06-26-2015 06:42 AM - edited 03-10-2019 10:51 PM
Hello All,
Has anyone been facing issues with profiling on ISE? Below is a summary of the issue I have been facing.
We have installed 5 x PSNs at each DC (2 DCs), load balanced behind a hardware load balancer. The PSNs have their gateway defined as the LB to avoid doing source NAT. So, the NAD has been configured with the virtual IP of the load balancer for RADIUS authentications, with L7 persistence based on the Calling-Station-ID (RADIUS attribute 31) on the load balancer.
For profiling, ISE is using DHCP for this purpose. We have SVIs with the IP helpers pointing to the virtual IP of the load balancer again (one per DC).
There are currently 5000+ endpoints being authenticated by ISE at the moment, of which a few endpoints are being identified as "Unknown". Did a bit of investigation & found that some of them are workstations (Windows machines). The weird part is, we are not seeing any DHCP related information on ISE from these machines (confirmed with local IT that these machines have not been configured with static IPs). Along with this, there are a few machines in the same VLAN segment being profiled correctly by ISE as a "Workstation". So, this is not an issue with the helper configuration on the SVI.
Just to add, those switches configured for NAC don't have the IOS sensor function, unfortunately.
My suspicion is on the load balancing, as we have configured the IP helpers to point to the virtual IP; I am not sure how the load balancer handles this traffic, as this is a DHCP packet & there is no configuration on the LB for it. I know a few load balancers like F5 allow matching against a DHCP attribute like DHCP-Client-Identifier, which allows the LB to stick the same session to the same PSN, allowing optimization of the endpoint profiling. But the weird part here is, we did a few tests in our lab & found that even though there is no specific configuration on the LB related to DHCP handling, the LB still seems to stick the DHCP & RADIUS to the same PSN (possibly being lucky). But I didn't understand why, as the DHCP packet will have the DHCP relay agent (gateway IP) as its source whereas the RADIUS packet will have the NAD as its source, & the persistence (stickiness) criterion is the client MAC address. For those requests which are unlucky, there is a potential for the DHCP & RADIUS to be delivered to different PSNs. The question is, what can happen if they were to be delivered to different PSNs? (By the way, all 5 PSNs in each DC are part of their own node group cluster.) Is my investigation going in the right direction? Is there something else I should be looking at as well?
Regards
Vivek
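The mismatch described in the post comes down to which field the load balancer keys persistence on for each flow: RADIUS carries the client MAC in Calling-Station-Id (attribute 31), while a relayed DHCP packet arrives from the relay agent's address (giaddr) and carries the client MAC only inside the payload (chaddr and option 61). The following Python script is an added example, not code from the original thread, Cisco or any load-balancer vendor. It parses a constructed relayed DHCPDISCOVER and a constructed RADIUS Access-Request, extracts the candidate persistence keys from each, and models a deterministic hash persistence over a hypothetical five-member PSN pool, once keyed on the relay source address (the default when the LB has no DHCP awareness) and once keyed on the DHCP client identifier. The PSN names, the sample MAC, relay address and hostname are all constructed.

```python
"""Correlate a relayed DHCP packet with a RADIUS request by client MAC and model
how load-balancer persistence choices spread the two flows across PSNs (added example)."""
import hashlib
import ipaddress
import struct

PSN_POOL = ["psn1", "psn2", "psn3", "psn4", "psn5"]   # hypothetical pool behind the VIP
DHCP_MAGIC = b"\x63\x82\x53\x63"                       # RFC 2131 options cookie


def fmt_mac(raw: bytes) -> str:
    """Render six raw bytes as a canonical lower-case colon-separated MAC."""
    return ":".join(f"{b:02x}" for b in raw[:6])


def normalize_mac(text: str) -> str:
    """Accept NAD formats such as 00-11-22-33-44-55 or 0011.2233.4455; return canonical form."""
    hexdigits = "".join(c for c in text.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_dhcp(pkt: bytes) -> dict:
    """Extract the fields a relay or DHCP-aware LB could key on: giaddr, chaddr, option 61, 12, 53."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    _op, _htype, hlen, _hops, xid = struct.unpack_from("!BBBBI", pkt, 0)
    giaddr = str(ipaddress.IPv4Address(pkt[24:28]))   # relay agent address; the LB sees this as source
    chaddr = fmt_mac(pkt[28:28 + hlen])
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:          # end option
            break
        if code == 0:            # pad option has no length byte
            i += 1
            continue
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    client_id = opts.get(61)
    return {
        "xid": xid,
        "giaddr": giaddr,
        "chaddr": chaddr,
        # Option 61 with type 0x01 carries the hardware (MAC) address as the identifier.
        "client_id": fmt_mac(client_id[1:]) if client_id and client_id[0] == 1 else None,
        "hostname": opts[12].decode(errors="replace") if 12 in opts else None,
        "msg_type": opts[53][0] if 53 in opts else None,
    }


def parse_radius(pkt: bytes) -> dict:
    """Return User-Name (1) and Calling-Station-Id (31) from a RADIUS packet (RFC 2865 TLVs)."""
    code, _ident, length = struct.unpack_from("!BBH", pkt, 0)
    attrs, i = {}, 20
    while i + 2 <= length:
        atype, alen = pkt[i], pkt[i + 1]
        if alen < 2:
            raise ValueError("malformed RADIUS attribute")
        attrs[atype] = pkt[i + 2:i + alen]
        i += alen
    csid = attrs.get(31)
    return {
        "code": code,
        "user_name": attrs.get(1, b"").decode(),
        "calling_station_id": normalize_mac(csid.decode()) if csid else None,
    }


def pick_psn(persistence_key: str, pool=PSN_POOL) -> str:
    """Model deterministic hash persistence: the same key always selects the same member."""
    digest = hashlib.sha256(persistence_key.encode()).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def psn_for_flows(dhcp: dict, radius: dict, dhcp_aware_lb: bool) -> tuple:
    """RADIUS is keyed on attribute 31; DHCP on giaddr unless the LB can read option 61/chaddr."""
    radius_psn = pick_psn(radius["calling_station_id"])
    dhcp_key = (dhcp["client_id"] or dhcp["chaddr"]) if dhcp_aware_lb else dhcp["giaddr"]
    return radius_psn, pick_psn(dhcp_key)


def build_sample_dhcp_discover() -> bytes:
    """Constructed relayed DHCPDISCOVER from 00:11:22:33:44:55 via relay 10.20.30.1."""
    mac = bytes.fromhex("001122334455")
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 1, 0x3903F326, 0, 0x8000)   # op..flags
    hdr += bytes(12) + ipaddress.IPv4Address("10.20.30.1").packed     # ciaddr, yiaddr, siaddr, giaddr
    hdr += mac.ljust(16, b"\x00") + bytes(64) + bytes(128)              # chaddr, sname, file
    opts = bytes([53, 1, 1]) + bytes([61, 7, 1]) + mac + bytes([12, 7]) + b"WKSTN01" + b"\xff"
    return hdr + DHCP_MAGIC + opts


def build_sample_radius_request() -> bytes:
    """Constructed Access-Request with Calling-Station-Id in the dashed format a NAD sends."""
    user, csid = b"host/WKSTN01", b"00-11-22-33-44-55"
    attrs = bytes([1, 2 + len(user)]) + user + bytes([31, 2 + len(csid)]) + csid
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(16) + attrs


if __name__ == "__main__":
    d, r = parse_dhcp(build_sample_dhcp_discover()), parse_radius(build_sample_radius_request())
    for aware in (False, True):
        print(f"DHCP-aware LB={aware}: RADIUS -> {psn_for_flows(d, r, aware)[0]}, "
              f"DHCP -> {psn_for_flows(d, r, aware)[1]}")
```

With `dhcp_aware_lb=True` both flows hash on the same normalized MAC and therefore always land on the same pool member; with `dhcp_aware_lb=False` the DHCP flow hashes on the relay address, so whether it coincides with the RADIUS member is a matter of how two unrelated keys happen to hash, which is the "possibly being lucky" case the post describes. On a real deployment the same parsing can be run over a capture taken at the PSN to confirm which member actually received each endpoint's DHCP.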
06-29-2015 12:54 AM
Any directions please?
Regards
Vivek
06-29-2015 04:46 AM
Did some analysis of a specific workstation not being profiled by ISE, using the inbuilt Endpoint Debug option in ISE found under Operations --> Diagnostic Tools --> Endpoint Debug (seems to be a new feature in ISE 1.3). This clearly specified that the traffic for a specific endpoint is only reaching a specific PSN. Based on the analysis of the logs, it looks like ISE never received DHCP attribute information from the endpoint or the DHCP relay agent. From the same workstation subnet, I can see the DHCP information from other workstations. Anyone faced this?
Regards
Vivek
01-26-2016 10:17 AM
Facing the same issue. Following this post.