ISE and CDP device sensor

Hi, all.

Anyone can explain to me, how the CDP device sensor probe works with ISE ???

What I am trying to do, is to identify different Cisco Wireless Access Point models (i.e. LAP 1142) with ISE.

Since the APs do speak CDP (I can see the AP devices on the switch), this should be possible with the CDP device sensor on the switch, shouldn't it  ....

I have done the following so far:

Configured the switch to talk to ISE via radius accounting:

aaa group server radius SERVERGROUP_radius_accounting
 server name ISE02
radius server ISE02
 address ipv4 [ISE02 ip address] auth-port 1645 acct-port 1646
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute nas-port-id include remote-id
radius-server dead-criteria time 30 tries 3
radius-server retry method reorder
radius-server retransmit 2
radius-server timeout 2
radius-server deadtime 1
radius-server key 7 [ISE02 radius key]
radius-server vsa send cisco-nas-port
radius-server vsa send accounting
radius-server vsa send authentication
aaa accounting dot1x default start-stop group SERVERGROUP_radius_accounting

Configured SNMP traps to be sent to ISE:

snmp-server host [ISE02 ip address] [SNMP RO Community]
authentication mac-move permit
authentication critical recovery delay 120
mac address-table notification change interval 60
mac address-table notification change
mac address-table notification mac-move
interface GigabitEthernet0/1
 snmp trap mac-notification change added
 snmp trap mac-notification change removed

Configured logging to ISE:

epm logging
logging host [ISE02 ip address] transport udp port 20514

Configured CoA:

aaa server radius dynamic-author
 client [ISE02 ip address] server-key 7 [ISE02 radius key]

Configured DHCP snooping, device tracking and device sensors:

ip dhcp snooping vlan xyz
no ip dhcp snooping information option
ip dhcp snooping
ip device tracking
device-sensor filter-list dhcp list DSFL_dhcp
 option name domain-name-servers
 option name host-name
 option name domain-name
 option name class-identifier
 option name client-identifier
device-sensor filter-list lldp list DSFL_lldp
 tlv name system-name
 tlv name system-description
 tlv name system-capabilities
 tlv name management-address
device-sensor filter-list cdp list DSFL_cdp
 tlv name device-name
 tlv name port-id-type
 tlv name capabilities-type
 tlv name version-type
 tlv name platform-type
 tlv name duplex-type
 tlv number 34
device-sensor filter-spec dhcp include list DSFL_dhcp
device-sensor filter-spec lldp include list DSFL_lldp
device-sensor filter-spec cdp include list DSFL_cdp
device-sensor notify all-changes

Configured an additional IP helper on the AP vlan pointing to ISE:

interface vlan xyz
 ip helper-address [ISE02 ip address]

I have configured new profiling conditions on ISE, which use the cdp attributes:

and used these conditions in a new profiling policy for the 114x AP:

ISE is configured to listen to DHCP, radius, DNS and SNMP traps ....

However, the only thing ISE sees of this AP, is the dhcp probe:

and therefore, the 114x policy has no effect .......

ISE version is the following:

Cisco Application Deployment Engine OS Release: 2.0
ADE-OS Build Version: 2.0.4.018
ADE-OS System Architecture: i386
Copyright (c) 2005-2011 by Cisco Systems, Inc.
All rights reserved.
Hostname: deess01nise02

Version information of installed applications
---------------------------------------------

Cisco Identity Services Engine
---------------------------------------------
Version      : 1.1.2.145
Build Date   : Fri Oct 26 21:10:35 2012
Install Date : Fri Jan 18 07:18:49 2013

Cisco Identity Services Engine Patch
---------------------------------------------
Version      : 2
Install Date : Mon Jan 21 07:36:50 2013

Cisco Identity Services Engine Patch
---------------------------------------------
Version      : 3
Install Date : Mon Jan 21 07:42:11 2013

Version of the switch:

cisco WS-C3560CG-8PC-S (PowerPC) processor (revision C0) with 131072K bytes of memory.
Processor board ID FOC1619Y180
Last reset from power-on
7 Virtual Ethernet interfaces
10 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address       : 58:BF:EA:B9:AC:80
Motherboard assembly number     : 73-13272-06
Power supply part number        : 341-0407-01
Motherboard serial number       : FOC16174ZZ5
Power supply serial number      : LIT16120XR8
Model revision number           : C0
Motherboard revision number     : A0
Model number                    : WS-C3560CG-8PC-S
System serial number            : FOC1619Y180
Top Assembly Part Number        : 800-33676-02
Top Assembly Revision Number    : A0
Version ID                      : V02
CLEI Code Number                : CMMD900ARB
Hardware Board Revision Number  : 0x00

Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 10    WS-C3560CG-8PC-S   15.0(2)SE             C3560c405ex-UNIVERSALK9-M

What am I missing ??? Should this config make the switch send CDP information about connected devices to the ISE (via radius accounting) ???

How do the device sensors work ???

Rgs

Frank
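An added example, not from this thread or from Cisco: a small Python audit that reads an IOS running-config and checks the device-sensor prerequisites this thread turns on (dot1x accounting to a defined RADIUS server group, VSAs sent in accounting, a CDP filter-spec that references a defined filter-list carrying the platform TLV, and notify all-changes rather than the default new-tlvs). It runs over a constructed config modelled on the one in this post; it cannot check the other condition raised later in the thread, that the session must get an Access-Accept, because that lives in ISE policy rather than on the switch.

```python
import re
# Constructed sample modelled on the config quoted in the original post.
SAMPLE_CONFIG = """\
aaa group server radius SERVERGROUP_radius_accounting
 server name ISE02
radius-server vsa send accounting
aaa accounting dot1x default start-stop group SERVERGROUP_radius_accounting
device-sensor filter-list cdp list DSFL_cdp
 tlv name device-name
 tlv name platform-type
device-sensor filter-spec cdp include list DSFL_cdp
device-sensor notify all-changes
"""

def parse_blocks(config):
    """Map each top-level config line to its indented sub-lines."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0] == " " and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks

def audit_device_sensor(config, protocol="cdp", tlv="platform-type"):
    """Return findings; an empty list means every checked prerequisite is present."""
    blocks = parse_blocks(config)
    findings = []
    acct = [m for l in blocks if (m := re.match(r"aaa accounting dot1x \S+ start-stop group (\S+)$", l))]
    if not acct:
        findings.append("no 'aaa accounting dot1x ... start-stop': sensor data is carried in accounting")
    elif f"aaa group server radius {acct[0].group(1)}" not in blocks:
        findings.append(f"accounting server group {acct[0].group(1)} is not defined")
    if "radius-server vsa send accounting" not in blocks:
        findings.append("missing 'radius-server vsa send accounting'")
    spec = [m for l in blocks if (m := re.match(rf"device-sensor filter-spec {protocol} include list (\S+)$", l))]
    if not spec:
        findings.append(f"no 'device-sensor filter-spec {protocol} include list ...'")
    else:
        flist = blocks.get(f"device-sensor filter-list {protocol} list {spec[0].group(1)}")
        if flist is None:
            findings.append(f"filter-spec references undefined {protocol} list {spec[0].group(1)}")
        elif f"tlv name {tlv}" not in flist:
            findings.append(f"{protocol} list {spec[0].group(1)} lacks 'tlv name {tlv}'")
    if "device-sensor notify all-changes" not in blocks:
        findings.append("'device-sensor notify all-changes' not set (default notify new-tlvs)")
    return findings
```

Feed it the output of `show running-config` and an empty list means the switch side matches what the original post configured; any finding names the line to add.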

24 Replies

TAC is pretty much correct. However, with newer IOS platform code, it's possible to perform local authorization using IBNS 2 and to send device sensor data to ISE via RADIUS accounting interim updates.

@Tymofii Dmytrenko thanks! Yeah, I wasted a bit of time with this too. Then I got TAC involved since device sensor wasn't working as I had expected, and we had an snmpquery probe issue as well. Funnily enough, even TAC at first wasn't too sure about device-sensor; only after I showed them your discussion about authentication needing to pass first for it to work did they confirm the behaviour. Looks like there is a major misunderstanding with this feature.

Anyway, I did some further tests and also confirmed device-sensor via radius probe works only when a radius access-accept is received. Originally I had my default mab authz policy with the default "DenyAccess", which is an Access-Reject. I created a new authz profile using Access-Accept with a deny ip any any dACL, applied it to the authz policy, and then the radius probe starts working.


Same issues here. I also created a "pre-device-sensor" rule in my MAB policy to do an Access-Accept in conjunction with a DACL "Deny ip any any". This is enough to get Accounting up and running.

I should have found this thread earlier, it would have saved me some major headaches!

@Tymofii Dmytrenko Did you receive any updates about it? Will Cisco update their documentation?

Hi @FvMoll

The latest update I've got from TAC before we closed the case was this one...

=========

Kindly note that I had engaged further resources to re-open this enhancement request “CSCvn03049    Need to add note that device sensor info is dependent on dot1x auth/authz”. Currently it is just employee visible, and I sent them an email to make it customer visible if possible, so now the document should be updated based on this enhancement bug.

=========

Hope this is helpful.

    @Tymofii Dmytrenko

    Thanks for the quick response :)

    Let's hope they will do something about it soon

    Do I need to send syslogs to ISE for the device sensor to work?

    No, device sensor data is sent from the NADs via radius accounting. You do not need to send syslogs from the network device to ISE.

    Hi,

    I have the opposite issue.

All of our switches are configured to perform dot1x or mab authentication, but we did not configure device-sensor.

We are gradually migrating from ACS to ISE and I discovered that the ISE endpoint database is populated with endpoints that did not undergo any authentication.

Looking deeper at the issue, I found that those endpoints were created because some switches are sending accounting packets labelled with "radiusprobe".

I suppose this is because of this default configuration:

SWITCH#show running-config all | in device-sen
device-sensor notify new-tlvs

For instance, in the ISE endpoints database I can find MAC addresses of distribution switch interfaces connected to dot1x access switches. This is quite puzzling because those "accounting only" endpoints are shown by ISE as connected endpoints.

I am pretty sure they are not consuming base licenses, but their presence could be quite annoying (not to speak of the fact that those switches are sending those accounting packets even for wireless endpoints connected to FlexConnect APs ....)

I have opened an SR with TAC but the engineer is not able to address the issue.

Does anyone know if

device-sensor notify new-tlvs

may actually be the cause of the issue, and why Cisco does not document this configuration?

Regards

MM


Hi. For us, non-ISE device ports started populating as radius probe after we added the DHCP helper address on the SVI to point to ISE.

    I have a suspicion that these two things are not related. Are you using the snmp query probe or just the radius probe? Both collect CDP information but in different ways. There are some known issues with device sensor / radius probe not working. What IOS release and switch platform are you using?