04-05-2017 01:35 PM
We are trying to profile Cisco IP phones via CDP information sent in response to an SNMP interface query.
We are seeing the Accounting start packet on ISE (we are implementing default access as a restrictive DACL) but no SNMP query is initiated after that.
Does the accounting start also need to have an IP address?
Because in our case the IP phone does not get an IP address until it is profiled correctly.
04-05-2017 02:38 PM
Either RADIUS accounting start or SNMP traps. See pages 20 ~ 27 for profiling using SNMP traps in How To: ISE Profiling Design Guide
04-06-2017 03:33 PM
Your statement saying "Of course it doesn't get an IP address until it is profiled correctly" is a statement that shouldn't be true. If you are using profiling in your ISE install, at a minimum you should allow unknown devices onto the network but apply a DACL that only allows them to respond to the PSNs that may be probing them, i.e. NMAP or SNMP scans. I know that won't necessarily help you here, but it sounds like you are rejecting in your default rule, which can hinder ISE profiling.
04-06-2017 03:47 PM
Yes, I am pushing a restricted DACL from ISE and I can see that the ISE PSN is receiving accounting start from the switch.
But no SNMP query is initiated from the PSN, which it should according to the document.
Thanks for the comments. Will investigate more.
Thanks,
Utkarsh
04-06-2017 03:56 PM
I have seen this issue in the past, but can’t remember what the solution was. A couple other things:
1) If the switch supports device sensor that would be the ideal route, but I am guessing since you are relying on SNMP polls it probably doesn’t support device sensor.
2) I usually have periodic SNMP polling setup on the NAD definitions in ISE. The periodic polling will fix the issue, but of course that doesn’t help you get the phone on in a timely fashion.
If you are pushing a DACL and allowing the phone on the network, you should be getting DHCP attributes from the phone, which should also be profiling the device correctly. Do you have DHCP forwarding to the PSNs configured?
Paul Haferman
Office- 920.996.3011
Cell- 920.284.9250
04-11-2017 09:44 AM
Yes, you got that right. It's working with periodic SNMP polling and DHCP forwarding.
It's always worked in the past for me using interface-level SNMP query because that's the best way to profile endpoints in closed mode.
Anyways, I've got tied up in other stuff so will revisit this issue.
Appreciate your time on this.