How to Confirm Network Device Logging to Cisco ISE Server?

Matthew Martin
Level 5

Hello All,

Cisco ISE: 2.0.0.306
Switch:  WS-C2960X-24PS-L
Switch Version: 15.0(2a)EX5


We have had our ISE server up and running for a few months now and it all seems to be working just fine. Now, we plan on extending the security measures to our remote branch offices, which are using the 2960X switches. When we configured our HQ for ISE we had a consultant come in and help us get ISE set up and running, and he helped us configure our 4510R+E core switch (*and WLC). But, when we configured the 4510 I don't remember us setting up too many logging commands, if any, on the core switch.

Now that I'm working on the remote offices I am using the Cisco ISE Administrator Guide Release 2.0 pdf, which has a section for configuring your Network Devices (*i.e. the switches configured to pass authentication to ISE). In that chapter for configuring the Network Devices, there is a section on configuring a few logging and SNMP trap commands that claim to assist ISE in device profiling, debugging/troubleshooting, etc...

Using the guide I configured the following Commands:

Global Commands:
	epm logging
	logging monitor informational
	logging origin-id ip
	logging source-interface Vlan1
	logging host <ise-server-ip> transport udp port 20514

	snmp-server group admins v3 priv 
	snmp-server group admins v3 priv context vlan-1		!--> Access Vlan
	snmp-server group admins v3 priv context vlan-2		!--> Voice Vlan
	snmp-server group admins v3 priv context vlan-7		!--> Public Wi-Fi Vlan
	snmp-server community <community-string> RO
	snmp-server trap-source Vlan1
	snmp-server source-interface informs Vlan1
	snmp-server enable traps mac-notification change move threshold
	snmp-server host <ise-server-ip> version 2c <community-string>  mac-notification

Interface Level Commands:
	snmp trap mac-notification change added
	snmp trap mac-notification change removed


Now that I have all of this configured on the switch I'm wondering how I can verify the logging and SNMP traps are reaching ISE. And how can I use this information on the ISE Server? Are there reports that can be run with this info in them..?

Also, it says in the guide that it helps with Profiling devices. I have noticed many times where a Cisco 7941/ 796x/ 7911/ etc IP Phone was connected to one of the configured switches and it fails authentication (*802.1x and MAB) and in the ISE LiveLog you can see it getting profiled as just a cisco-device instead of a Cisco-IP-Phone-79xx for example. But, after a good while OR after connecting and reconnecting it a few times, it will finally profile to a "Cisco-IP-Phone-7941", or whichever model the phone is... So with these logging and SNMP trap commands now configured on the switch, should it now Profile these devices more accurately and more quickly?

Any thoughts or suggestions would be greatly appreciated!

Thanks in Advance,
Matt
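Before rolling the same commands out to the remaining branch switches, one practical check is to audit each switch's running-config against the command list from the guide, so a port that never got the interface-level trap commands is caught before it is relied on for profiling. This is an added example, not code from the thread or from Cisco: a small Python checker that assumes the command list quoted above (trimmed to the essential lines) and a constructed sample config with an RFC 5737 documentation address standing in for <ise-server-ip>.

```python
import re
# Global commands from the ISE 2.0 Administrator Guide as quoted in the question above (trimmed
# to the essential ones); a placeholder such as <ise-server-ip> becomes a \S+ wildcard.
REQUIRED_GLOBAL = [
    r"^epm logging$",
    r"^logging host \S+ transport udp port 20514$",
    r"^snmp-server enable traps mac-notification change move threshold$",
    r"^snmp-server host \S+ version 2c \S+ +mac-notification$",
]
# Interface-level trap commands expected on every port that authenticates through ISE.
REQUIRED_INTERFACE = [r"^snmp trap mac-notification change added$",
                      r"^snmp trap mac-notification change removed$"]
# A port counts as ISE-authenticated if it carries any of these sub-commands.
AUTH_MARKERS = ("authentication port-control auto", "mab", "dot1x pae authenticator")
# Constructed sample running-config (not from the post): Gi1/0/1 is complete, Gi1/0/2 lacks
# the "removed" trap, Gi1/0/3 is an uplink, and "epm logging" is missing globally.
SAMPLE_CONFIG = """\
logging host 192.0.2.10 transport udp port 20514
snmp-server enable traps mac-notification change move threshold
snmp-server host 192.0.2.10 version 2c examplecommunity  mac-notification
interface GigabitEthernet1/0/1
 authentication port-control auto
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
interface GigabitEthernet1/0/2
 mab
 snmp trap mac-notification change added
interface GigabitEthernet1/0/3
 description uplink
"""
def parse_ios_config(text):
    """Split an IOS running-config into global lines and per-interface sub-command lists."""
    global_lines, interfaces, current = [], {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())  # indented line = sub-mode command
        elif line.strip() and not line.startswith("!"):
            current = None  # back at global level; blanks and "!" separators are skipped
            global_lines.append(line.strip())
    return global_lines, interfaces
def missing(patterns, lines):
    return [p for p in patterns if not any(re.match(p, l) for l in lines)]  # unmatched patterns
def audit(text):
    # Returns (missing global commands, {port: missing trap commands}) for ISE-facing ports only.
    global_lines, interfaces = parse_ios_config(text)
    per_port = {name: missing(REQUIRED_INTERFACE, lines) for name, lines in interfaces.items()
                if any(m in lines for m in AUTH_MARKERS)}  # uplinks and other ports are ignored
    return missing(REQUIRED_GLOBAL, global_lines), {k: v for k, v in per_port.items() if v}
```

Feed it the output of "show running-config" from each branch switch; an empty result on both sides means the guide's logging and trap commands are all present where they are expected.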

Accepted Solution

Francesco Molino
VIP Alumni

Hi 

For profiling devices, you need to configure on ISE all probes you want to use to profile a device. This is under the ISE setting page where you enabled profiling services. 

If you have the advanced license, you can also activate Cisco feed update service. 

To see if your SNMP traps are sent to ISE you can use the following debug commands on your switch: 

debug snmp packets

debug mac-notification

When a device is not profiled as expected, that means ISE did not have accurate data to profile it; this is where probes become important, mainly if you're doing BYOD.

Thanks 

PS: Please don't forget to rate and mark as correct answer if this answered your question



4 Replies


Hi Francesco, thanks for the reply!

Ok, I'll have to look into the "probes" you mentioned. Could you tell me where on ISE these Probes are configured?

Also, I am attaching a screenshot of the Licensing page of ISE. It looks like we might possibly have the Advanced license, but I'm not sure. Maybe you can tell from the screenshot.

As for the Cisco feed update service, is this what I see under the Administration tab? There's a section in there called "Feed Services > Profiler"..?

Thanks Again,
Matt

Actually I think I found these settings. Maybe you can confirm?

Cisco Feed Update Service:

Administration > Feed Service > Profiler
*The Enable checkbox is checked and clicking the "Test Feed Service Connection" button is successful...

Probes:

Administration  >  System  >  Deployment  >  [Select Policy Node]
*While inside that Node's configuration the "Enable Profiling Service" option is checked. Then under the "Profiling Configuration" tab, all the probes are checked except for DNS and SNMPTRAP. So I checked SNMPTRAP to enable it and left DNS unchecked as this was the default.


Do you think adding the snmp trap commands, like I did on the 24-port 2960X, would cause issues on the 4510R+E, which is our HQ's core switch? It currently has just about 200 switchports configured for authentication through ISE (*i.e. user workstations, printer stations, etc)...? I was worried there might be an impact on CPU or some other internal resources.

Thanks Again,
Matt

Yes, these are the features to set up. For sure you'll have an impact on CPU, but it normally won't spike your CPU. The more things you activate, the more accurate your profiling is, and also the more CPU you will consume. Again, you won't consume 100% unless you're facing a bug. 

Thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question