Using VLAN Information in Profiling

paul
Level 10

Working on an IBNS 2.0 setup and I have the VLAN ID being sent to ISE.  I added the following command to the switch to get the VLAN information to show up in the authentication request:

mab request format attribute 32 vlan access-vlan

I also have the access-session authentication commands on the switch:

access-session attributes filter-list list Def_Auth_List
  vlan-id

access-session authentication attributes filter-spec include list Def_Auth_List

I can see the VLAN ID showing up in the authentication request details as a Cisco AV pair.

[screenshot: Capture.JPG, the ISE authentication details showing the vlan-id Cisco AV pair]

I see how I could use that information in a condition in the authorization phase.  What I am unsure of is whether it is possible to use that information to profile a device, i.e. if vlan-id=29 then profile the device as a certain device type.

I don't see this information showing up under the attributes tab in Context Visibility, so my guess would be that this information can't be used in profiling.  Can someone confirm?
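A worked illustration of the profiling logic asked about above, added here as an example and not code from this thread, from ISE or from Cisco: it parses the Cisco AV pairs as they appear in the authentication details into attributes, then scores simplified profiler-style policies (conditions that each add a certainty factor, compared against a minimum certainty) against them. The sample AV pairs, the policy names, the certainty values and the parse_avpairs/profile helpers are all constructed for the example; the scoring model is a simplified stand-in and does not claim to reproduce ISE's profiler.

```python
import re
from dataclasses import dataclass

# Constructed sample: Cisco AV pairs of the kind seen in an ISE authentication
# detail page once the switch sends the access VLAN (values are invented).
SAMPLE_AVPAIRS = [
    "service-type=Call Check",
    "audit-session-id=0A0A0A01000000A5B1C2D3E4",
    "method=mab",
    "client-iif-id=123456789",
    "vlan-id=29",
]


def parse_avpairs(avpairs):
    """Split 'key=value' AV pairs into a dict; a repeated key collects a list."""
    attrs = {}
    for pair in avpairs:
        if "=" not in pair:
            continue  # skip malformed pairs instead of failing the whole request
        key, _, value = pair.partition("=")
        key, value = key.strip(), value.strip()
        if key in attrs:
            prev = attrs[key]
            attrs[key] = prev + [value] if isinstance(prev, list) else [prev, value]
        else:
            attrs[key] = value
    return attrs


@dataclass
class Condition:
    attribute: str
    operator: str   # "equals" (exact) or "matches" (full regex match)
    value: str
    certainty: int  # certainty factor added when the condition hits

    def hits(self, attrs):
        got = attrs.get(self.attribute)
        if got is None:
            return False  # attribute absent from the request: condition cannot match
        values = got if isinstance(got, list) else [got]
        if self.operator == "equals":
            return any(v == self.value for v in values)
        if self.operator == "matches":
            return any(re.fullmatch(self.value, v) for v in values)
        raise ValueError(f"unknown operator {self.operator!r}")


@dataclass
class ProfilePolicy:
    name: str
    min_certainty: int
    conditions: list

    def score(self, attrs):
        # Total certainty is the sum of the factors of every matching condition.
        return sum(c.certainty for c in self.conditions if c.hits(attrs))


def profile(attrs, policies):
    """Return the name of the highest-scoring policy that reaches its minimum, else None."""
    best = None
    for policy in policies:
        score = policy.score(attrs)
        if score >= policy.min_certainty and (best is None or score > best[1]):
            best = (policy.name, score)
    return best[0] if best else None


# Constructed policies: the thread's "if vlan-id=29 then profile as X" idea,
# plus a regex-based one for a range of VLANs.
POLICIES = [
    ProfilePolicy("Mission-System-VLAN29", 10, [
        Condition("vlan-id", "equals", "29", 10),
        Condition("method", "equals", "mab", 5),
    ]),
    ProfilePolicy("Printer-VLANs-30-39", 10, [
        Condition("vlan-id", "matches", r"3[0-9]", 10),
    ]),
]

if __name__ == "__main__":
    attrs = parse_avpairs(SAMPLE_AVPAIRS)
    print(attrs)
    print(profile(attrs, POLICIES))
```

One design point worth keeping in mind when building a rule like this: with `vlan access-vlan` the value sent is the port's configured access VLAN, so it tells you where the endpoint is plugged in rather than what it is. A condition on it is best given a low certainty factor on its own and combined with device-sensor or other endpoint attributes, so that moving a different device onto the same port does not inherit the profile.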

4 Replies

Colby LeMaire
VIP Alumni

I am not sure if the information from the authentication request would be stored in a particular attribute that you can use for profiling.  Never tried that before.  My guess is that if it isn't showing up in Context Visibility, then it probably isn't getting stored.  But I do know that you can profile based on VLAN assignment using the SNMP Probe.  I usually don't like enabling the SNMP Probe, but I have had situations in the past in environments where static IPs were used and we needed to profile certain mission-specific systems.  The only way we had to tell one mission system from another was by what VLAN they were on.  That would be the SNMP::Vlan or Vlan Name attribute.

I usually use SNMP as backup to device sensor. I haven’t seen any VLAN information pulled via SNMP. You have seen that in ISE?

Yes, we have used it before.  Not SNMP Trap, but SNMP Polling.  It has been a while and was with ISE 1.0.4.  It may be switch/IOS dependent.  I will set it up in my lab today and post my results/screenshots.

I am unable to get it working using ISE 2.4 and a 2960L.  Something must have changed within ISE since 1.0.4 related to storing the VLAN information from the SNMP Probe.  That is unfortunate.