Cisco Access Points not profiling correctly in ISE

mark373737
Level 1

Hi All,

I'm about to move from Monitor Mode to Secure/Closed mode (ISE 2.0) and will be using a variant of the default Cisco ISE Access Point policy to authenticate 1000+ Cisco Access Points.

However I have noticed that about 10% of the APs have only authenticated in Monitor Mode as "Cisco-Device", not "Cisco-Access-Point". This means they will not match the ISE policy and in Secure/Closed mode will be refused access.

There is no real commonality, as I have two APs of exactly the same model behaving differently on ports within the same switch. Rebooting them makes no difference.

If you compare a correctly profiled AP with a failing one, the correct one seems to be "hitting" the CDP aspects of the profile requirements, namely:

Cdpcacheplatform contains "Cisco AIR-LAP-1142N" equals 30 points AND

Cdpcacheversion contains "K9w8-" equals 30 points AND

Cdpcacheversion contains "Cisco IOS" equals 30 points

So APs that profile OK score 95 points (not sure why 95, not 90!). However, APs that do not profile OK do not seem to hit any of the same CDP aspects (they only seem to score 10 points via the Cisco-Device OUI match), and yet CDP is turned on on the switch and the switch command "show cdp neighbor" looks identical for working and non-working APs.

If I can't rely on the profiling, how can I incorporate it in an ISE policy to prevent "MAC spoofing"?

Thanks in advance

Mark

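As an added illustration (not code from the post or from Cisco ISE), the following Python scores constructed endpoint attribute records against the three CDP conditions quoted above plus the Cisco-Device OUI match, and separates the two failure modes a defender needs to tell apart: CDP attributes that never reached ISE (a collection problem between switch and ISE) versus CDP attributes that arrived but do not match the policy strings. The endpoint records, MAC addresses, version strings and the case-insensitive "contains" behaviour are assumptions for the example, not values taken from the post.

```python
# Profiler conditions as quoted in the post: (endpoint attribute, substring, points).
AP_CONDITIONS = [
    ("cdpCachePlatform", "Cisco AIR-LAP-1142N", 30),
    ("cdpCacheVersion", "K9w8-", 30),
    ("cdpCacheVersion", "Cisco IOS", 30),
]
OUI_POINTS = 10  # the parent Cisco-Device OUI match mentioned in the post

# Constructed endpoint records (not real data) reproducing the behaviours in the post.
SAMPLE_ENDPOINTS = {
    "00:11:22:aa:bb:01": {  # profiles correctly: all CDP attributes present and matching
        "OUI": "Cisco Systems, Inc",
        "cdpCachePlatform": "Cisco AIR-LAP-1142N",
        "cdpCacheVersion": "Cisco IOS Software, C1140 Software (C1140-K9W8-M), Version 15.3(3)JC",
    },
    "00:11:22:aa:bb:02": {  # stuck at Cisco-Device: no cdpCache* attribute ever reached ISE
        "OUI": "Cisco Systems, Inc",
    },
    "00:11:22:aa:bb:03": {  # CDP data arrived, but it describes a neighbouring switch, not an AP
        "OUI": "Cisco Systems, Inc",
        "cdpCachePlatform": "cisco WS-C2960X-48FPD-L",
        "cdpCacheVersion": "Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M)",
    },
}


def score_endpoint(attrs):
    """Return (points, diagnosis) for one endpoint attribute record.

    Points are a simple sum of the quoted conditions (the post reports 95 for a
    working AP; the exact ISE certainty arithmetic is not reproduced here).
    Substring matching is done case-insensitively (an assumption for this example).
    """
    points = OUI_POINTS if attrs.get("OUI", "").lower().startswith("cisco") else 0
    hits = 0
    for attr, needle, weight in AP_CONDITIONS:
        if needle.lower() in attrs.get(attr, "").lower():
            points += weight
            hits += 1
    has_cdp = any(key.startswith("cdpCache") for key in attrs)
    if hits == len(AP_CONDITIONS):
        diagnosis = "ok: all Cisco-Access-Point CDP conditions matched"
    elif not has_cdp:
        diagnosis = "no cdpCache* attributes reached ISE: check CDP collection from the switch, not the policy"
    else:
        diagnosis = "CDP attributes present but do not match the policy strings"
    return points, diagnosis


def triage(endpoints):
    """Score every endpoint; returns {mac: (points, diagnosis)}."""
    return {mac: score_endpoint(attrs) for mac, attrs in endpoints.items()}


if __name__ == "__main__":
    for mac, (points, diagnosis) in triage(SAMPLE_ENDPOINTS).items():
        print(f"{mac}: {points:3d} points - {diagnosis}")
```

Run against an export of real endpoint attributes, an AP that lands in the "no cdpCache* attributes" bucket while "show cdp neighbor" still lists it points at the switch-to-ISE attribute path rather than at the profiler policy itself.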