cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
 
ISE 2.3 Patch 7 has been posted. This will be the last patch for the ISE 2.3 release!
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

382
Views
1
Helpful
5
Replies
Cisco Employee

IP Addr necessary in Acct to invoke interface SNMP query ?

We are tying to profile Cisco IP phones via CDP information sent in response to SNMP interface query.

We are seeing Accounting start packet on ISE (we are implementing default access as restrictive DACL) but no SNMP query is initiated after that.

Does the accounting start also needs to have an IP address ?

Because in our case the IP phone does not get IP address until it is profiled correclty.

Everyone's tags (4)
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Cisco Employee

Re: IP Addr necessary in Acct to invoke interface SNMP query ?

Either RADIUS accounting start or SNMP traps. See pages 20 ~ 27 for profiling using SNMP traps in How To: ISE Profiling Design Guide

5 REPLIES 5
Highlighted
Cisco Employee

Re: IP Addr necessary in Acct to invoke interface SNMP query ?

Either RADIUS accounting start or SNMP traps. See pages 20 ~ 27 for profiling using SNMP traps in How To: ISE Profiling Design Guide

VIP Engager

Re: IP Addr necessary in Acct to invoke interface SNMP query ?

Your statement saying "Of course it doesn't get an IP address until it is profiled correctly" is a statement that shouldn't be true.  If you are using profiling in your ISE install at a minimum you should allow unknown devices onto the network but apply a DACL that only allows them to respond to the PSNs that may be probing them, i.e. NMAP or SNMP scans.  I know that necessarily won't help you here, but it sounds like you are rejecting in your default rule which can hinder ISE profiling.

Cisco Employee

Re: IP Addr necessary in Acct to invoke interface SNMP query ?

Yes I am pushing a restricted DACL from ISE and I can see that ISE PSN is receiving accounting start from the switch .

Buy no SNMP query is initiate from the PSN which it should according to the document

Thanks for the comments . Will investigate more

Thanks,

Utkarsh

VIP Engager

Re: IP Addr necessary in Acct to invoke interface SNMP query ?

I have seen this issue in the past, but can’t remember what the solution was. A couple other things:

1) If the switch supports device sensor that would be the ideal route, but I am guessing since you are relying on SNMP polls it probably doesn’t support device sensor.

2) I usually have periodic SNMP polling setup on the NAD definitions in ISE. The periodic polling will fix the issue, but of course that doesn’t help you get the phone on in a timely fashion.

If you pushing a DACL and allowing the phone on the network you should be getting DHCP attributes from the phone which should also be profiling the device correctly. Do you have DHCP forwarding to the PSNs configured?

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

Cisco Employee

Re: IP Addr necessary in Acct to invoke interface SNMP query ?

Yes. you got that right. Its working with periodic SNMP polling and DHCP forwarding.

Its always worked in the past for me using Interface level SNMP query because that's the best ways to profile endpoints in closed mode.

Anyways I've got tied up in other stuff so will revisit this issue.

Appreciate your time on this.