ISE 2.7 - DHCP Probe not working

Scaremonger
Level 1

Hi,
I am attempting to discover laptops connecting to a VPN endpoint that terminates on an F5 Load balancer using the DHCP Probe, but none of the devices get added as ISE Endpoints!

This was my approach:

  • I added the ISE policy nodes as DHCP servers (Helpers) on the F5 alongside the real ones.
  • Opened up Port 67 on the Firewalls between the F5 and ISE
  • Disconnected my test laptop from the F5 VPN
  • Set up a TCPDump on ISE for traffic from the F5 on port 67.
  • Reconnected my test laptop to the F5 VPN.

The firewall shows the DHCP traffic is permitted, and the TCPDump from ISE shows the following:

12:43:06.932974 IP (tos 0x0, ttl 252, id 59525, offset 0, flags [DF], proto UDP (17), length 361)
192.168.150.1.13711 > redacted.bootps: BOOTP/DHCP, Request, length 333, htype 20, hlen 4, hops 1, xid 0x36655a71, Flags [none]
Gateway-IP XXX.XXX.207.254
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Discover
Client-ID Option 61, length 7: ether e8:6a:64:xx:xx:xx
Vendor-Class Option 60, length 6: "f5-APM"
Hostname Option 12, length 10: "TESTLAPTOP"
MSZ Option 57, length 2: 1344
Lease-Time Option 51, length 4: 4294967295
Agent-Information Option 82, length 48:
Circuit-ID SubOption 1, length 14: XXX.XXX.150.16
Remote-ID SubOption 2, length 20: XXX.XXX.36.105:65381
Subscriber-ID SubOption 6, length 8: testuser
12:43:06.936788 IP (tos 0x0, ttl 252, id 28432, offset 0, flags [DF], proto UDP (17), length 373)
192.168.150.1.bootps > redacted.bootps: BOOTP/DHCP, Request, length 345, htype 20, hlen 4, hops 1, xid 0x36655a71, Flags [none]
Gateway-IP 172.30.207.254
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Request
Client-ID Option 61, length 7: ether e8:6a:64:xx:xx:xx
Server-ID Option 54, length 4: TESTLAPTOP.redacted-domain.uk
Requested-IP Option 50, length 4: TESTLAPTOP.redacted-domain.uk
Vendor-Class Option 60, length 6: "f5-APM"
Hostname Option 12, length 10: "TESTLAPTOP"
MSZ Option 57, length 2: 1344
Lease-Time Option 51, length 4: 4294967295
Agent-Information Option 82, length 48:
Circuit-ID SubOption 1, length 14: XXX.XXX.150.16
Remote-ID SubOption 2, length 20: XXX.XXX.36.105:65381
Subscriber-ID SubOption 6, length 8: testuser

In ISE under "Work Center | Profiler | Endpoint Classification", the endpoint with the MAC address shown in the TCPDump (e8:6a:64:xx:xx:xx) does not exist, even though the TCPDump shows the traffic is arriving.

I have double-checked that the PSNs have "Policy Service" checked and that the DHCP Probe is enabled.

All LAN Devices are using device sensors on the switches, so this is the first real use of the DHCP probe and I've run out of things to check. Any suggestions on where I should look next would be greatly appreciated.

Thanks in advance,
Si.

Accepted Solution

Greg Gibbs
Cisco Employee

It sounds like you are trying to have ISE add an endpoint to the database solely on information from the DHCP Probe, which will not work. ISE needs to learn the endpoint MAC address from a RADIUS session. It can then supplement that endpoint data with profiling information it may learn from the DHCP Probe.
The MAC address is not typically something a RADIUS server learns about a VPN endpoint. With Cisco VPN endpoints, the MAC address is provided to ISE by the AnyConnect client via ACIDEX (AnyConnect Identity Extensions).
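Added example, not code from the post or from Cisco: a small Python decoder for relayed DHCP frames like the ones in the tcpdump above. It pulls out the fields a DHCP probe keys on (the Option 61 client MAC, Option 60 vendor class, Option 12 hostname and the Option 82 relay sub-options) and then models the point made in the answer: those attributes can only enrich an endpoint whose MAC is already known from a RADIUS session. The sample frame, its MAC, addresses and names are constructed.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
RELAY_SUBOPTS = {1: "circuit_id", 2: "remote_id", 6: "subscriber_id"}  # RFC 3046 / RFC 3993

def build_sample_discover() -> bytes:
    """Constructed relayed Discover modelled on the tcpdump in the post (MAC and IPs made up)."""
    mac = bytes.fromhex("e86a64112233")
    hdr = struct.pack("!BBBBIHH12x4s", 1, 1, 6, 1, 0x36655A71, 0, 0, bytes([172, 30, 207, 254]))
    hdr += mac.ljust(16, b"\0") + bytes(192)             # chaddr, then empty sname + file
    relay = b"\x01\x0e" + b"192.168.150.16" + b"\x06\x08" + b"testuser"
    opts = (b"\x35\x01\x01" + b"\x3d\x07\x01" + mac + b"\x3c\x06f5-APM" + b"\x0c\x0aTESTLAPTOP"
            + b"\x52" + bytes([len(relay)]) + relay + b"\xff")
    return hdr + DHCP_MAGIC + opts

def walk_tlv(blob: bytes) -> dict:
    """Code/length/value walker shared by the option list and the Option 82 sub-options."""
    out, i = {}, 0
    while i < len(blob) and blob[i] != 255:              # 255 = End option
        if blob[i] == 0:                                 # 0 = Pad option, a single byte
            i += 1
            continue
        length = blob[i + 1]
        out[blob[i]] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return out

def probe_attributes(pkt: bytes) -> dict:
    """Extract what a DHCP profiling probe keys on: the MAC plus option-derived attributes."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    opts = walk_tlv(pkt[240:])
    cid = opts.get(61, b"")                              # Client-ID: htype byte, then address
    raw_mac = cid[1:7] if cid[:1] == b"\x01" and len(cid) == 7 else pkt[28:34]  # else chaddr
    return {
        "mac": ":".join(f"{b:02x}" for b in raw_mac),
        "message_type": opts.get(53, b"\0")[0],          # 1 = Discover, 3 = Request
        "vendor_class": opts.get(60, b"").decode(errors="replace"),
        "hostname": opts.get(12, b"").decode(errors="replace"),
        "relay": {RELAY_SUBOPTS.get(k, f"sub{k}"): v.decode(errors="replace")
                  for k, v in walk_tlv(opts.get(82, b"")).items()},
    }

def supplement_endpoint(endpoints: dict, attrs: dict) -> bool:
    """Mirror the accepted answer: DHCP data only enriches a MAC already learned via RADIUS."""
    ep = endpoints.get(attrs["mac"])
    if ep is None:
        return False
    ep.update(vendor_class=attrs["vendor_class"], hostname=attrs["hostname"])
    return True
```

Running probe_attributes() over frames pulled from a capture is a quick way to confirm they carry a usable client MAC before turning to the profiler itself.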
