Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1465
Views
0
Helpful
2
Replies

Device-Sensor and Automated-Tester Behavior

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎07-13-2019 05:38 PM

I've been developing and testing some new IBNS 2.0 configurations on a 3850 with 16.6.6/16.9.3a and came across some odd behavior/interaction with device sensor and the automated tester.  I have a TAC case open on this (SR# 687085849), and I am trying to determine if this is the expected behavior or a bug. I have asked TAC but have not heard back, so anyone know if it should behave this way? 

What I have found is that when "automate-tester username NAD-Tester ignore-acct-port probe-on" is added to the radius server configuration, learned device sensor attributes that appear in the cache do not get forwarded to ISE. 

If I use "automate-tester username NAD-Tester probe-on", removing the "ignore-acct-port", then device sensor attributes show up in ISE, doesn't seem like it should act this way. 

 

Radius server example where device sensor data is not sent
radius server ISE-VIP-A
address ipv4 10.1.1.1 auth-port 1812 acct-port 1813
pac key xxxxxxxxxxx
automate-tester username NAD-Tester ignore-acct-port probe-on

Radius server example where device sensor data is forwarded as expected
radius server ISE-VIP-A
address ipv4 10.1.1.1 auth-port 1812 acct-port 1813
pac key xxxxxxxxxxx
automate-tester username NAD-Tester probe-on

 

This is the same as configured in the ISE Secure Wired Access Prescriptive Deployment Guide, so quite a few deployments could have this issue and not even realize their profiling is hindered.  
https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515

1 person had this problem
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Surendra
Cisco Employee
Cisco Employee

‎07-14-2019 12:40 AM

It should not behave that way. The command should only restrict automate tester from sending probes on 1813/1646. Seems like a bug to me.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Surendra
Cisco Employee
Cisco Employee

‎07-14-2019 12:40 AM

It should not behave that way. The command should only restrict automate tester from sending probes on 1813/1646. Seems like a bug to me.
0 Helpful

Go to solution
Damien Miller
VIP Alumni
VIP Alumni
In response to Surendra

‎07-14-2019 12:27 PM

That agrees with how I feel the command/feature should work. I'll continue to work the TAC case and follow up when complete.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents