Cisco profiling using RADIUS device sensor

wiong
Cisco Employee

Hi,

I want to identify the endpoint and then place the endpoint on the appropriate VLAN. The endpoint should not be allowed to connect to the network (no IP address assignment, no network communication) until it has been successfully identified to be a legitimate endpoint (IP phone, printer, etc).

If I enable device sensor on my switch and use RADIUS as the probe for profiling, assuming that LLDP is able to display the endpoint TLV attributes, is the above requirement possible? Until the device has been successfully profiled and matched to a profile policy (e.g. IP phone), the switch will not put the endpoint into the voice VLAN, where it would be able to grab an IP address. My customer is paranoid and wants the endpoint to be denied by the network until it has been identified.

2 Replies

Damien Miller
VIP Alumni
One could approach this through more typical means, for example "closed mode" or TrustSec. One denies all traffic but EAP with a pre-auth ACL, or maybe just DHCP in your case. Once authentication and profiling have been completed, you send a CoA with a new DACL that allows the endpoint to pick up an IP.

Take a look at this guide as it covers closed mode that looks like it would fit the requirements.
https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_20_phased_deployments_overview.pdf

Hi Damien,

I want to emulate the case of an endpoint using dot1x authentication. Only when the user credential authentication is successful will the switch port allow the endpoint to connect to the network; otherwise the endpoint is effectively blocked from transmitting any network packets.

In my scenario, the endpoint does not have a supplicant because it is an IoT endpoint. So I want ISE to profile and identify the endpoint before it is allowed to connect to the network.

By the way, do I need to add the IoT endpoint MAC address into the MAB before ISE will allow the endpoint to connect to the network and start profiling?
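As an added illustration (not posted by either participant), the switch-side configuration that Damien's closed-mode approach and the MAB question imply: device sensor collects LLDP/CDP/DHCP TLVs and ships them to ISE in RADIUS accounting, the port runs MAB with closed mode so nothing but EAPOL is forwarded until ISE authorizes the session, and CoA is enabled so ISE can re-authorize once the endpoint is profiled. The ISE address, shared key, VLAN numbers and interface are constructed placeholders; the restrictive interim DACL and the later voice-VLAN authorization are ISE policy, not switch configuration.

```cisco
! Constructed example for a Cisco IOS/IOS-XE access switch
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
! Interim accounting carries updated device-sensor data to ISE
aaa accounting update newinfo periodic 2880
! Accept CoA from ISE (placeholder address and key)
aaa server radius dynamic-author
 client 192.0.2.10 server-key ExampleSharedKey
radius server ISE-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key ExampleSharedKey
dot1x system-auth-control
!
! Device sensor: which TLVs/options to collect and send in accounting.
! LLDP/CDP are processed by the switch itself, so they are learned even
! while the port is still unauthorized; DHCP is only seen once ISE has
! authorized at least DHCP for the session.
device-sensor filter-list lldp list DS-LLDP
 tlv name system-name
 tlv name system-description
 tlv name system-capabilities
device-sensor filter-spec lldp include list DS-LLDP
device-sensor filter-list cdp list DS-CDP
 tlv name device-name
 tlv name platform-type
 tlv name capabilities-type
device-sensor filter-spec cdp include list DS-CDP
device-sensor filter-list dhcp list DS-DHCP
 option name host-name
 option name class-identifier
 option name parameter-request-list
device-sensor filter-spec dhcp include list DS-DHCP
device-sensor accounting
device-sensor notify all-changes
!
! Closed mode: no "authentication open", so unauthorized traffic is dropped.
! MAB runs first for supplicant-less IoT endpoints; the MAC does not need
! to be pre-registered for MAB to trigger, ISE decides what it is allowed.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 99
 switchport voice vlan 100
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

Verify what the sensor has learned for a port with `show device-sensor cache interface GigabitEthernet1/0/1` and the session state with `show authentication sessions interface GigabitEthernet1/0/1 details`.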