07-22-2022 03:42 AM - edited 07-25-2022 08:40 PM
Hi guys,
I've enabled just the SNMP probe, and disabled the RADIUS probe,
and I suppose this LLDP information is collected by SNMP.
The endpoint has adopted the policy defined by LLDP but the EndPointSource shows RADIUS Probe.
From the captured SNMP packets, I can see that SNMP did collect the LLDP information.
So why does the EndPointSource show RADIUS Probe, and how can I make the EndPointSource show SNMP probe?
07-24-2022 05:15 AM
Hi @jinyuanbao ,
remember that (at ISE Administrator Guide - ISE Endpoint Profiling Policies)
" ... Not ALL Probes are enabled by default. Some Probes are partially enabled even when they are NOT explicitly enabled by a check mark ... "
HTTP and RADIUS are examples of partially enabled Probes.
" ... even when the HTTP Probe is disabled on the PSN, the Node will parse the Browser User Agent string from the Web Traffic and correlate the data to the Endpoint based on its associated Session ID ... "
" ... The RADIUS Probe is running by default, even for systems NOT configured for Profiling Service to ensure ISE can track Endpoint Authentication and Authorization details for use in Context Visibility Services ... "
Hope this helps !!!
07-24-2022 02:23 PM
That's quite an odd way to implement a product in my opinion. If disabling RADIUS Probes still allows the RADIUS accounting data to be processed, then what have we achieved? Nada. And we should never disable RADIUS Accounting when using ISE because ISE relies on that data for session management. But we should be given the choice to NOT process the data. And quite honestly, I think this should be answered by the TAC since in my opinion it smells like a defect - the profiling has LLDP all over it - what has RADIUS probe got to do with that?
07-24-2022 07:27 PM
Hi @Arne Bier ,
I agree with you that " ... we should be given the choice to NOT process the data ... ".
It is also important to make people aware that HTTP and RADIUS are partially enabled, as not all people know this.
07-23-2022 11:25 PM
Interesting - are you able to delete that endpoint and repeat the exercise and get the same result?
I also don't understand why the EndpointSource says "RADIUS probe". It was my understanding that this would be flagged as RADIUS Probe if ISE was processing RADIUS Accounting Interim Update requests relating to that Calling-Station-ID. Is RADIUS Accounting enabled? If it's a Cisco switch, do you have Device Tracking and/or Device Sensor enabled?
07-26-2022 01:18 AM - edited 07-26-2022 07:14 PM
"are you able to delete that endpoint and repeat the exercise and get the same result?"
Yes, I've deleted it and repeated several times and get the same result.
"Is RADIUS Accounting enabled?"
Administration > System > Logging > Logging Categories > RADIUS Accounting. Do you mean this option? I've tried to disable this, and luckily the EndPointSource shows SNMPQuery Probe now, although I'm not sure how this RADIUS Accounting option works.
Thanks!! Helps a lot!
"If it's a Cisco switch, do you have Device Tracking and/or Device Sensor enabled?"
It's not a Cisco switch, sadly.
07-26-2022 05:27 AM
Hi @jinyuanbao ,
about " ... I'm not sure how this RADIUS Accounting option works ... ", if you are using Cisco SW:
(config)# aaa accounting network default start-stop group radius
. it sends a START Accounting notice at the beginning of the RADIUS Requested event and a STOP Accounting notice at the end of the event !!!
(config)# aaa accounting update newinfo periodic 2880
. when the newinfo keyword is used, Interim Accounting records are sent to the Accounting Server every time there is new accounting information to report !!!
. The periodic 2880 results in the SW sending an Interim Accounting update regardless if the SW observes a change for the Active Session or not.
Hope this helps !!!
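An added example, not part of the thread and not Cisco code: the thread ties the RADIUS Probe source to accounting Start/Interim/Stop records for an endpoint's Calling-Station-ID, so this sketch parses RADIUS Accounting-Request payloads (RFC 2866) and lists which status types were seen for one endpoint. The function names are hypothetical, the sample packets are constructed with a zeroed authenticator, and the Calling-Station-Id is matched as an exact string, so use the format your switch sends.

```python
import struct

# RFC 2865/2866 constants
ACCOUNTING_REQUEST = 4          # RADIUS packet code
CALLING_STATION_ID = 31         # attribute type
ACCT_STATUS_TYPE = 40           # attribute type
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def parse_accounting(packet: bytes):
    """Return (status, calling_station_id) for an Accounting-Request, else None."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    if code != ACCOUNTING_REQUEST:
        return None
    status, mac = None, None
    pos = 20  # skip code, identifier, length and 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == ACCT_STATUS_TYPE and len(value) == 4:
            num = struct.unpack("!I", value)[0]
            status = STATUS_NAMES.get(num, str(num))
        elif atype == CALLING_STATION_ID:
            mac = value.decode("ascii", "replace").upper()
        pos += alen
    return status, mac

def build_sample(status: int, mac: str) -> bytes:
    """Constructed sample packet (zeroed authenticator, not from a real capture)."""
    attrs = bytes([ACCT_STATUS_TYPE, 6]) + struct.pack("!I", status)
    attrs += bytes([CALLING_STATION_ID, 2 + len(mac)]) + mac.encode()
    return struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(attrs)) + bytes(16) + attrs

def accounting_seen(packets, mac: str):
    """List the accounting status types observed for one Calling-Station-Id."""
    parsed = (parse_accounting(p) for p in packets)
    return [r[0] for r in parsed if r and r[1] == mac.upper()]

if __name__ == "__main__":
    sample = [build_sample(1, "00-11-22-33-44-55"), build_sample(3, "00-11-22-33-44-55")]
    print(accounting_seen(sample, "00-11-22-33-44-55"))
```

An empty list for the endpoint's MAC means no accounting records for it were present in the payloads examined.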
07-26-2022 01:28 AM
Thanks!!