We are trying to profile Cisco IP phones via CDP information sent in response to an SNMP interface query.
We are seeing an Accounting start packet on ISE (we are implementing default access as a restrictive DACL) but no SNMP query is initiated after that.
Does the accounting start also need to have an IP address?
Because in our case the IP phone does not get an IP address until it is profiled correctly.
Your statement saying "Of course it doesn't get an IP address until it is profiled correctly" is a statement that shouldn't be true. If you are using profiling in your ISE install, at a minimum you should allow unknown devices onto the network but apply a DACL that only allows them to respond to the PSNs that may be probing them, i.e. NMAP or SNMP scans. I know that won't necessarily help you here, but it sounds like you are rejecting in your default rule, which can hinder ISE profiling.
I have seen this issue in the past, but can’t remember what the solution was. A couple other things:
1) If the switch supports device sensor that would be the ideal route, but I am guessing since you are relying on SNMP polls it probably doesn’t support device sensor.
2) I usually have periodic SNMP polling set up on the NAD definitions in ISE. The periodic polling will fix the issue, but of course that doesn't help you get the phone on in a timely fashion.
If you are pushing a DACL and allowing the phone on the network, you should be getting DHCP attributes from the phone, which should also be profiling the device correctly. Do you have DHCP forwarding to the PSNs configured?
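To make the "restrictive but not rejecting" default concrete, here is an added example (not from the original thread or from Cisco) of a default-access DACL in Cisco IOS extended-ACL syntax next to the rejecting variant it replaces, plus the SVI helper line that forwards DHCP to a PSN. The PSN address 192.0.2.10 and the VLAN 100 interface are placeholders; the lines beginning with ! are explanatory and are not part of the ACE list pasted into ISE.

```text
! --- Weak default: blocks everything, so the phone never gets an address and
!     never answers an NMAP probe; ISE has nothing to profile on.
deny ip any any

! --- Corrected default DACL for endpoints that are still "Unknown":
!     ISE applies it inbound on the endpoint's session, so only traffic sent
!     by the endpoint needs to be permitted here.
permit udp any eq bootpc any eq bootps     ! DHCP: lets the phone get an IP and feeds the DHCP probe
permit udp any any eq domain               ! DNS lookups
permit ip any host 192.0.2.10              ! replies to PSN probes (NMAP/ICMP), CoA, portal redirects
deny ip any any                            ! everything else stays blocked until the device is profiled

! --- Switch-side DHCP forwarding so the PSN's DHCP probe sees the phone's request
!     (on the SVI of the VLAN the unprofiled phone lands in):
interface Vlan100
 ip helper-address 192.0.2.10
```

If the PSN runs the DHCP probe on a span/helper basis, keep the real DHCP server as an additional helper address; the entry above only adds the PSN as a forwarding target.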
Yes, you got that right. It's working with periodic SNMP polling and DHCP forwarding.
It's always worked in the past for me using the interface-level SNMP query because that's the best way to profile endpoints in closed mode.
Anyways I've got tied up in other stuff so will revisit this issue.
Appreciate your time on this.