cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
22004
Views
65
Helpful
24
Replies

ISE and CDP device sensor

Hi, all.

Anyone can explain to me, how the CDP device sensor probe works with ISE ???

What I am trying to do, is to identify different Cisco Wireless Access Point models (i.e. LAP 1142) with ISE.

Since the APs do speak CDP (I can see the AP devices on the switch), this should be possible with the CDP device sensor on the switch, shouldn't it  ....

I have done the following so far:

Configured the switch to talk to ISE via radius accounting:

aaa group server radius SERVERGROUP_radius_accounting

     server name ISE02

    radius server ISE02

          address ipv4 [ISE02 ip address] auth-port 1645 acct-port 1646

    radius-server attribute 6 on-for-login-auth

    radius-server attribute 6 support-multiple

    radius-server attribute 8 include-in-access-req

    radius-server attribute 25 access-request include

    radius-server attribute nas-port-id include remote-id

    radius-server dead-criteria time 30 tries 3

    radius-server retry method reorder

    radius-server retransmit 2

    radius-server timeout 2

    radius-server deadtime 1

    radius-server key 7 [ISE02 radius key]

    radius-server vsa send cisco-nas-port

    radius-server vsa send accounting

    radius-server vsa send authentication

    aaa accounting dot1x default start-stop group SERVERGROUP_radius_accounting

    Configured SNMP traps to be sent to ISE:

    snmp-server host [ISE02 ip address] [SNMP RO Community]

    authentication mac-move permit

    authentication critical recovery delay 120 

    mac address-table notification change interval 60

    mac address-table notification change

    mac address-table notification mac-move 

    interface GigabitEthernet0/1

    snmp trap mac-notification change added

    snmp trap mac-notification change removed 

    Configured logging to ISE:

    epm logging

    logging host [ISE02 ip address] transport udp port 20514

    Configured CoA:

    aaa server radius dynamic-author

    client [ISE02 ip address] server-key 7 [ISE02 radius key]

    Configured DHCP snooping, device tracking and device sensors:

    ip dhcp snooping vlan xyz

    no ip dhcp snooping information option

    ip dhcp snooping

    ip device tracking

    device-sensor filter-list dhcp list DSFL_dhcp

    option name domain-name-servers

    option name host-name

    option name domain-name

    option name class-identifier

    option name client-identifier

    device-sensor filter-list lldp list DSFL_lldp

    tlv name system-name

    tlv name system-description

    tlv name system-capabilities

    tlv name management-address

    device-sensor filter-list cdp list DSFL_cdp

    tlv name device-name

    tlv name port-id-type

    tlv name capabilities-type

    tlv name version-type

    tlv name platform-type

    tlv name duplex-type

    tlv number 34

    device-sensor filter-spec dhcp include list DSFL_dhcp

    device-sensor filter-spec lldp include list DSFL_lldp

    device-sensor filter-spec cdp include list DSFL_cdp

    device-sensor notify all-changes

    Configured an additional IP helper on the AP vlan pointing to ISE:

    interface vlan xyz

    ip helper-address [ISE02 ip address]

    I have configured new profiling conditions on ISE, which use the cdp attributes:

    and used these conditions in a new profiling policy for the 114x AP:

    ISE is configured to listen to DHCP, radius, DNS and SNMP traps ....

    However, the only thing ISE sees of this AP, is the dhcp probe:

    and therefore, the 114x policy has no effect .......

    ISE version is the following:

    Cisco Application Deployment Engine OS Release: 2.0

    ADE-OS Build Version: 2.0.4.018

    ADE-OS System Architecture: i386

    Copyright (c) 2005-2011 by Cisco Systems, Inc.

    All rights reserved.

    Hostname: deess01nise02

    Version information of installed applications

    ---------------------------------------------

    Cisco Identity Services Engine

    ---------------------------------------------

    Version      : 1.1.2.145

    Build Date   : Fri Oct 26 21:10:35 2012

    Install Date : Fri Jan 18 07:18:49 2013

    Cisco Identity Services Engine Patch

    ---------------------------------------------

    Version      : 2

    Install Date : Mon Jan 21 07:36:50 2013

    Cisco Identity Services Engine Patch

    ---------------------------------------------

    Version      : 3

    Install Date : Mon Jan 21 07:42:11 2013

    Version of the switch:

    cisco WS-C3560CG-8PC-S (PowerPC) processor (revision C0) with 131072K bytes of memory.

    Processor board ID FOC1619Y180

    Last reset from power-on

    7 Virtual Ethernet interfaces

    10 Gigabit Ethernet interfaces

    The password-recovery mechanism is enabled.

    512K bytes of flash-simulated non-volatile configuration memory.

    Base ethernet MAC Address       : 58:BF:EA:B9:AC:80

    Motherboard assembly number     : 73-13272-06

    Power supply part number        : 341-0407-01

    Motherboard serial number       : FOC16174ZZ5

    Power supply serial number      : LIT16120XR8

    Model revision number           : C0

    Motherboard revision number     : A0

    Model number                    : WS-C3560CG-8PC-S

    System serial number            : FOC1619Y180

    Top Assembly Part Number        : 800-33676-02

    Top Assembly Revision Number    : A0

    Version ID                      : V02

    CLEI Code Number                : CMMD900ARB

    Hardware Board Revision Number  : 0x00

    Switch Ports Model              SW Version            SW Image

    ------ ----- -----              ----------            ----------

    *    1 10    WS-C3560CG-8PC-S   15.0(2)SE             C3560c405ex-UNIVERSALK9-M   

    What am I missing ??? Should this config make the switch send CDP information about connected devices to the ISE (via radius accounting) ???

    How do the device sensors work ???

    Rgs

    Frank

    3 Accepted Solutions

    Accepted Solutions

    Hello. You're missing the following commands :

    access-session template monitor

    device-sensor accounting

    no macro auto monitor

    If that doesn't work then you need to remove the "aaa" config and re-apply it ( I think that's because of a bug).

    That worked for me and now my switches can detect Cisco Access Points and Cisco IP Phones very fast.

    Please rate if it's helpful.

    View solution in original post

    Anything done one ISE requires Authentication and accounting

    View solution in original post

    Hi All,

     

    Here are a few things those of you new to device sensor should understand

     

    1. Device Sensor is not a ISE probe but is a functionality of network devices ( Wired and Wireless controller) that gathers specific endpoint information and caches it. This is unique to Cisco. "From CLI you can execute "show device sensor cache xxx " to view the information gathered.

    2.  Device sensor gathers information about CDP, LLDP, HTTP, DHCP etc.

    3. The information gathered using device sensor is sent to ISE via Radius accounting.

    4. If visibility is your goal, you dont need to turn on aaa authentication and authorization and go through the MAB flow. You can configure aaa accounting and the magic will happen.

    5. If enforcement is your goal, yes you need to turn on MAB for AAA so that you authenticate the endpoint using MAB and then profile using ISE that does CoA at the end.

    6. You need to turn on for the device sensor to be sent via account packets to   ISE. This is for IBNS 1.0

    device-sensor accounting

    device-sensor notify all-changes

     

    and disable local analyzer

     

    no macro auto monitor

    access-session template monitor

     

    That said, the screen shot way above shows ISE 1.1.2. We End of Life and End of Supported that product long back as of April 30, 2015.

    Here is the End of Life link

    https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/eos-eol-notice-c51-734276.html

    Please use a recent and stable version ISE 2.4. You can download it from

    https://software.cisco.com/download/home/283801620/type/283802505/release/2.4.0

     

    Thanks

    Krishnan

    View solution in original post

    24 Replies 24

    Tarik Admani
    VIP Alumni
    VIP Alumni

    Frank,

    The cdp attributes are enacapsulated in the radius packet as a cisco-av-pair and sent to the ISE as an accounting packet. You may want to run the show device-sensor cache . Here are some helpful troubleshooting steps (you can also run the tcpdump utility on the monitoring side and set the ip host <3560 radius source interface>.

    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/15.0_1_se/device_sensor/guide/sensor_guide.html#wp1127934

    Tarik Admani
    *Please rate helpful posts*

    Detailed information on the function of the Probes and device-sensor can be found in the "ISE Profiling Design Guide":

    http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_30_ise_profiling.pdf

    -- 
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni

    I have the same problem ... Did you find a solution Frank?

    I am also having the same issue. Can anyone help???

    Venkatesh Attuluri
    Cisco Employee
    Cisco Employee

    A switch with sensor capability gathers  endpoint information from network devices using protocols such as Cisco  Discovery Protocol (CDP), LLDP, and DHCP, subject to statically configured  filters, and makes this information available to its registered clients in the  context of an access session. An access session represents an endpoint's  connection to the network device

    Client notifications and accounting  messages containing profiling data along with the session events, and other  session-related data, such as MAC address and ingress port are generated and  sent to the internal and external clients (ISE). By default, for each supported  peer protocol, client notifications and accounting events are only generated  where an incoming packet includes a TLV that has not previously been received in  the context of a given session. You can enable client notifications and  accounting events for all TLV changes, where either a new TLV has been received  or a previously received TLV has been received with a different value using CLI  commands.

    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/15.0_1_se/device_sensor/guide/sensor_guide.html#wp1112722

    Hello. You're missing the following commands :

    access-session template monitor

    device-sensor accounting

    no macro auto monitor

    If that doesn't work then you need to remove the "aaa" config and re-apply it ( I think that's because of a bug).

    That worked for me and now my switches can detect Cisco Access Points and Cisco IP Phones very fast.

    Please rate if it's helpful.

    I think what many people don't understand is the following

     

    Device Sensor information is delivered to Cisco ISE using Radius. In particular, Radius Accounting.

     

    I give it few minutes to read this few more times, before you will go "Oh... seariously?"

     

    What does it mean? Basically, if you want to rely on Device Sensor, endpoint MUST go through Authentication, and this Authentication/Authorization MUST succeed. No Authentication/Authorization? No Accounting. No Accounting? Nothing is delivered to Cisco ISE, even though switch possesses all information about this endpoint using DHCP snooping, CDP and LLDP databases.

     

    Device Sensor is amazing feature, but you cannot rely on it when port is not configured to authenticate connected endpoint. Period.

     

    Unfortunately, this is not obvious from Cisco documentation and it took me few days in a lab to realize how it really works. Welcome :)

    Anything done one ISE requires Authentication and accounting

    I think this is technically not correct :)

     

    I can deploy pure profiling without using ANY radius at all. So, by its nature, Profiling doesn't rely on Radius

     

    What I tried to point out here is that Device Sensor has changed this as it relies on Radius accounting and hence can only work if switchport has been authorized access.

     

    When I originally started with Device Sensor it took me few days to realize this. In fact, I even had to open TAC case as I didn't understand why I didn't see any profiling data... I think, Cisco can improve this by providing a text in bold against Device Sensor feature in al documentations saying "Device Sensor requires AAA enabled on the port (dot1X/MAB) and requires authentication to actually pass, otherwise Device Sensor information will not be delivered to Cisco ISE as it requires active Accounting session"

     

    Regards

    Hi All,

     

    Here are a few things those of you new to device sensor should understand

     

    1. Device Sensor is not a ISE probe but is a functionality of network devices ( Wired and Wireless controller) that gathers specific endpoint information and caches it. This is unique to Cisco. "From CLI you can execute "show device sensor cache xxx " to view the information gathered.

    2.  Device sensor gathers information about CDP, LLDP, HTTP, DHCP etc.

    3. The information gathered using device sensor is sent to ISE via Radius accounting.

    4. If visibility is your goal, you dont need to turn on aaa authentication and authorization and go through the MAB flow. You can configure aaa accounting and the magic will happen.

    5. If enforcement is your goal, yes you need to turn on MAB for AAA so that you authenticate the endpoint using MAB and then profile using ISE that does CoA at the end.

    6. You need to turn on for the device sensor to be sent via account packets to   ISE. This is for IBNS 1.0

    device-sensor accounting

    device-sensor notify all-changes

     

    and disable local analyzer

     

    no macro auto monitor

    access-session template monitor

     

    That said, the screen shot way above shows ISE 1.1.2. We End of Life and End of Supported that product long back as of April 30, 2015.

    Here is the End of Life link

    https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/eos-eol-notice-c51-734276.html

    Please use a recent and stable version ISE 2.4. You can download it from

    https://software.cisco.com/download/home/283801620/type/283802505/release/2.4.0

     

    Thanks

    Krishnan

    Ok, in that case let me know what is wrong with my configuration (taken from Catalyst 3850, running Everest 16.6.5)

     

    aaa group server radius LAB-ISE-2x
     server name LAB-ISE-2x-1
     ip radius source-interface Vlan1
    !
    aaa authentication login default group LAB-ISE-2x local
    aaa authentication enable default enable
    aaa authentication dot1x default group LAB-ISE-2x
    aaa authorization console
    aaa authorization exec default group LAB-ISE-2x local
    aaa authorization network default group LAB-ISE-2x
    aaa accounting update newinfo
    aaa accounting dot1x default start-stop group LAB-ISE-2x
    aaa accounting network default start-stop group LAB-ISE-2x
    aaa accounting system default start-stop group LAB-ISE-2x


    aaa server radius dynamic-author
     client 10.255.33.251
     server-key 7 <secret>


    ip dhcp snooping vlan 66,68-71
    ip dhcp snooping
    !
    device-sensor filter-list lldp list w1lab-lldp-tlv
     tlv name port-id
     tlv name system-name
     tlv name system-description
     tlv name system-capabilities
     tlv name management-address
    !
    device-sensor filter-list cdp list w1lab-cdp-tlv
     tlv name device-name
     tlv name address-type
     tlv name capabilities-type
     tlv name platform-type
    !
    device-sensor filter-list dhcp list w1lab-dhcp-options
     option name host-name
     option name default-ip-ttl
     option name requested-address
     option name parameter-request-list
     option name class-identifier
     option name client-identifier
    !

    device-sensor filter-spec dhcp include list w1lab-dhcp-options
    device-sensor filter-spec lldp include list w1lab-lldp-tlv
    device-sensor filter-spec cdp include list w1lab-cdp-tlv
    device-sensor accounting
    device-sensor notify all-changes


    !

    access-session template monitor


    !

    dot1x system-auth-control


    !

    lldp run


    !

    template W1LAB-AP-PORT
     spanning-tree portfast
     spanning-tree bpduguard enable
     switchport access vlan 66
     switchport mode access
     description WAP
    !
    template W1LAB-UC-PORT
     spanning-tree portfast
     spanning-tree bpduguard enable
     switchport access vlan 68
     switchport mode access
     switchport voice vlan 70
     description PC/VoIP


    !

    interface GigabitEthernet1/0/46
     description IP Phone (Astra)
     source template W1LAB-UC-PORT
    !
    interface GigabitEthernet1/0/48
     power inline port perpetual-poe-ha
     power inline port poe-ha
     source template W1LAB-AP-PORT


    !

    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    !
    radius server LAB-ISE-2x-1
     address ipv4 10.255.33.251 auth-port 1812 acct-port 1813
     key 7 <secret>

     

    Device sensor sees devices on both interfaces:

     

    LAB-S3850-3#sh device-sensor cache int gi1/0/48
    Device: f4db.e62e.e63e on port GigabitEthernet1/0/48
    --------------------------------------------------
    Proto Type:Name Len Value
    DHCP 50:requested-address 6 32 04 0A FF 42 66
    DHCP 55:parameter-request-list 11 37 09 01 0F 03 1C 0C 06 07 1A 2B
    DHCP 60:class-identifier 16 3C 0E 43 69 73 63 6F 20 41 50 20 63 33 38 30 30
    DHCP 12:host-name 15 0C 0D 4C 41 42 2D 41 50 33 38 30 32 69 2D 32
    DHCP 61:client-identifier 9 3D 07 01 F4 DB E6 2E E6 3E
    LLDP 8:management-address 14 10 0C 05 01 0A FF 42 66 03 00 00 00 00 00
    LLDP 6:system-description 199 0C C5 43 69 73 63 6F 20 41 50 20 53 6F 66 74 77
    61 72 65 2C 20 61 70 33 67 33 2D 6B 39 77 38 20
    56 65 72 73 69 6F 6E 3A 20 38 2E 35 2E 31 33 35
    2E 30 0A 54 65 63 68 6E 69 63 61 6C 20 53 75 70
    70 6F 72 74 3A 20 68 74 74 70 3A 2F 2F 77 77 77
    2E 63 69 73 63 6F 2E 63 6F 6D 2F 74 65 63 68 73
    75 70 70 6F 72 74 0A 43 6F 70 79 72 69 67 68 74
    20 28 63 29 20 31 39 38 36 2D 32 30 31 38 20 62
    79 20 43 69 73 63 6F 20 53 79 73 74 65 6D 73 2C
    20 49 6E 63 2E 0A 43 6F 6D 70 69 6C 65 64 20 46
    72 69 20 4A 75 6C 20 32 30 20 31 33 3A 35 32 3A
    35 39 20 50 44 54 20 32 30 31 38 20 62 79 20 76
    69 70 65 6E 64 79 61
    LLDP 5:system-name 15 0A 0D 4C 41 42 2D 41 50 33 38 30 32 69 2D 32
    LLDP 7:system-capabilities 6 0E 04 00 04 00 04
    LLDP 2:port-id 4 04 02 01 30
    CDP 6:platform-type 26 00 06 00 1A 63 69 73 63 6F 20 41 49 52 2D 41 50
    33 38 30 32 49 2D 45 2D 4B 39
    CDP 4:capabilities-type 8 00 04 00 08 00 00 00 03
    CDP 2:address-type 45 00 02 00 2D 00 00 00 02 01 01 CC 00 04 0A FF 42
    66 02 08 AA AA 03 00 00 00 86 DD 00 10 FE 80 00
    00 00 00 00 00 F6 DB E6 FF FE 2E E6 3E
    CDP 1:device-name 17 00 01 00 11 4C 41 42 2D 41 50 33 38 30 32 69 2D
    32

    On ISE end I have disabled ALL probes intentionally, except Radius

     

    It cannot discover anything

     

    MAB/DOT1X are not configured on interfaces.

    Once I configure MAB and send Access Accept in case if MAC not found - it works like a charm. It doesn't work though if Authentication is REJECTED

     

    So, back to my original point... Radius Probe requires successful Authorization and it won't work without MAB/DOT1X config on the port. Unless you can tell me I've done something wrong and/or there's a bug in this IOS

    @Tymofii Dmytrenko  I am seeing the exact same behaviour as you describe with device-sensor - endpoint "MUST go through Authentication, and this Authentication/Authorization MUST succeed" for ISE to profile with device-sensor.

    @Madura Malwatteyes. It does seem like every Cisco's documentation on Device Sensor was misleading so far. I have raised with Cisco TAC and once they conffirm my observations I will be in touch with BU through our Account Manager to make sure they update everything to stop this bad practice. Always liked Cisco documents for a level of detail and truthfulness... until now :)

     

    Ok guys @kthiruve @Jason Kunst 

    I had to reach out Cisco TAC. Here's the TAC response

     

    =================

    Kindly note that it is possible to force authorize as session without authentication to trigger RADIUS accounting in absence of authentication with old version, There is change in behavior after 15.0(2)SE. Till 15.0(2)SE​, monitoring sessions were authorized by default. So, we used to see device-sensor accounting for monitoring sessions. After 15,0(2)SE, monitoring sessions are unauthorized by default. Consequently, you won't see device-sensor accounting for monitoring sessions.

     

    So, we need to have a dot1x/mab session to get the device sensor information into ISE, based on that, this document should be upgraded.

    =================

     

    Everything I said above is indeed valid - Radius probe with Device Sensor requires valid Authentication/Authorization session, otherwis there's no Accounting. I have asked TAC engineer to reach out to BU to make sure all documentation is up to date. I will also get in touch with our Account Manager to make sure this really happens.

     

    At least this is now clear, the behavior is not buggy but rather expected. And... this discovery makes our project a bit more challanging as I am unable to rely on Radius probe only :(