Cisco ISE 1.3 - Unknown Endpoints

Vivek Ganapathi
Level 4

Hello All,

Has anyone been facing issues with profiling on ISE? Below is a summary of the issue I have been facing.

We have installed 5 x PSNs at each DC (2 DCs), load balanced behind a hardware load balancer. The PSNs have their gateway defined as the LB to avoid doing source NAT. So, the NAD has been configured with the virtual IP of the load balancer for RADIUS authentications, with L7 persistence on the load balancer based on the Calling-Station-ID (RADIUS attribute 31).

For profiling, ISE is using DHCP. We have SVIs with the IP helpers pointing to the virtual IP of the load balancer again (one per DC).

There are currently 5000+ endpoints being authenticated by ISE at the moment; of those, a few endpoints are being identified as "Unknown". Did a bit of investigation and found that some of them are workstations (Windows machines). The weird part is, we are not seeing any DHCP-related information on ISE from these machines (confirmed with local IT that these machines have not been configured with static IPs). Along with this, there are a few machines in the same VLAN segment being profiled correctly by ISE as a "Workstation". So, this is not an issue with the helper configuration on the SVI.

Just to add, those switches configured for NAC don't have the IOS sensor function, unfortunately.

My suspicion is on the load balancing, as we have configured the IP helpers to point to the virtual IP, and I am not sure how the load balancer handles this traffic, as this is a DHCP packet and there is no configuration on the LB for it. I know a few load balancers like F5 allow matching against DHCP attributes like DHCP-Client-Identifier, which lets the LB stick the same session to the same PSN, optimising endpoint profiling. But the weird part here is, we did a few tests in our lab and found that even though there is no specific configuration on the LB related to DHCP handling, the LB still seems to stick the DHCP and RADIUS to the same PSN (possibly being lucky). But I didn't understand why, as the DHCP packet will have the DHCP relay agent (gateway IP) as its source, whereas the RADIUS packet will have the NAD as its source, and the persistence (stickiness) criterion is the client MAC address. For those requests which are unlucky, there is a potential for the DHCP and RADIUS to be delivered to different PSNs.

The question is, what can happen if they were to be delivered to different PSNs? (By the way, all 5 PSNs in each DC are part of their own node group cluster.) Is my investigation going in the right direction? Is there something else I should be looking at as well?

Regards

Vivek
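
An added illustration of the load-balancer concern raised in the post above (example code written for this thread, not Vivek's and not Cisco's): it builds a constructed DHCP Discover as an SVI relay agent would forward it and a constructed RADIUS Access-Request carrying Calling-Station-Id (attribute 31), extracts the client MAC from each, and models the LB's persistence as a stable hash of whatever key the LB can see. When the LB has no DHCP-specific handling, the only L3 key in the relayed DHCP packet is the relay agent's address, so every DHCP packet from one VLAN hashes to one PSN while RADIUS for the same MACs spreads across all five. The PSN names, the hash-based selection and the packet contents are assumptions made for the example, not details from the post.

```python
import hashlib
import struct

# Assumed PSN pool behind one DC's virtual IP (hypothetical names, not from the post).
PSNS = ["psn-dc1-01", "psn-dc1-02", "psn-dc1-03", "psn-dc1-04", "psn-dc1-05"]


def build_dhcp_discover(client_mac: bytes, giaddr: str) -> bytes:
    """Constructed minimal DHCP Discover (RFC 2131 fixed header + magic cookie, no options),
    as an SVI relay agent would forward it: hops=1, giaddr=SVI address, chaddr=client MAC."""
    op, htype, hlen, hops = 1, 1, 6, 1
    xid, secs, flags = 0x3903F326, 0, 0x8000              # broadcast flag set
    zero_ip = b"\x00" * 4
    giaddr_b = bytes(int(o) for o in giaddr.split("."))
    chaddr = client_mac.ljust(16, b"\x00")
    return (struct.pack("!BBBBIHH", op, htype, hlen, hops, xid, secs, flags)
            + zero_ip + zero_ip + zero_ip + giaddr_b         # ciaddr, yiaddr, siaddr, giaddr
            + chaddr + b"\x00" * 64 + b"\x00" * 128          # chaddr, sname, file
            + b"\x63\x82\x53\x63")                           # magic cookie


def dhcp_client_mac(pkt: bytes) -> str:
    """chaddr starts at offset 28; hlen (offset 2) gives its length (6 for Ethernet)."""
    return ":".join(f"{b:02x}" for b in pkt[28:28 + pkt[2]])


def dhcp_relay_ip(pkt: bytes) -> str:
    """giaddr (offset 24) is the relay agent's address; the relayed UDP packet is also
    sourced from it, so this is the only L3 key an LB without DHCP parsing can use."""
    return ".".join(str(b) for b in pkt[24:28])


def build_radius_access_request(calling_station_id: str, nas_ip: str) -> bytes:
    """Constructed minimal RADIUS Access-Request (RFC 2865) carrying NAS-IP-Address (4)
    and Calling-Station-Id (31). The authenticator is a fixed placeholder for the example."""
    nas = bytes(int(o) for o in nas_ip.split("."))
    csid = calling_station_id.encode()
    attrs = (struct.pack("!BB", 4, 2 + len(nas)) + nas
             + struct.pack("!BB", 31, 2 + len(csid)) + csid)
    header = struct.pack("!BBH", 1, 0x7A, 20 + len(attrs))  # code=Access-Request, id, length
    return header + b"\x11" * 16 + attrs


def radius_attributes(pkt: bytes) -> dict:
    """Walk the TLV attribute list that follows the 20-byte RADIUS header."""
    total = struct.unpack("!H", pkt[2:4])[0]
    attrs, i = {}, 20
    while i + 2 <= total:
        atype, alen = pkt[i], pkt[i + 1]
        if alen < 2 or i + alen > total:
            break                                            # malformed attribute; stop parsing
        attrs[atype] = pkt[i + 2:i + alen]
        i += alen
    return attrs


def radius_calling_station_id(pkt: bytes) -> str:
    """Normalise the NAD's 'AA-BB-CC-DD-EE-FF' form to the same shape as the DHCP chaddr."""
    return radius_attributes(pkt)[31].decode().lower().replace("-", ":")


def pick_psn(key: str, psns=PSNS) -> str:
    """Stand-in for the LB's persistence lookup: a stable hash of the key selects the PSN."""
    digest = hashlib.sha256(key.encode()).digest()
    return psns[int.from_bytes(digest[:4], "big") % len(psns)]


def route_pair(mac: str, relay_ip: str, nas_ip: str, dhcp_mac_aware: bool) -> tuple:
    """Return (PSN for RADIUS, PSN for DHCP) for one endpoint. RADIUS persists on
    attribute 31 as in the post; DHCP persists on the client MAC only if the LB parses
    DHCP, otherwise on the relay agent's IP."""
    radius = build_radius_access_request(mac.upper().replace(":", "-"), nas_ip)
    dhcp = build_dhcp_discover(bytes.fromhex(mac.replace(":", "")), relay_ip)
    dhcp_key = dhcp_client_mac(dhcp) if dhcp_mac_aware else dhcp_relay_ip(dhcp)
    return pick_psn(radius_calling_station_id(radius)), pick_psn(dhcp_key)


def count_split_endpoints(n: int, dhcp_mac_aware: bool) -> int:
    """Constructed population of n endpoints on one VLAN (one relay IP, one NAD):
    how many have their DHCP and RADIUS landing on different PSNs?"""
    split = 0
    for i in range(n):
        mac = f"00:11:22:33:{(i >> 8) & 0xFF:02x}:{i & 0xFF:02x}"
        r, d = route_pair(mac, "10.20.30.1", "10.20.30.2", dhcp_mac_aware)
        split += r != d
    return split


if __name__ == "__main__":
    print("LB unaware of DHCP :", count_split_endpoints(200, False), "of 200 endpoints split")
    print("LB persists on MAC :", count_split_endpoints(200, True), "of 200 endpoints split")
```

With MAC-aware DHCP persistence the split count is zero by construction, because both flows hash the same normalised MAC. Without it, the DHCP side collapses onto the single PSN chosen for the relay address, so the fraction of endpoints whose DHCP and RADIUS diverge is roughly (N-1)/N for N PSNs; a lab that happens to test only a handful of MACs can easily look "sticky" by chance.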

Vivek Ganapathi
Level 4

Any directions please?

Regards

Vivek

Did some analysis of a specific workstation not being profiled by ISE using the built-in Endpoint Debug option in ISE, found under Operations --> Diagnostic Tools --> Endpoint Debug (seems to be a new feature in ISE 1.3). This clearly showed that the traffic for a specific endpoint is only reaching a specific PSN. Based on the analysis of the logs, it looks like ISE never received DHCP attribute information from the endpoint or the DHCP relay agent. From the same workstation subnet, I can see the DHCP information from other workstations. Has anyone faced this?

Regards

Vivek

Facing the same issue. Following this post.