topic Re: Device sensor information not getting to ISE in Network Access Control

Device sensor information not getting to ISE

david-mead — Wed, 13 Mar 2024 13:37:54 GMT

Hello,

Got a bit of a weird problem trying to profile some Cisco 9120 APs on ISE 3.1

Short version is that I have 3 APs connected onto a Catalyst 9300 with 802.1x enabled. 2 of them are successfully being profiled as Cisco APs by ISE (and thus hitting the related Auth Policy) one of them is not.

Checking the Endpoints in ISE the 2 which are being profiled correctly have all of the relevant attributes I'd expect to see (DHCP, LLDP and CDP) under "Attributes > Other Attributes". The one which isn't working has none of this information listed.

I've checked the device-sensor information on the switch (show device-sensor cache interface xx) for each of the AP's and they all have the correct details listed there.

I've cleared the authentication sessions, shut/no shut the switch port (many times!) and tried everything I can think of.

Global config must be correct (I assume) as the info is being passed for the other 2 AP's, and the interface config for all 3 is identical.

I've completely run out of ideas so reaching out for some help if anyone has any ideas?

Thank you!

Re: Device sensor information not getting to ISE

thomas — Thu, 14 Mar 2024 14:34:22 GMT

Verify RADIUS Accounting is properly configured on your third network device. Device Sensor information is sent to ISE via RADIUS Accounting.

See > Preparing a Switch for Identity-Based Network Access for details.

Re: Device sensor information not getting to ISE

david-mead — Thu, 14 Mar 2024 15:12:22 GMT

Isn't that information sent from the switch? As I say the switch is successfully sending all of the device sensor information for the other devices attached to it, so I'm confident the AAA config is correct.

Re: Device sensor information not getting to ISE

Carlos T — Thu, 25 Jul 2024 17:33:52 GMT

Having the same issue with a Catalyst 9300 switch and an AP model C9120AXI.

On ISE I can only see the LLDP device sensor information, but not the CDP.

Did u find the solution to this?

Re: Device sensor information not getting to ISE

davidgfriedman — Thu, 25 Jul 2024 18:45:33 GMT

Did you start from the very beginning? Can you login to the switch and see lldp / cdp data locally? i.e. what's the output of:
show lldp neighbors gi1/0/27 d
show cdp neighbors gi1/0/27 d
And if you see output from both of the above, what does device-sensor on the 9300 show you? ex:
show device-sensor cache interface gi1/0/27
Once you've verified the data is at the switch level, you can move upward in the stream to, eventually, ISE.

Regards,
David

Re: Device sensor information not getting to ISE

Carlos T — Thu, 25 Jul 2024 18:51:16 GMT

I can see CDP and LLDP information of the connected device on the switch. Output of command "show device-sensor cache all" shows CDP and LLDP attributes.

On ISE "Endpoint Classification / Attributes / Other Attributes", when looking for the mac address of the Access Point (connected to the switch that is configured with device sensor), it is showing only the LLDP information, but nothing of CDP information.

Re: Device sensor information not getting to ISE

david-mead — Mon, 29 Jul 2024 07:33:35 GMT

Just to say we never found the solution. Ended up adding the MAC addresses of the AP's to MAB.

If you do figure it out though let me know.

Re: Device sensor information not getting to ISE

Carlos T — Mon, 29 Jul 2024 07:55:36 GMT

The implementation we are running on the network is "closed mode" (endpoint blocked access to the network if authentication fails).

As for testing I enabled "open mode" (authentication open, and a permit ip any any acl on the switchport), so then ISE can see the endpoint (even if it fails authentication), and after that I see ISE profiled correctly the endpoint, and also I can see all the CDP information on "Endpoint Classification / Attributes / Other Attributes".

I have a case open so waiting the reply of the TAC, but from the tests, looks like some attributes (CDP for example) are only visible on ISE after the endpoint is profiled. But other attributes (LLDP for example) are visible on ISE before/after the endpoint is profiled.

I think we need to go with the phased approach of "open mode" first, so ISE can profile correctly the endpoint, and then go to "closed mode", so after that the ISE knows all attributes of the endpoint as it was profiled before.