topic Re: What is the minimum port configuration necessary to profile host? in Network Access Control

What is the minimum port configuration necessary to profile host?

DamianRCL — Mon, 15 Apr 2024 16:46:53 GMT

Hello,

If I simply want to profile network hosts without subjecting them to dot1x, what is the minimum port configuration necessary to accomplish this?

Re: What is the minimum port configuration necessary to profile host?

Rob Ingram — Mon, 15 Apr 2024 16:52:56 GMT

@DamianRCL you'd need to configure MAB

You'd probably also want to ensure you configure device sensor to learn about the endpoints from the switch and send to ISE in the RADIUS packet, so you have more information to profile the endpoints.

Refer to the IBNS1.0 configuration for monitor mode and device sensor sections. https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515#toc-hId--657806293

Re: What is the minimum port configuration necessary to profile host?

DamianRCL — Mon, 15 Apr 2024 18:21:17 GMT

Thanks, Rob. I'll take a look.

Re: What is the minimum port configuration necessary to profile host?

Aref Alsouqi — Tue, 16 Apr 2024 11:22:04 GMT

If you rely on device sensor then I would say nothing would be required from the switch ports perspective because the device sensor feeds will be sent by the switch to ISE regardless if the port is configured for dot1x or MAB.

Re: What is the minimum port configuration necessary to profile host?

ahollifield — Tue, 16 Apr 2024 11:26:58 GMT

@Matt Albrecht - didn't you have a "profile/visibility only" config?

Re: What is the minimum port configuration necessary to profile host?

Matt Albrecht — Tue, 16 Apr 2024 21:42:36 GMT

I do, take a look at the attached template file.

@DamianRCL you may adapt the sensor filters as needed for your environment, the below is an IBNS2.0-based config that puts the interfaces into an authorized state, with no MAB or 802.1x needed, to pull device-sensor information and ship it to ISE for profiling unintrusively.

The key commands are access-session monitor, which creates an access session for ALL ports on the switch, and the language of the service-policy which, essentially, says to immediately authorize the port if a session exists, which it will thanks to the access-session monitor command:

policy-map type control subscriber ISE_VISIBILITY
event session-started match-all
10 class always do-until-failure
10 authorize

This results in all interfaces having an up session, in an authorized state without having to interact with the end station at all, and the switch can gather data and send via device-sensor.

The attached template is distilled directly from here - https://community.cisco.com/t5/security-knowledge-base/ise-profiling-design-guide/ta-p/3739456

Hope this helps.

Re: What is the minimum port configuration necessary to profile host?

DamianRCL — Tue, 16 Apr 2024 18:43:13 GMT

This is tremendous, Matt. Thank you!