09-20-2021 07:05 AM - edited 09-20-2021 07:15 AM
I am looking for a document that ISE 3.x *default Cisco profiling policies* can RADIUS profile from IOS Device Sensor DHCP, LLDP and CDP attributes. Does such a thing exist?
For example, there are different/inconsistent attributes in different CLI config examples for IOS Device Sensor DHCP. With no information on what ISE actually uses in the default profiling policies, it's difficult to say which attributes are actually used, missing, or can be removed. Would like to find the ultimate list of attributes needed, which is confirmed and blessed by Cisco.
And a separate question, I see some IOS Device Sensor configs for DHCP, LLDP and CDP trying to collect "requested-address", while others (SDA configs for example) don't gather this info (endpoint's IP address). I am curious why that is? I think it might have something to do with how accounting/authentication work in pre and post IBNS 2.0 worlds, but would like to find a confirmation.
You could of course write your own profiling policy that profiles an endpoint based on its IP address (DHCP lease reservation), makes sense. And probably no default profiling policy from Cisco would ever profile based on endpoint's random IP. But I'm curious if this IP info ends up getting used in ISE.
The following config is pushed to switches in SDA, but I'm curious if it's missing anything important that should also be included:
device-sensor filter-list lldp list iseLLDP
 tlv name system-name
 tlv name system-description
 tlv name system-capabilities
device-sensor filter-list dhcp list iseDHCP
 option name host-name
 option name parameter-request-list
 option name class-identifier
device-sensor filter-list cdp list iseCDP
 tlv name device-name
 tlv name capabilities-type
 tlv name version-type
 tlv name platform-type
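An added example, not part of the original post or of Cisco's documentation: a small Python parser that turns `device-sensor filter-list` blocks into per-protocol attribute sets and diffs two configs, so differences between config examples become explicit. The second config is constructed for illustration: it is the SDA config above plus the `requested-address` DHCP option mentioned in the post.

```python
import re

# SDA filter lists, copied from the post above.
SDA_CONFIG = """\
device-sensor filter-list lldp list iseLLDP
 tlv name system-name
 tlv name system-description
 tlv name system-capabilities
device-sensor filter-list dhcp list iseDHCP
 option name host-name
 option name parameter-request-list
 option name class-identifier
device-sensor filter-list cdp list iseCDP
 tlv name device-name
 tlv name capabilities-type
 tlv name version-type
 tlv name platform-type
"""
# Constructed comparison config (an assumption, not from any Cisco guide):
# the SDA lists plus the DHCP "requested-address" option the post mentions.
OTHER_CONFIG = SDA_CONFIG.replace(
    "class-identifier\n", "class-identifier\n option name requested-address\n")

HEADER = re.compile(r"^device-sensor filter-list (\S+) list (\S+)$")
ENTRY = re.compile(r"^(?:tlv|option) name (\S+)$")

def parse_filter_lists(config):
    """Return {protocol: set of attribute names} from filter-list blocks."""
    lists, current = {}, None
    for line in map(str.strip, config.splitlines()):
        header, entry = HEADER.match(line), ENTRY.match(line)
        if header:
            current = lists.setdefault(header.group(1), set())
        elif entry and current is not None:
            current.add(entry.group(1))
        elif line and not entry:
            current = None  # any other command ends the filter-list block
    return lists

def diff_filter_lists(a, b):
    """Return {protocol: (only_in_a, only_in_b)} where the lists differ."""
    out = {}
    for proto in sorted(set(a) | set(b)):
        x, y = a.get(proto, set()), b.get(proto, set())
        if x != y:
            out[proto] = (sorted(x - y), sorted(y - x))
    return out
```

Running `diff_filter_lists(parse_filter_lists(SDA_CONFIG), parse_filter_lists(OTHER_CONFIG))` reports only the DHCP difference; it says nothing about which attributes the default ISE profiling policies actually consume.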
09-21-2021 08:14 AM
Please refer to "ISE Profiling Design Guide" https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456
... Other attributes may also be available per probe, but the following list highlights the most common or useful attributes for typical deployments.
Probe | Key Profiling Attributes |
RADIUS | |
RADIUS w/Device Sensor | |
09-20-2021 07:11 AM
I am looking for a document that ISE 3.x can RADIUS profile from IOS Device Sensor DHCP, LLDP and CDP attributes? Does such a thing exist?
-I don't know if one exists specifically for 3.x. However, the link below is a great pool of resources. Take a peek at the 'Visibility' section for profiling guides. HTH!