Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1541
Views
0
Helpful
9
Replies

Is ISE end point profiling using LLDP MED attributes possible?

Go to solution
wags
Level 1
Level 1

‎06-10-2022 07:12 AM

I have a LLDP device that I would like to use the LLDP MED attributes of Manufacturer and Model to profile against.  When I am in ISE under policy/policy elements/conditions/profiling/profiler conditions and select LLDP, the dropdown only seems to list the basic LLDP attributes.  aka those listed first in the IOS show LLDP neighbor detail output prior to the "MED information:" line of the output.

 

Is that all the are available to use?  Do I need to look somewhere else, or make custom attributes somewhere in ISE?

 

Thanks in Advance.

 

ISE version 3.1+

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP

‎06-12-2022 05:28 PM

Once you can confirm that Device-Sensor is providing you with the LLDP data you need

e.g.

show device-sensor cache interface gig 1/0/1

Then you must enable RADIUS Accounting (Interim Update) on the switches since that is what IOS uses to convey this data to ISE.

 

A great profiling guide is this one.

View solution in original post

0 Helpful

Go to solution
wags
Level 1
Level 1
In response to andrewswanson

‎06-13-2022 03:47 AM

I don't see how this would work in our situation.  The devices in question will not be doing DHCP until after we authenticate with profiling that would basically do MAB (check OUI, check Mfg., check model, then authenticate with a "profiled dynamic MAB entry" vs manually entered MAB entry).  The OUI is not unique to the specific device (aka Mfg. has more then one type of device and we only want this one specific type device to authenticate this way).  

View solution in original post

0 Helpful
9 Replies 9

Go to solution
ahollifield
VIP
VIP

‎06-10-2022 12:26 PM

What is your NAD?  Does it have the ability to send LLDP information via Device Sensor probe to ISE in RADIUS Accounting packets?  

0 Helpful

Go to solution
wags
Level 1
Level 1
In response to ahollifield

‎06-10-2022 03:25 PM

A large fleet of Cisco 3K, 4K, 6K and 9K devices.

0 Helpful

Go to solution
wags
Level 1
Level 1
In response to wags

‎06-10-2022 03:27 PM

forgot second question about accounting, I am unsure because I've never looked into it.  They are various fairly current IOS devices (not bleeding edge).

0 Helpful

Go to solution
andrewswanson
Level 7
Level 7
In response to wags

‎06-11-2022 01:00 AM

Do you have DHCP profiler enabled? This could be another option (other than LLDP) of getting device manufacturer etc to ISE - see below.

 

hth
Andy

 

The Internet Assigned Numbers Authority (IANA) assigned DHCPv4 Option 161 and DHCPv6 Option 112 to allow clients to advertise their Manufacturer Usage Description (MUD) URL. The MUD URL is unique to different device types or device classes. As device manufacturers leverage these options, ISE can dynamically classify the endpoints based on the string values contained in the URL.

0 Helpful

Go to solution
wags
Level 1
Level 1
In response to andrewswanson

‎06-13-2022 03:47 AM

I don't see how this would work in our situation.  The devices in question will not be doing DHCP until after we authenticate with profiling that would basically do MAB (check OUI, check Mfg., check model, then authenticate with a "profiled dynamic MAB entry" vs manually entered MAB entry).  The OUI is not unique to the specific device (aka Mfg. has more then one type of device and we only want this one specific type device to authenticate this way).  

0 Helpful

Go to solution
Arne Bier
VIP
VIP

‎06-12-2022 05:28 PM

Once you can confirm that Device-Sensor is providing you with the LLDP data you need

e.g.

show device-sensor cache interface gig 1/0/1

Then you must enable RADIUS Accounting (Interim Update) on the switches since that is what IOS uses to convey this data to ISE.

 

A great profiling guide is this one.

0 Helpful

Go to solution
wags
Level 1
Level 1
In response to Arne Bier

‎06-13-2022 06:54 AM

This looks like the best potential option, but....

 

The device-sensor display only shows LLDP TLV types 0,1,2,3 and 7 for the "bad" device in question.   Comparing with another LLDP device, LLDP is sending more and the switch sees and reports more in the LLDP neighbor detail display for both devices.  Totally unsure where/how LLDP's sh neig maps to sh device-sensor.  On other LLDP devices I see TLV 5 in the device-sensor display, which by chance lists the Mfg, Model, etc.  This is however on another switch type.  Maybe it is switch/IOS dependent. 

 

0 Helpful

Go to solution
MUllrich
Level 1
Level 1
In response to Arne Bier

‎09-13-2023 04:23 AM

That´s not the answer to the question.

I have the same topic (Accounting is already transporting device-sensor data) - but lldp information is limited to TLV types 0,1,2,3 and 7. On the switch i find additionally lldp med attributes which would be perfect for profiling but they are not included in device sensor data. 

Is there a configuration option to extend lldp device sensor data to use lldp med attributes?

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee
In response to MUllrich

‎09-13-2023 06:23 PM

LLDP-MED is an extension of LLDP. There are no options related to LLDP-MED in the Device Sensor configuration or any of the documentation. There are also no ISE system dictionaries related to LLDP-MED.

The answer to your question appears to be no and this capability would likely require significant development effort on both the switch and ISE side.

0 Helpful
Customers Also Viewed These Support Documents