11-29-2022 08:06 AM
Hi,
I am attempting to discover laptops connecting to a VPN endpoint that terminates on an F5 Load balancer using the DHCP Probe, but none of the devices get added as ISE Endpoints!
This was my approach:
The firewall shows the DHCP traffic is permitted, and the TCPDump from ISE shows the following:
12:43:06.932974 IP (tos 0x0, ttl 252, id 59525, offset 0, flags [DF], proto UDP (17), length 361)
192.168.150.1.13711 > redacted.bootps: BOOTP/DHCP, Request, length 333, htype 20, hlen 4, hops 1, xid 0x36655a71, Flags [none]
Gateway-IP XXX.XXX.207.254
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Discover
Client-ID Option 61, length 7: ether e8:6a:64:xx:xx:xx
Vendor-Class Option 60, length 6: "f5-APM"
Hostname Option 12, length 10: "TESTLAPTOP"
MSZ Option 57, length 2: 1344
Lease-Time Option 51, length 4: 4294967295
Agent-Information Option 82, length 48:
Circuit-ID SubOption 1, length 14: XXX.XXX.150.16
Remote-ID SubOption 2, length 20: XXX.XXX.36.105:65381
Subscriber-ID SubOption 6, length 8: testuser
12:43:06.936788 IP (tos 0x0, ttl 252, id 28432, offset 0, flags [DF], proto UDP (17), length 373)
192.168.150.1.bootps > redacted.bootps: BOOTP/DHCP, Request, length 345, htype 20, hlen 4, hops 1, xid 0x36655a71, Flags [none]
Gateway-IP 172.30.207.254
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Request
Client-ID Option 61, length 7: ether e8:6a:64:xx:xx:xx
Server-ID Option 54, length 4: TESTLAPTOP.redacted-domain.uk
Requested-IP Option 50, length 4: TESTLAPTOP.redacted-domain.uk
Vendor-Class Option 60, length 6: "f5-APM"
Hostname Option 12, length 10: "TESTLAPTOP"
MSZ Option 57, length 2: 1344
Lease-Time Option 51, length 4: 4294967295
Agent-Information Option 82, length 48:
Circuit-ID SubOption 1, length 14: XXX.XXX.150.16
Remote-ID SubOption 2, length 20: XXX.XXX.36.105:65381
Subscriber-ID SubOption 6, length 8: testuser
In ISE under "WorkCenter | Profiler | Endpoint Classification", the endpoint with MAC address shown in the TCPDUMP (e8:6a:64:xx:xx:xx) does not exist, even though the TCPDump shows traffic is arriving.
I have double checked that the PSNs have the "Policy service" checked and that the DHCP Probe is enabled.
All LAN Devices are using device sensors on the switches, so this is the first real use of the DHCP probe and I've run out of things to check. Any suggestions on where I should look next would be greatly appreciated.
Thanks in advance,
Si.
11-29-2022 01:17 PM
It sounds like you are trying to have ISE add an endpoint to the database solely on information from the DHCP Probe, which will not work. ISE needs to learn the endpoint MAC address from a RADIUS session. It can then supplement that endpoint data with profiling information it may learn from the DHCP Probe.
The MAC address is not typically something a RADIUS server learns about a VPN endpoint. With Cisco VPN endpoints, the MAC address is provided to ISE by the AnyConnect client via ACIDEX (AnyConnect Identity Extensions).
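The reply above says the endpoint has to exist from a RADIUS session first, and DHCP data can only enrich it. The Python model below is an added example, not code from this thread or from Cisco: it builds a DISCOVER shaped like the capture in the question (relayed with hops=1 and a giaddr, htype 20 / hlen 4 so chaddr is not an Ethernet MAC, the MAC only in Option 61, vendor class "f5-APM", Option 82 sub-options) and shows the probe returning nothing until a RADIUS session has registered that MAC. The MAC, chaddr and Option 82 circuit/remote IDs are made up, and the Profiler class, attribute names and Calling-Station-Id handling are illustrative assumptions, not ISE internals.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
HTYPE_ETHERNET = 1
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
BOOTP_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"


def encode_tlv(items):
    """Encode code/length/value triples (DHCP options and Option 82 sub-options share this shape)."""
    return b"".join(bytes([code, len(value)]) + value for code, value in items)


def parse_tlv(blob):
    """Decode code/length/value triples; 0 is a pad byte, 255 ends the options area."""
    out, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        length = blob[i + 1]
        out[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return out


def build_dhcp(op, htype, hlen, chaddr, options, xid=0x36655A71, hops=1, giaddr=bytes(4)):
    """Assemble a BOOTP/DHCP packet: RFC 2131 fixed header, magic cookie, options, end marker."""
    header = struct.pack(BOOTP_HEADER, op, htype, hlen, hops, xid, 0, 0,
                         bytes(4), bytes(4), bytes(4), giaddr,
                         chaddr.ljust(16, b"\0"), bytes(64), bytes(128))
    return header + MAGIC_COOKIE + encode_tlv(options) + b"\xff"


def parse_dhcp(packet):
    f = struct.unpack(BOOTP_HEADER, packet[:236])
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    return {"op": f[0], "htype": f[1], "hlen": f[2], "hops": f[3], "xid": f[4],
            "giaddr": f[10], "chaddr": f[11][:f[2]], "options": parse_tlv(packet[240:])}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def client_mac(pkt):
    """MAC a DHCP probe could key on. chaddr is only a MAC for htype 1 / hlen 6; the relayed
    packet in the capture has htype 20 / hlen 4, so the Ethernet MAC is only in Option 61."""
    if pkt["htype"] == HTYPE_ETHERNET and pkt["hlen"] == 6:
        return mac_str(pkt["chaddr"])
    cid = pkt["options"].get(61, b"")
    if len(cid) == 7 and cid[0] == HTYPE_ETHERNET:   # type byte 1 + 6-byte MAC
        return mac_str(cid[1:])
    return None


class Profiler:
    """Endpoint table keyed by MAC, modelling the ordering described in the reply: a RADIUS
    session creates the endpoint, a later DHCP packet only enriches it. Illustration only."""

    def __init__(self):
        self.endpoints = {}

    def radius_session(self, calling_station_id):
        mac = calling_station_id.replace("-", ":").lower()
        self.endpoints.setdefault(mac, {"source": "RADIUS"})
        return mac

    def dhcp_probe(self, packet):
        pkt = parse_dhcp(packet)
        mac = client_mac(pkt)
        if mac is None or mac not in self.endpoints:
            return None                      # DHCP alone never creates an endpoint here
        o, attrs = pkt["options"], {}
        if 60 in o:
            attrs["dhcp-class-identifier"] = o[60].decode()
        if 12 in o:
            attrs["host-name"] = o[12].decode()
        if 82 in o:
            subs = parse_tlv(o[82])
            for code, name in ((1, "circuit-id"), (2, "remote-id"), (6, "subscriber-id")):
                if code in subs:
                    attrs[name] = subs[code].decode()
        self.endpoints[mac].update(attrs)
        return self.endpoints[mac]


# Constructed DISCOVER modelled on the capture in the question (values below are made up).
CONSTRUCTED_MAC = bytes.fromhex("02005e000001")
SAMPLE_DISCOVER = build_dhcp(
    op=1, htype=20, hlen=4, chaddr=b"\x0a\x00\x00\x05", giaddr=bytes([192, 0, 2, 254]),
    options=[
        (53, b"\x01"),                                       # DHCPDISCOVER
        (61, bytes([HTYPE_ETHERNET]) + CONSTRUCTED_MAC),      # Client-ID, length 7
        (60, b"f5-APM"),                                     # Vendor-Class
        (12, b"TESTLAPTOP"),                                 # Hostname
        (57, (1344).to_bytes(2, "big")),                     # Max message size
        (51, b"\xff\xff\xff\xff"),                           # Lease time 4294967295
        (82, encode_tlv([(1, b"192.0.2.16"), (2, b"192.0.2.5:65381"), (6, b"testuser")])),
    ],
)


def demo():
    """DHCP first -> None (the symptom); RADIUS session, then DHCP -> enriched endpoint."""
    ise = Profiler()
    before = ise.dhcp_probe(SAMPLE_DISCOVER)
    ise.radius_session("02-00-5E-00-00-01")   # Calling-Station-Id from the VPN RADIUS session
    after = ise.dhcp_probe(SAMPLE_DISCOVER)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The practical check this suggests is not on the DHCP side at all: confirm ISE already has a RADIUS session carrying the laptop's MAC before expecting the DHCP probe to do anything. With a Cisco VPN head-end that MAC arrives via ACIDEX as the reply notes; with a third-party head-end it has to be supplied in the RADIUS request by some other means, or the DHCP packets will keep arriving and keep being ignored.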