cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1623
Views
35
Helpful
7
Replies

How will EndPointSource shows snmp probe

jinyuanbao
Level 1
Level 1

hi guys

i've enabled just snmp probe, and disabled radius probe

node.png

 

 

 

 

and i suppose this lldp information is colleted by snmp
lldp.png

 

the endpoint has adopted the policy defined by lldp but the EndPointSource shows RADIUS Probe, 

result-radius probe.png

policy.png

 

from the captured snmp packets, i can see the snmp did collect the lldp information.

 

snmp收集lldp.png

so why the EndPointSource shows RADIUS Probe and how can i make the EndPointSource shows snmp probe?

 

3 Accepted Solutions

Accepted Solutions

Hi @jinyuanbao ,

 remember that (at ISE Administrator Guide - ISE Endpoint Profiling Policies)

" ... Not ALL Probes are enabled by default. Some Probes are partially enabled even when they are NOT explicitly enabled by a check mark ... "

HTTP and RADIUS are examples of partially enabled Probes.

" ... even when the HTTP Probe is disabled on the PSN, the Node will parse the Browser User Agent string from the Web Traffic and correlate the data to the Endpoint based on its associated Session ID ... "

" ... The RADIUS Probe is running by default, even for systems NOT configured for Profiling Service to ensure ISE can track Endpoint Authentication and Authorization details for use in Context Visibility Services ... "

 

Hope this helps !!!

View solution in original post

That's quite an odd way to implement a product in my opinion. If disabling RADIUS Probes still allows the RADIUS accounting data to be processed, then what have we achieved? Nada. And we should never disable RADIUS Accounting when using ISE because ISE relies on that data for session management. But we should be given the choice to NOT process the data. And quite honestly, I think this should be answered by the TAC since in my opinion it smells like a defect - the profiling has LLDP all over it - what has RADIUS probe got to do with that?

 

View solution in original post

Hi @Arne Bier ,

 I agree with you that " ... we should be given the choice to NOT process the data ... ".

 It is also important to make people aware that HTTP and RADIUS are partially enabled, as not all people know this.

View solution in original post

7 Replies 7

Arne Bier
VIP
VIP

Interesting - are you able to delete that endpoint and repeat the exercise and get the same result? 

I also don't understand why the EndpointSource says "RADIUS probe". It was my understanding that this would be flagged as RADIUS Probe if ISE was processing RADIUS Accounting Interim Update requests relating to that Calling-Station-ID. Is RADIUS Accounting enabled?  If it's a Cisco switch, do you have Device Tracking and/or Device Sensor enabled?

 

are you able to delete that endpoint and repeat the exercise and get the same result? 

yes, i've deleted and repeated for several times and get the same result.

Is RADIUS Accounting enabled?

Administration > System >
Logging > Logging Categories> RADIUS Accounting.           do you mean this option, i've tried to disable this, and luckily the  

EndPointSource shows SNMPQuery Probe now, although i'm not sure how this RADIUS Accounting option works.

Thanks!! Helps a lot!

 

snmpquery probe.png

If it's a Cisco switch, do you have Device Tracking and/or Device Sensor enabled?

it's not a cisco switch sadly.

 

 

 

Hi @jinyuanbao ,

 about " ... I'm not sure how this RADIUS Accounting option works ... ", if you are using Cisco SW:

(config)# aaa accounting network default start-stop group radius

. it sends a START Accounting notice at the beginning of the RADIUS Requested event and a STOP Accounting notice at the end of the event !!!

(config)# aaa accounting update newinfo periodic 2880

. when the newinfo keyword is used, Interim Accounting records are sent to the Accounting Server every time there is new accounting information to report !!!

. The periodic 2880 results in the SW sending an Interim Accounting update regardless if the SW observes a change for the Active Session or not.

 

Hope this helps !!!

Hi @jinyuanbao ,

 remember that (at ISE Administrator Guide - ISE Endpoint Profiling Policies)

" ... Not ALL Probes are enabled by default. Some Probes are partially enabled even when they are NOT explicitly enabled by a check mark ... "

HTTP and RADIUS are examples of partially enabled Probes.

" ... even when the HTTP Probe is disabled on the PSN, the Node will parse the Browser User Agent string from the Web Traffic and correlate the data to the Endpoint based on its associated Session ID ... "

" ... The RADIUS Probe is running by default, even for systems NOT configured for Profiling Service to ensure ISE can track Endpoint Authentication and Authorization details for use in Context Visibility Services ... "

 

Hope this helps !!!

That's quite an odd way to implement a product in my opinion. If disabling RADIUS Probes still allows the RADIUS accounting data to be processed, then what have we achieved? Nada. And we should never disable RADIUS Accounting when using ISE because ISE relies on that data for session management. But we should be given the choice to NOT process the data. And quite honestly, I think this should be answered by the TAC since in my opinion it smells like a defect - the profiling has LLDP all over it - what has RADIUS probe got to do with that?

 

Hi @Arne Bier ,

 I agree with you that " ... we should be given the choice to NOT process the data ... ".

 It is also important to make people aware that HTTP and RADIUS are partially enabled, as not all people know this.

Thanks!!