Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4899
Views
15
Helpful
7
Replies

IOS Device-Sensor and ISE profiling not working

desweiler
Level 1
Level 1

‎08-14-2014 04:45 AM - edited ‎03-10-2019 09:56 PM

Hello,

I configured IOS device-sensor on one 2960CG-8-TCL switch. IOS is 15.2(2)E.

Switchconfig:


device-sensor filter-list dhcp list dhcp-list
 option name host-name
device-sensor filter-spec dhcp include list dhcp-list
device-sensor accounting
device-sensor notify all-changes

Switch does DHCP-Snooping and "show device-sensor cache all" shows the DHCP name:

Device: b2b5.2fff.sa43 on port GigabitEthernet0/1
--------------------------------------------------
Proto Type:Name                       Len Value
DHCP    12:host-name                   17 0C 0F 11 31 22 41 50 43 33 31 32 30 30 30 37 38
                                          38

RADIUS probe on ISE is activated and TCPdump shows the accounting packets from the switch (see attachment).

I configured a profiling rule ot check for DHCP-Hostname with "contains". This rule does not work however. The device is getting profiled with a MAC-OUI via RADIUS-probe but the DHCP-Profile is not working.

 

Is this supposed to work?

 

 

 

3 people had this problem
Labels:
Preview file
22 KB
0 Helpful
7 Replies 7

nspasov
Cisco Employee
Cisco Employee

‎08-15-2014 03:35 PM

Can you post the a screenshot of the custom profiling rule that you created?

Thank you for rating helpful posts!
0 Helpful

desweiler
Level 1
Level 1
In response to nspasov

‎08-18-2014 12:43 AM

Here are the screenshot of the profile. It just checks if the dhcp hostname contains "615APC615".

I can see on the authenticator switch in the device-sensor cache that the hostname does contain this. I also see the accounting packtes in the tcpdump on the ise. So they are sent and are beeing received by the ise.

The Radius probe is active and it is working. It does profile the mac address of the client via radius probe and uses the profile "HP-Device" because of the OUI. I don't the see dhcp hostname in the endpoint details however. I think it should be there so that the profiler can use it.

I have another device-sensor using cdp which also does not work. It sends the cdp platform-type and device name. I also see those packets beeing received by the ise. The values are there in the VSA's. The switch (authenticated via MD5 and NEAT) is not profiled however.

Preview file
26 KB
Preview file
49 KB
0 Helpful

nspasov
Cisco Employee
Cisco Employee
In response to desweiler

‎08-20-2014 04:03 PM

Try this, set the certainty level of your custom profile rule from 10 to something higher. Let's say 50. Then try again and let me know what happens. 

 

Thank you for rating helpful posts!
0 Helpful

desweiler
Level 1
Level 1
In response to nspasov

‎08-21-2014 01:42 AM

Setting the certainty level higher does not help. I think this is not the problem.

The problem is that ISE does not show the values that are beeing sent by device sensor. Look at the attached screenshots. The endpoint details should show all information that is known about the endpoint which is derived from all available probes. There is no dhcp hostname!

Also the profiling does work which can be seen in the endpoint profiling details. There you see that it hits the HP-Device profile because of the OUI derived from the Radius probe. But the hostname filed is empty. There should be the value that is sent by the switch. The switch has it in it's device-sensor cache and it is sent and received by ise as shown in the first screenshot in the first post. The pcap shows the values send by the switch. They are there. But ISE does not take them. If they did show up and the profile did not hit it could b a problem of the profile rule but the values arn't there in the first place.

Preview file
128 KB
Preview file
40 KB
0 Helpful

nspasov
Cisco Employee
Cisco Employee
In response to desweiler

‎08-22-2014 12:29 PM

That is interesting. I haven't worked with the "Device Sensor" much so I am running out of ideas. I really thought the certainty level was going to fix your issue as I have had issues similar like yours in the past where the certainty level of my custom rule was the same as a default one so mine custom rule was never hit. . I thought this was the case with you since your device was hitting the parent policy of "HP-Device" but not moving any further. With that being  l would still recommend keeping your custom conditions with higher certainty levels to avoid such situations.

Couple of more things:

1. What profiling probes do you have enabled?

2. Have you tried retrieving the DHCP hostname via another sensor/method. For example, via the DHCP probe and ip-helper?

3. Do you have the following commands entered on your switch:

access-session template monitor
no macro auto monitor
device-sensor accounting
device-sensor notify all-changes

 

 

Thank you for rating helpful posts!
0 Helpful

parasup
Level 5
Level 5
In response to nspasov

‎01-19-2017 02:35 PM

Does anyone have a list of the common CDP, lldp and dhcp TLV's/Option values to send to ISE, the device sensor like all things is a bunch of screws and nails and painstaking research has to be done with each TLV value to know which to send to ISE, incredible!

Prakash

xxkozxx
Level 1
Level 1

‎08-28-2014 06:44 AM

Have you found a fix for this?

I've noticed this same problem. Device sensor doesn't seem to be sending cdp or dhcp information to the ise servers so it's getting the basic device profile information.

 

For example, I have some cisco ip phones that only show up as Cisco-Device and the endpoint profile has no cdp or dhcp information that it has scraped. 

Customers Also Viewed These Support Documents