topic ISE profiling - DHCP probe in Network Access Control

ISE profiling - DHCP probe

babalao — Thu, 02 May 2024 00:36:18 GMT

Hello,

to profile devices via DHCP , is it enough to use the device-sensor config for it, or I still need DHCP relay config to forward DHCP packets to ISE?

device-sensor alone ? or device-sensor + dhcp relay (ip helper-address)

Thank you.

Regards

Re: ISE profiling - DHCP probe

Rob Ingram — Thu, 02 May 2024 07:25:46 GMT

@babalao if you have configured device sensor to gather DHCP probe information you do NOT need the ip helper-address on the SVI.

https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

Re: ISE profiling - DHCP probe

MHM Cisco World — Thu, 02 May 2024 07:36:20 GMT

can I see how you config the device sensor

MHM

Re: ISE profiling - DHCP probe

babalao — Thu, 02 May 2024 13:45:40 GMT

Thank yor the replies.

I am going to configure this as device-sensor for dhcp:

device-sensor filter-list dhcp list ISE-dhcp
option name host-name
option name requested-address
option name parameter-request-list
option name class-identifier
option name client-identifier
device-sensor filter-spec dhcp include list ISE-dhcp

@Rob Ingram I read that but I did no get a clear answer...

One could test this and if gets dhcp attributes in endpoints means it is working right?

thank you

Re: ISE profiling - DHCP probe

davidgfriedman — Thu, 02 May 2024 13:56:18 GMT

After filter-spec, don't forget to enable it with, (I think):
device-sensor accounting
device-sensor notify all-changes

Re: ISE profiling - DHCP probe

MHM Cisco World — Thu, 02 May 2024 13:56:24 GMT

If you get dhcp attribute in ISE sure you dont need dhcp probe' but I will make double check this case update you tonight

MHM

Re: ISE profiling - DHCP probe

Rob Ingram — Thu, 02 May 2024 14:58:30 GMT

@babalao the DHCP probes (helper-address) provide the following:

Device sensor will provide the same and does allow you to specify more options to send via the filter list.

So no point enabling both device sensor and helper-adddress to learn the same information.

Re: ISE profiling - DHCP probe

PSM — Thu, 02 May 2024 18:46:56 GMT

Hi @babalao which model and version of the switch ? There is a bug which has been registered about 'device-sensor accounting' command.

https://bst.cisco.com/bugsearch/bug/CSCvd12458?rfs=qvlogin

Interestingly, according to guide ISE Profiling Design Guide - Cisco Community this issue started 16.3.x but all the official cisco configuration guides still mention to use 'device-sensor accounting' which is not available at all in any on Cat 9K platform.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-6/configuration_guide/sec/b_176_sec_9300_cg/m9-sec-176-device-sensor.html

In our case device sensor is not sending updates to ISE and we are having a TAC case going on.

Re: ISE profiling - DHCP probe

babalao — Fri, 03 May 2024 18:00:44 GMT

Hello,

yesterday I tried it (with 2 2960x) and in both cases I only get DHCP attributes of the endpoint if I put the helper-address. Device sensor did not get info. I shut/no shut the port several times to make DHCP happen and nothing... maybe device-sensor is slower??

At least in my tests....

Thank you