Solved: Re: Automatic Profiling of endpoints

Ditter · ‎11-22-2018

Hi to All,

i have configured ISE to accept different probes to help our ISE profiling implementation such as SNMP queries, DNS e.t.c. as you can see in the png attached.

One of these probes is DHCP (having already configured SVIs in the appropriate router interfaces where the DHCP servers exist).

However looking in my endpoints i do not see any of them learned by ISE through DHCP probe. There is no ACL between the ISE and the switches , but it seems that the only info i get for my endpoints is the SNMP query that ISE does periodically to the switches.

Is there anything extra i should configure to our switches in order to get dhcp related info in our ISE?

What i have seen in some documents is that the command device sensor should me enabled on the NADs but most of our switches run 15.0(2) which do not support any device sensor command.

Thank you,

Ditter.

paul · ‎11-27-2018

If you aren't doing authentication you don't need the RADIUS commands, but you won't be able to use device-sensor to gather profiling data because it uses RADIUS to send the information to ISE. You can still gather profiling data with DHCP IP helper forwarding, SNMP NAD polling (both the client switches and the L3 GWs for the clients), SNMP polling to endpoints, NMAP, etc.

View solution in original post

paul · ‎11-28-2018

Purging is right. You can build your own purging rules. Build a rule that says "Endpoint Purge Inactive Days Less Than 9999" and don't specify any endpoint group. Then click the run purge button. All endpoints in the system have been inactive less than 9,999 days so they will be purged. Remember to disable/remove the rule when you are done.

View solution in original post

pan · ‎11-22-2018

Please check below post:
https://community.cisco.com/t5/identity-services-engine-ise/viewing-and-troubleshooting-profiler-data/m-p/3745141#M20473

Try to take capture traffic on PSN node and see if DHCP probe are reaching to PSN? may be DHCP snooping would be blocking traffic.

Check below doc as well:
https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456

Ditter · ‎11-26-2018

Thanks, DHCP Snooping is not blocking traffic as trunk ports are DHCP snooping trusted ports.

Cezar Fistik · ‎11-24-2018

You need to add your PSN host(s) IP addresses to the corresponding SVIs using ip helper command, similar to what you have for your real DHCP servers.

paul · ‎11-26-2018

You would only need to add the IP helpers if you aren't using device sensor on the switches doing the authentication. If you can run device sensor (requires DHCP snooping to be in place as well), you should be running that on the switches to gather DHCP, CDP and LLDP data.

Ditter · ‎11-26-2018

Paul one question for you. Suppose that some of the DHCP clients reside on switch ports that are not configured with any form of authentication (no MAB , no dot1.x).

These clients with no mehtod of authentication, although IP helper address is configured should be able to send to ISE DHCP related info, yes or no?

I suppose the strength of cisco ISE profiling is its ability to profile the clients regardless of the fact that no method of authentication is configured to the switch. Correct or no?

Thanks

Ditter.

paul · ‎11-26-2018

That is correct. ISE will profile your whole network without authentication being in place. The issue is ISE won’t correlate endpoints to network devices and ports without authentication in place.

Ditter · ‎11-27-2018

Paul, do i need to have the NAD configured with basic Radius settings even if no authentication occurs?

For example do i need to configure the "radius-server vsa send accounting" command e.t.c. or even these commands are not used for profiling ( i always refer to non authenticated clients).

paul · ‎11-27-2018

If you aren't doing authentication you don't need the RADIUS commands, but you won't be able to use device-sensor to gather profiling data because it uses RADIUS to send the information to ISE. You can still gather profiling data with DHCP IP helper forwarding, SNMP NAD polling (both the client switches and the L3 GWs for the clients), SNMP polling to endpoints, NMAP, etc.

Ditter · ‎11-28-2018

thanks paul,

suppose that i would like to have a fresh beginning by deleting the profiling DB of ISE. How can i do that?

I searched the forum but the only purging i see in ISE is the one that runs once a day and purges registered devices and guest endpoints that are older than 30 days.

What i need to do is to see the number of total endpoints devices set to 0.

Thanks,

Ditter.

paul · ‎11-28-2018

Purging is right. You can build your own purging rules. Build a rule that says "Endpoint Purge Inactive Days Less Than 9999" and don't specify any endpoint group. Then click the run purge button. All endpoints in the system have been inactive less than 9,999 days so they will be purged. Remember to disable/remove the rule when you are done.

Ditter · ‎11-28-2018

Thanks Paul,

it works ! Slowly, but it works (my endpoints discovered last month were almost 30.000).

I attach the rule in case somebody wonders how it is implemented.

Ditter.

Ditter · ‎11-26-2018

Thanks Cezak, already done that.