Anyone can explain to me, how the CDP device sensor probe works with ISE ???
What I am trying to do, is to identify different Cisco Wireless Access Point models (i.e. LAP 1142) with ISE.
Since the APs do speak CDP (I can see the AP devices on the switch), this should be possible with the CDP device sensor on the switch, shouldn't it ....
I have done the following so far:
Configured the switch to talk to ISE via radius accounting:
aaa group server radius SERVERGROUP_radius_accounting
server name ISE02
radius server ISE02
address ipv4 [ISE02 ip address] auth-port 1645 acct-port 1646
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute nas-port-id include remote-id
radius-server dead-criteria time 30 tries 3
radius-server retry method reorder
radius-server retransmit 2
radius-server timeout 2
radius-server deadtime 1
radius-server key 7 [ISE02 radius key]
radius-server vsa send cisco-nas-port
radius-server vsa send accounting
radius-server vsa send authentication
aaa accounting dot1x default start-stop group SERVERGROUP_radius_accounting
Configured SNMP traps to be sent to ISE:
snmp-server host [ISE02 ip address] [SNMP RO Community]
authentication mac-move permit
authentication critical recovery delay 120
mac address-table notification change interval 60
mac address-table notification change
mac address-table notification mac-move
snmp trap mac-notification change added
snmp trap mac-notification change removed
Configured logging to ISE:
logging host [ISE02 ip address] transport udp port 20514
aaa server radius dynamic-author
client [ISE02 ip address] server-key 7 [ISE02 radius key]
Configured DHCP snooping, device tracking and device sensors:
ip dhcp snooping vlan xyz
no ip dhcp snooping information option
ip dhcp snooping
ip device tracking
device-sensor filter-list dhcp list DSFL_dhcp
option name domain-name-servers
option name host-name
option name domain-name
option name class-identifier
option name client-identifier
device-sensor filter-list lldp list DSFL_lldp
tlv name system-name
tlv name system-description
tlv name system-capabilities
tlv name management-address
device-sensor filter-list cdp list DSFL_cdp
tlv name device-name
tlv name port-id-type
tlv name capabilities-type
tlv name version-type
tlv name platform-type
tlv name duplex-type
tlv number 34
device-sensor filter-spec dhcp include list DSFL_dhcp
device-sensor filter-spec lldp include list DSFL_lldp
device-sensor filter-spec cdp include list DSFL_cdp
device-sensor notify all-changes
Configured an additional IP helper on the AP vlan pointing to ISE:
interface vlan xyz
ip helper-address [ISE02 ip address]
I have configured new profiling conditions on ISE, which use the cdp attributes:
and used these conditions in a new profiling policy for the 114x AP:
ISE is configured to listen to DHCP, radius, DNS and SNMP traps ....
However, the only thing ISE sees of this AP, is the dhcp probe:
and therefore, the 114x policy has no effect .......
ISE version is the following:
Cisco Application Deployment Engine OS Release: 2.0
ADE-OS Build Version: 2.0.4.018
ADE-OS System Architecture: i386
Copyright (c) 2005-2011 by Cisco Systems, Inc.
All rights reserved.
Version information of installed applications
Cisco Identity Services Engine
Version : 220.127.116.11
Build Date : Fri Oct 26 21:10:35 2012
Install Date : Fri Jan 18 07:18:49 2013
Cisco Identity Services Engine Patch
Version : 2
Install Date : Mon Jan 21 07:36:50 2013
Cisco Identity Services Engine Patch
Version : 3
Install Date : Mon Jan 21 07:42:11 2013
Version of the switch:
cisco WS-C3560CG-8PC-S (PowerPC) processor (revision C0) with 131072K bytes of memory.
Processor board ID FOC1619Y180
Last reset from power-on
7 Virtual Ethernet interfaces
10 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 58:BF:EA:B9:AC:80
Motherboard assembly number : 73-13272-06
Power supply part number : 341-0407-01
Motherboard serial number : FOC16174ZZ5
Power supply serial number : LIT16120XR8
Model revision number : C0
Motherboard revision number : A0
Model number : WS-C3560CG-8PC-S
System serial number : FOC1619Y180
Top Assembly Part Number : 800-33676-02
Top Assembly Revision Number : A0
Version ID : V02
CLEI Code Number : CMMD900ARB
Hardware Board Revision Number : 0x00
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 10 WS-C3560CG-8PC-S 15.0(2)SE C3560c405ex-UNIVERSALK9-M
What am I missing ??? Should this config make the switch send CDP information about connected devices to the ISE (via radius accounting) ???
How do the device sensors work ???
Solved! Go to Solution.
@Tymofii Dmytrenko thanks! Yeah I wasted a bit of time with this too. Then got TAC involved since device sensor wasn't working as I had expected, and we had an snmpquery probe issue as well. Funnily enough even TAC at first wasn't too sure about device-sensor, only after I showed them your discussion about authentication needing to pass first for it to work, did they confirm the behaviour. looks like there is a major misunderstanding with this feature.
Anyway I did some further tests and also confirmed device-sensor via radius probe works only when radius access-accept received. Originally I had my default mab authz policy with the default "DenyAccess" which is an Access-Reject. I created a new authz profile using Access-Accept with a deny ip any any dACL, applied it to the authz policy and then radius probe starts working.
Same issues here, I also created a "pre-device-sensor" rule in my MAB policy to do an "Access-Accept in conjunction with a DACL "Deny ip any any". This is enough to get Accounting up and running.
I should have found this thread earlier, it would have saved me some major headaches!
@Tymofii DmytrenkoDid you receive any updates about it? Will Cisco update their documentation?
The latest update I've got from TAC before we closed the case was this one...
Kindly note that I had engaged further resources to re-open this enhancement request “CSCvn03049 Need to add note that device sensor info is dependent on dot1x auth/authz” and currently is just employee visible and sent their an email to let it as customer visible if possible, so now the document should be updated based on this enhancement bug.
Hope this is helpful.
I have the opposite issue.
All of our switches are configured to perform dot1x or mab authentication but we did not configure device-sensor
We are gradually migrating from ACS and ISE and I doscovered that ISE endpoint database is populated with endpoints that did not undergo any authentication.
Looking deeper at the issue I found that those endpoints where created becuase of some switches sending accounting packet labelled with "radiusprobe"
I suppose this is because of this default configuration
SWITCH#show running-config all | in device-sen
device-sensor notify new-tlvs
For instance on ISE endpoints t database I can find mac addresses of distribution switches interfaces connected to dot1x access switches.This is quite puzzling because that "accounting only" endpoints are shown by ISE as connected endpoints.
I am pretty sure they are not consuming a base licenses but their presence could be quite annoying (not to speak of the fact that those switches are sending those accounting packets even for wireless endpoint connected to flex connected ap ....)
I have opened a SR with TAC but the engineer is not able to address the issue.
Does anyone know if
device-sensor notify new-tlvs
may actually be the cause of the issue and why Cisco does not document this configuration?