03-22-2025 04:45 AM
Hello,
One of our customers has Avaya IP Phones with static IPs. The customer has disabled LLDP on the switches due to audit requirements. What would be the best profiling probe method to use in such scenarios?
Thanks
Shabeeb
03-22-2025 07:27 AM
In scenarios where LLDP is disabled and Avaya IP Phones are using static IPs, the best profiling probe method would be to rely on DHCP probes if possible. Even with static IPs, DHCP probes can still gather useful information from devices that interact with the DHCP server during initial setup or renewal processes. Alternatively, RADIUS probes can be effective for profiling, especially if the phones are authenticated through a RADIUS server. If neither of these options is viable, consider using SNMP queries to gather device-specific information directly from the network devices. These methods can help ensure accurate profiling without relying on LLDP.
03-22-2025 08:44 AM
03-23-2025 09:50 PM - edited 03-23-2025 09:52 PM
ISE has many probes for profiling; the best one is the RADIUS probe. All the probes are mentioned here - https://community.cisco.com/t5/security-knowledge-base/ise-profiling-design-guide/ta-p/3739456#toc-hId-1115939359
You can use the HTTP probe; it gives some good info.
I had used these commands in a non-LLDP/CDP environment:
ip http active-session-modules none
ip http secure-active-session-modules none
ip dhcp snooping
ip device tracking
device-tracking tracking auto-source
!
mac address-table notification change
mac address-table notification mac-move
!
snmp-server trap-source <Interface>
snmp-server enable traps links
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server view iseview iso included
snmp-server group ISE_GROUP v3 priv
snmp-server user ISE_USER ISE_GROUP v3 auth sha <AUTH_PASSWORD> priv aes 128 <PRIV_PASSWORD>
snmp-server group ISE_GROUP v3 auth read iseview write iseview notify iseview
snmp-server group ISE_GROUP v3 auth context vlan- match prefix read iseview
snmp-server host <ISEIP> version 3 priv ISE_USER
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps config
snmp-server enable traps dot1x
snmp-server enable traps mac-notification change move threshold
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server enable traps mac-notification
mac address-table notification change
mac address-table notification change interval 30
!
aaa new-model
dot1x system-auth-control
radius server ISE
 address ipv4 <iseIP> auth-port 1812 acct-port 1813
 key Key@123
aaa group server radius ISE-GROUP
 server name ISE
aaa server radius dynamic-author
 client <iseIP> server-key Key@123
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa authorization auth-proxy default group ISE-GROUP
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group ISE-GROUP
!
radius-server vsa send authentication
radius-server vsa send accounting
!
interface GigabitEthernet1/0/1
 description Wired Endpoint
 switchport mode access
 switchport access vlan 10
 !
 ! Enable 802.1X Authentication and MAB for non-802.1X devices
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action next-method
 authentication host-mode single-auth
 authentication violation restrict
 !
 ! Enable MAC Authentication Bypass (MAB) for non-802.1X devices
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
end
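An added example, not part of the thread or any poster's code: a small Python audit that checks an indented IOS config for the global commands from the post that feed the RADIUS and SNMPTRAP probes, and lists 802.1X ports with no MAB fallback. The probe-to-command mapping, the function names and the sample config are assumptions of this example.

```python
import re

# Assumed mapping (this example's): commands from the post that feed each ISE probe.
REQUIRED = {
    "radius": [r"aaa accounting dot1x default start-stop group \S+",
               r"radius-server vsa send accounting",
               r"ip device tracking|device-tracking tracking.*"],
    "snmptrap": [r"snmp-server host \S+ version 3 priv \S+",
                 r"snmp-server enable traps mac-notification.*"],
}

def parse(config):
    """Split an indented IOS config into global lines and interface blocks."""
    global_cmds, interfaces, current = [], {}, None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # blank lines and "!" comments carry no state
        if line[0].isspace():  # sub-command: keep only those under an interface
            if current is not None:
                current.append(line.strip())
            continue
        m = re.match(r"interface (\S+)", line)
        current = interfaces.setdefault(m.group(1), []) if m else None
        if not m:
            global_cmds.append(line.strip())
    return global_cmds, interfaces

def audit(config):
    global_cmds, interfaces = parse(config)
    missing = {probe: [p for p in pats
                       if not any(re.fullmatch(p, g) for g in global_cmds)]
               for probe, pats in REQUIRED.items()}
    # A phone with no supplicant reaches RADIUS only if the port falls back to MAB.
    no_mab = [name for name, cmds in interfaces.items()
              if "authentication port-control auto" in cmds and "mab" not in cmds]
    return missing, no_mab

# Constructed sample (not the poster's config); 192.0.2.10 is a documentation address.
SAMPLE = """\
ip device tracking
snmp-server enable traps mac-notification change move
snmp-server host 192.0.2.10 version 3 priv ISE_USER
aaa accounting dot1x default start-stop group ISE-GROUP
interface GigabitEthernet1/0/1
 authentication port-control auto
 mab
interface GigabitEthernet1/0/2
 authentication port-control auto
"""
print(audit(SAMPLE))
```

The parser relies on sub-commands being indented, as in a `show running-config` capture, so a config pasted without indentation needs to be re-indented first.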