10-19-2015 02:17 PM - edited 03-10-2019 11:10 PM
Having a heck of time finding the answer to this.
Have an ISE 1.4 Install with 3850 switches. Everything is working fine. However struggling to see if 1. Device Sensor data is supported for radius accounting on the 3850 code, 2. If it is, what the command set is.
Use the device-sensor data in the radius accounting to correctly profile devices.
DHCP Probe works fine.
It looks like the 3850 did not support device-sensor till 3.6 code.
Looking through all the 3850 configuration I do not see any documentation on enabling 3850. But I can find the 3750-x configuration guide.
So the problem I run into is enabling the accounting aspect of device-sensor. The command does not exist.
device-sensor filter-list dhcp list dhcp
option name domain-name-servers
option name host-name
option name domain-name
option name class-identifier
option name client-identifier
!
device-sensor filter-list lldp list lldp
tlv name system-name
tlv name system-description
tlv name system-capabilities
tlv name management-address
!
device-sensor filter-list cdp list cdp
tlv name device-name
tlv name port-id-type
tlv name capabilities-type
tlv name version-type
tlv name platform-type
device-sensor filter-spec dhcp include list dhcp
device-sensor filter-spec lldp include list lldap
device-sensor filter-spec cdp include list cdp
device-sensor notify all-changes
switch99(config)#device-sensor ?
filter-list Sensor Protocol Filter List Configuration
filter-spec Sensor Protocol Filter Spec Configuration
notify Options for when to trigger identity update events
switch99(config)#device-sensor accounting
^
% Invalid input detected at '^' marker.
I have a TAC case open but not getting a clear answer on this right now. Device-sensor data is getting collected just fine.
switch99#show device-sensor cache all
Device: 8843.e1c6.a83a on port GigabitEthernet1/0/13
--------------------------------------------------
Proto Type:Name Len Value
DHCP 60:class-identifier 19 3C 11 43 69 73 63 6F 3A 54 6F 75 63 68 64 65 76
69 63 65
CDP 6:platform-type 24 00 06 00 18 43 54 53 2D 43 4F 44 45 43 2D 69 6E
54 6F 75 63 68 20 47 32
CDP 5:version-type 19 00 05 00 13 54 49 37 2E 33 2E 32 20 31 34 61 64
37 63 63
CDP 4:capabilities-type 8 00 04 00 08 00 00 00 90
CDP 3:port-id-type 8 00 03 00 08 65 74 68 30
CDP 1:device-name 19 00 01 00 13 53 45 50 38 38 34 33 45 31 43 36 41
38 33 41
Radius is working and ISE is working fine.But when I run debug radius accounting. It never sends any of the CDP info and I am pretty sure its because the device-sensor isn't configured to send the information because of the absence of
(config)#device-sensor accounting
^
% Invalid input detected at '^' marker.
To add Device Sensor protocol data to accounting records and to generate additional accounting events when new sensor data is detected, use the device-sensor accounting command in global configuration mode. To disable adding Device Sensor protocol data to accounting records and to disable generating accounting events, use the no form of this command.
device-sensor accounting
Oct 19 21:14:07.037: RADIUS(00000000): Config NAS IP: removed
Oct 19 21:14:07.037: RADIUS(00000000): sending
Oct 19 21:14:07.038: RADIUS(00000000): Send Accounting-Request to removed:1813 id 1646/16, len 311
Oct 19 21:14:07.038: RADIUS: authenticator 22 87 CF A3 E2 59 51 1C - E2 C9 BB 22 75 39 01 C9
Oct 19 21:14:07.038: RADIUS: Framed-IP-Address [8] 6 removed
Oct 19 21:14:07.038: RADIUS: User-Name [1] 19 "88-43-E1-C6-A8-3A"
Oct 19 21:14:07.038: RADIUS: Vendor, Cisco [26] 49
Oct 19 21:14:07.038: RADIUS: Cisco AVpair [1] 43 "audit-session-id=AC1C0BFA00001010339251F2"
Oct 19 21:14:07.038: RADIUS: Vendor, Cisco [26] 18
Oct 19 21:14:07.038: RADIUS: Cisco AVpair [1] 12 "method=mab"
Oct 19 21:14:07.038: RADIUS: Called-Station-Id [30] 19 "84-B5-17-D0-B9-8D"
Oct 19 21:14:07.038: RADIUS: Calling-Station-Id [31] 19 "88-43-E1-C6-A8-3A"
Oct 19 21:14:07.038: RADIUS: NAS-IP-Address [4] 6 removed
Oct 19 21:14:07.038: RADIUS: Vendor, Cisco [26] 29
Oct 19 21:14:07.038: RADIUS: cisco-nas-port [2] 23 "GigabitEthernet1/0/13"
Oct 19 21:14:07.038: RADIUS: NAS-Port [5] 6 60000
Oct 19 21:14:07.039: RADIUS: NAS-Port-Id [87] 23 "GigabitEthernet1/0/13"
Oct 19 21:14:07.039: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Oct 19 21:14:07.039: RADIUS: Acct-Session-Id [44] 10 "0000126B"
Oct 19 21:14:07.039: RADIUS: Class [25] 63
Oct 19 21:14:07.039: RADIUS: 43 41 43 53 3A 41 43 31 43 30 42 46 41 30 30 30 [CACS:AC1C0BFA000]
Oct 19 21:14:07.039: RADIUS: 30 31 30 31 30 33 33 39 32 35 31 46 32 3A 63 6F [01010339251F2:co]
Oct 19 21:14:07.039: RADIUS: 76 64 63 2D 63 6F 70 69 70 6E 2D 30 31 2F 32 33 [vdc-copipn-01/23]
Oct 19 21:14:07.039: RADIUS: 33 30 35 30 36 30 39 2F 32 35 36 34 39 [ 3050609/25649]
Oct 19 21:14:07.039: RADIUS: Acct-Status-Type [40] 6 Start [1]
Oct 19 21:14:07.039: RADIUS: Event-Timestamp [55] 6 1445289247
Oct 19 21:14:07.039: RADIUS: Acct-Delay-Time [41] 6 0
Oct 19 21:14:07.039: RADIUS(00000000): Sending a IPv4 Radius Packet
Oct 19 21:14:07.040: RADIUS(00000000): Started 10 sec timeout
Oct 19 21:14:07.044: RADIUS: Received from id 1646/16 removed:1813, Accounting-response, len 20
05-26-2016 07:10 AM
I believe you are using IBNS 2.0 style of configs. You can check by executing following command.
Switch#authentication display config-mode
Current configuration mode is new-style
In this mode, device-sensor accounting CLI is not available. Instead you can use below CLIs to send protocol attributes as part of accounting messages if you are using 3.6.x code.
access-session accounting attributes filter-list list CDP protocol cdp access-session accounting attributes filter-spec list CDP
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide