ISE not adding MAC addresses of new endpoints to the Internal Endpoints IDStore via MAB after the Advanced license expired...

aukhadiev
Level 1

Hi,
We have an ISE 1.2.x deployment. ISE does not add the MAC addresses of new endpoints to the Internal Endpoints IDStore via MAB after the Advanced license expired...


24209 Looking up Endpoint in Internal Endpoints IDStore...
24217 The host is not found in the internal endpoints identity store
22056 Subject not found in the applicable identity store(s)
22058 The advanced option that is configured for an unknown user is used
22060 The 'Continue' advanced option is configured in case of a failed authentication request


Is this expected behaviour, and does ISE add the MAC addresses of new endpoints to the Internal Endpoints IDStore only via profiling?


Surendra
Cisco Employee
It is not expected. You should be able to add MAC addresses even without any advanced licenses. I would suggest checking whether replication is working properly. You essentially add the MAC address on the PAN and that gets replicated to the PSNs. If the PSNs do not get this info, you would see such issues. I am assuming that you did not get any error when you tried to add the MAC address.

Hi,

Replication is working properly (if I can trust the deployment info in the GUI).

There are 2 PAN, 2 MnT and 2 PSN nodes...

If I add the MAC address of a new endpoint manually to the Internal Endpoints IDStore on the PAN, it always works as expected...

24209  Looking up Endpoint in Internal Endpoints IDStore
24211  Found Endpoint in Internal Endpoints IDStore

But previously ISE added the MAC addresses of new endpoints automatically...

Thanks for your response...

Yes, this has to do with profiling. If profiling stops working because of an expired license, then you will not see this auto addition of MAC addresses on the ISE. To be more technical, the RADIUS probe is designed to process all the endpoints that come through runtime authentications. It has to process the authentication failure also and profile the endpoint (add/update).
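To make the step-code pattern in the original log excerpt and the description of the RADIUS probe above concrete, here is a small Python script (an added example for this thread, not code from the original post or from Cisco) that groups ISE authentication step codes by session, classifies each MAB attempt, and reports MACs that keep hitting the unknown-endpoint 'Continue' path across several sessions. That repeat pattern is what an operator would expect to see once the probe has stopped adding endpoints after failed authentications. The line layout (session id, MAC, step code, text) and the sample sessions are constructed for the example; only the step codes and their texts come from the thread.

```python
"""Classify ISE MAB attempts from authentication step codes and flag MACs
that are repeatedly admitted through the 'Continue' option without ever
being learned into the Internal Endpoints store.

Added example, not Cisco tooling. The "<session> <mac> <step> <text>"
line format is an assumption about how the report was exported."""

import re
from collections import Counter

# Step codes quoted in the thread.
LOOKUP_ENDPOINT = "24209"
ENDPOINT_FOUND = "24211"
ENDPOINT_NOT_FOUND = "24217"
SUBJECT_NOT_FOUND = "22056"
CONTINUE_OPTION = "22060"

# Constructed sample log: the same MAC fails lookup in two sessions and is
# let through by 'Continue' both times, i.e. nothing learned it in between.
SAMPLE_LOG = """\
s1 00:11:22:33:44:55 24209 Looking up Endpoint in Internal Endpoints IDStore...
s1 00:11:22:33:44:55 24217 The host is not found in the internal endpoints identity store
s1 00:11:22:33:44:55 22056 Subject not found in the applicable identity store(s)
s1 00:11:22:33:44:55 22058 The advanced option that is configured for an unknown user is used
s1 00:11:22:33:44:55 22060 The 'Continue' advanced option is configured in case of a failed authentication request
s2 aa:bb:cc:dd:ee:ff 24209 Looking up Endpoint in Internal Endpoints IDStore
s2 aa:bb:cc:dd:ee:ff 24211 Found Endpoint in Internal Endpoints IDStore
s3 00:11:22:33:44:55 24209 Looking up Endpoint in Internal Endpoints IDStore...
s3 00:11:22:33:44:55 24217 The host is not found in the internal endpoints identity store
s3 00:11:22:33:44:55 22056 Subject not found in the applicable identity store(s)
s3 00:11:22:33:44:55 22058 The advanced option that is configured for an unknown user is used
s3 00:11:22:33:44:55 22060 The 'Continue' advanced option is configured in case of a failed authentication request
"""

LINE_RE = re.compile(
    r"^(?P<session>\S+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<step>\d{5})\s",
    re.IGNORECASE,
)


def parse_steps(log_text):
    """Group step codes by session id. Returns {session: (mac, [codes])}."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not carry a step code
        mac = m.group("mac").lower()
        entry = sessions.setdefault(m.group("session"), (mac, []))
        entry[1].append(m.group("step"))
    return sessions


def classify(codes):
    """Label one session from the step codes seen in it."""
    if ENDPOINT_FOUND in codes:
        return "known-endpoint"
    if ENDPOINT_NOT_FOUND in codes and CONTINUE_OPTION in codes:
        return "unknown-continue"   # admitted via the 'Continue' option
    if ENDPOINT_NOT_FOUND in codes:
        return "unknown-failed"     # lookup failed, no 'Continue' applied
    return "other"


def summarize(log_text):
    """Return {session: (mac, label)} for every parsed session."""
    return {sid: (mac, classify(codes))
            for sid, (mac, codes) in parse_steps(log_text).items()}


def repeat_unknown(log_text, min_sessions=2):
    """MACs that went through 'unknown-continue' in at least min_sessions
    sessions: a sign the endpoint is never being added to the store."""
    hits = Counter(mac for mac, label in summarize(log_text).values()
                   if label == "unknown-continue")
    return {mac: n for mac, n in hits.items() if n >= min_sessions}


if __name__ == "__main__":
    for sid, (mac, label) in summarize(SAMPLE_LOG).items():
        print(f"{sid} {mac} {label}")
    print("repeat unknown:", repeat_unknown(SAMPLE_LOG))
```

Run against a real export, the `repeat_unknown` list is the set of MACs to compare with the Internal Endpoints store on the PAN and PSNs: a MAC that shows up there repeatedly yet is present in the store points at replication, while one that is absent everywhere points at the probe no longer adding endpoints, which is the case discussed in this thread.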

...thanks for the clarification

Hi Surendra


What about customers who do not have Plus licenses and therefore have not enabled profiling (as expected), BUT who have Cisco WLCs/switches with Device Sensor enabled? The ISE RADIUS probe should still be running, right? You cannot disable this as far as I know.

I think what you are referring to are the other probes like DHCP, SNMP, NMAP etc.

If there is any proper documentation on this I would love to see it. It's not well documented at all, and it leads to all this speculation and these questions.


thanks

Hi Arne,

I'm not sure what you meant when you said "ISE Radius probe should still be running, right? You cannot disable this as far as I know." You can disable the RADIUS probe under the profiling configuration, which would then cause ISE to stop collecting the attributes from RADIUS requests for the endpoints, essentially stopping them from being profiled based on those attributes.

Regards,
Surendra.

Customers who are not running an eval license, but who have enabled the Base license only, and who have not enabled the Profiling service on their PSN, will still have the RADIUS probe enabled. According to former Cisco TME Craig Hyps, who sadly no longer works for Cisco, this was working as designed. Have a look here:

https://community.cisco.com/t5/identity-services-engine-ise/ise-2-x-device-profiling-without-plus-license/td-p/3590764


I don't currently have access to a system that is licensed for Base only, and where I can test with a Cisco WLC using RADIUS profiling for DHCP/HTTP; that would be my test case.


It would be good to have this confirmed by someone else, because now I am starting to doubt my own sanity :(

This is news to me too. I guess what it means is that ISE would still collect the data but one cannot put them to use till a plus license is obtained. I'll also test this out to be sure and revert.