Mo Pourmirza
Beginner

IBNS 2.0 Device Sensor not working on Cisco IOS Denali 16.3.5b

Hi All,

 

We recently enabled the device-sensor feature on our Cisco Catalyst 3850 switches running IOS Denali 16.3.5b. For some reason ISE doesn't receive DHCP/CDP information of the endpoints. Has anyone experienced this issue before? Here is the switch global and interface config:

 

device-tracking policy Tracking_Policy
trusted-port
tracking enable

!

device-sensor filter-list lldp list LLDP-LIST
tlv name system-name
tlv name system-description
!
device-sensor filter-list cdp list CDP-LIST
tlv name device-name
tlv name address-type
tlv name capabilities-type
tlv name platform-type
!
device-sensor filter-list dhcp list DHCP-LIST
option name host-name
option name requested-address
option name parameter-request-list
option name class-identifier
option name client-identifier
device-sensor filter-spec dhcp include list DHCP-LIST
device-sensor filter-spec lldp include list LLDP-LIST
device-sensor filter-spec cdp include list CDP-LIST
device-sensor notify all-changes
access-session attributes filter-list list DEVICE-SENSOR
cdp
lldp
dhcp
access-session authentication attributes filter-spec include list DEVICE-SENSOR
access-session accounting attributes filter-spec include list DEVICE-SENSOR
access-session monitor

###Interface Config###

interface GigabitEthernet6/0/13
switchport access vlan 123
switchport mode access

switchport voice vlan 25
device-tracking attach-policy Tracking_Policy
authentication periodic
authentication timer reauthenticate server
access-session control-direction in
access-session port-control auto
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 10
spanning-tree portfast
service-policy type control subscriber POLICY_V3
end

 

Switch-01#sh device-sensor cache int Gi6/0/13
Device: 1c17.d341.bf8d on port GigabitEthernet6/0/13
--------------------------------------------------
Proto Type:Name Len Value
DHCP 55:parameter-request-list 9 37 07 01 42 06 03 0F 96 23
DHCP 60:class-identifier 40 3C 26 43 69 73 63 6F 20 53 79 73 74 65 6D 73 2C
20 49 6E 63 2E 20 49 50 20 50 68 6F 6E 65 20 43
50 2D 37 39 36 35 47 00
DHCP 12:host-name 17 0C 0F 53 45 50 31 43 31 37 44 33 34 31 42 46 38
44
DHCP 61:client-identifier 9 3D 07 01 1C 17 D3 41 BF 8D
LLDP 6:system-description 45 0C 2B 43 69 73 63 6F 20 49 50 20 50 68 6F 6E 65
20 37 39 36 35 47 2C 56 38 2C 20 53 43 43 50 34
35 2E 39 2D 34 2D 32 53 52 33 2D 31 53
LLDP 5:system-name 28 0A 1A 53 45 50 31 43 31 37 44 33 34 31 42 46 38
44 2E 49 54 56 70 6C 63 2E 61 64 73
CDP 2:address-type 17 00 02 00 11 00 00 00 01 01 01 CC 00 04 0A 96 16
D4
CDP 28:secondport-status-type 7 00 1C 00 07 00 02 80
CDP 6:platform-type 23 00 06 00 17 43 69 73 63 6F 20 49 50 20 50 68 6F
6E 65 20 37 39 36 35
CDP 4:capabilities-type 8 00 04 00 08 00 00 04 90
CDP 1:device-name 19 00 01 00 13 53 45 50 31 43 31 37 44 33 34 31 42
46 38 44

 

 

Accepted Solutions
ldanny
Cisco Employee

I would try using image 16.8.1a and see if this helps.

I recommend you raise a case with TAC.

paul
Advocate

Do you have your AAA accounting properly configured?

 

aaa accounting identity default start-stop group ISE-RADIUS
aaa accounting update newinfo

Hi Paul,

 

Yes we have. Please see below:

 

aaa accounting update newinfo periodic 2880
aaa accounting identity default start-stop group ISE-Servers

 

 

jalemanp
Cisco Employee

Since "Switch-01#sh device-sensor cache int Gi6/0/13" shows the sensor information, I believe you need to check in the accounting packets that the information is sent to ISE. Also, you may need to collect a packet capture in ISE to confirm whether the accounting information that is received contains the CDP/DHCP/LLDP info.
Check the following document for RADIUS accounting debug. The packet capture in ISE can be collected under Operations > Troubleshoot > Diagnostic Tools > TCP Dump.
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200292-Configure-Device-Sensor-for-ISE-Profilin.html
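When comparing the switch cache against the accounting capture on ISE, it helps to know the readable values behind the hex rows. The following is an added example, not code from the thread or from Cisco: it decodes rows of the cache output posted above, assuming each cached value is the complete TLV including its protocol header (which is what the Len column on the page matches). The names `parse_cache` and `strip_header` are illustrative.

```python
import re
# Rows copied from the cache output in the original post, wrapped as on the page.
SAMPLE = """\
DHCP 60:class-identifier 40 3C 26 43 69 73 63 6F 20 53 79 73 74 65 6D 73 2C
20 49 6E 63 2E 20 49 50 20 50 68 6F 6E 65 20 43
50 2D 37 39 36 35 47 00
DHCP 12:host-name 17 0C 0F 53 45 50 31 43 31 37 44 33 34 31 42 46 38
44
LLDP 5:system-name 28 0A 1A 53 45 50 31 43 31 37 44 33 34 31 42 46 38
44 2E 49 54 56 70 6C 63 2E 61 64 73
CDP 6:platform-type 23 00 06 00 17 43 69 73 63 6F 20 49 50 20 50 68 6F
6E 65 20 37 39 36 35
"""
HEX = r"((?:[0-9A-Fa-f]{2}\s*)+)"
ROW = r"(DHCP|LLDP|CDP)\s+(\d+):(\S+)\s+(\d+)\s+" + HEX

def strip_header(proto, raw):
    """Split one cached TLV into (type, payload), checking the length field."""
    if proto == "DHCP":    # 1-byte option code, 1-byte length
        kind, length, body = raw[0], raw[1], raw[2:]
    elif proto == "LLDP":  # 7-bit type and 9-bit length packed in 2 bytes
        hdr = int.from_bytes(raw[:2], "big")
        kind, length, body = hdr >> 9, hdr & 0x1FF, raw[2:]
    else:                  # CDP: 2-byte type, 2-byte length that counts the header
        kind = int.from_bytes(raw[:2], "big")
        length, body = int.from_bytes(raw[2:4], "big") - 4, raw[4:]
    if length != len(body):
        raise ValueError(f"{proto} TLV {kind}: length {length}, payload {len(body)}")
    return kind, body

def parse_cache(text):
    """Return {(proto, name): text}; handles text TLVs, re-joining wrapped hex lines."""
    rows = []
    for line in (l.strip() for l in text.splitlines()):
        if m := re.fullmatch(ROW, line):
            rows.append([m[1], int(m[2]), m[3], int(m[4]), m[5]])
        elif rows and re.fullmatch(HEX, line):
            rows[-1][4] += " " + line
    decoded = {}
    for proto, tnum, name, total, hexstr in rows:
        raw = bytes.fromhex(hexstr)
        kind, body = strip_header(proto, raw)
        if len(raw) != total or kind != tnum:
            raise ValueError(f"{proto} {name}: row header disagrees with its bytes")
        decoded[(proto, name)] = body.rstrip(b"\x00").decode("ascii", "replace")
    return decoded

if __name__ == "__main__":
    print(parse_cache(SAMPLE))
```

The decoded strings are the values to search for in the accounting packets captured on ISE; binary options such as parameter-request-list would need their own decoder.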

Hi,

 

We have already raised a case with TAC but we haven't got the fix yet. 

I noticed that "aaa accounting delay-start" has been added as part of dot1x/aaa config.

I removed this line but it didn't help either. Also, the CDP/DHCP information is not in the TCP dump I collected from ISE.

 

 

 

Hello,

I'm having the same issue (IOS XE 16.6.3). Did the version upgrade solve this, or did you get new recommendations from TAC?

Regards
