ISE and CDP device sensor

Hi, all.

Can anyone explain to me how the CDP device sensor probe works with ISE?

What I am trying to do is to identify different Cisco Wireless Access Point models (i.e. LAP 1142) with ISE.

Since the APs do speak CDP (I can see the AP devices on the switch), this should be possible with the CDP device sensor on the switch, shouldn't it?

I have done the following so far:

Configured the switch to talk to ISE via radius accounting:

aaa group server radius SERVERGROUP_radius_accounting
 server name ISE02
radius server ISE02
 address ipv4 [ISE02 ip address] auth-port 1645 acct-port 1646
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute nas-port-id include remote-id
radius-server dead-criteria time 30 tries 3
radius-server retry method reorder
radius-server retransmit 2
radius-server timeout 2
radius-server deadtime 1
radius-server key 7 [ISE02 radius key]
radius-server vsa send cisco-nas-port
radius-server vsa send accounting
radius-server vsa send authentication
aaa accounting dot1x default start-stop group SERVERGROUP_radius_accounting

Configured SNMP traps to be sent to ISE:

snmp-server host [ISE02 ip address] [SNMP RO Community]
authentication mac-move permit
authentication critical recovery delay 120
mac address-table notification change interval 60
mac address-table notification change
mac address-table notification mac-move
interface GigabitEthernet0/1
 snmp trap mac-notification change added
 snmp trap mac-notification change removed

Configured logging to ISE:

epm logging
logging host [ISE02 ip address] transport udp port 20514

Configured CoA:

aaa server radius dynamic-author
 client [ISE02 ip address] server-key 7 [ISE02 radius key]

Configured DHCP snooping, device tracking and device sensors:

ip dhcp snooping vlan xyz
no ip dhcp snooping information option
ip dhcp snooping
ip device tracking
device-sensor filter-list dhcp list DSFL_dhcp
 option name domain-name-servers
 option name host-name
 option name domain-name
 option name class-identifier
 option name client-identifier
device-sensor filter-list lldp list DSFL_lldp
 tlv name system-name
 tlv name system-description
 tlv name system-capabilities
 tlv name management-address
device-sensor filter-list cdp list DSFL_cdp
 tlv name device-name
 tlv name port-id-type
 tlv name capabilities-type
 tlv name version-type
 tlv name platform-type
 tlv name duplex-type
 tlv number 34
device-sensor filter-spec dhcp include list DSFL_dhcp
device-sensor filter-spec lldp include list DSFL_lldp
device-sensor filter-spec cdp include list DSFL_cdp
device-sensor notify all-changes

Configured an additional IP helper on the AP vlan pointing to ISE:

interface vlan xyz
 ip helper-address [ISE02 ip address]

I have configured new profiling conditions on ISE, which use the CDP attributes:

and used these conditions in a new profiling policy for the 114x AP:

ISE is configured to listen to DHCP, RADIUS, DNS and SNMP traps ....

However, the only thing ISE sees of this AP is the DHCP probe:

and therefore the 114x policy has no effect .......

ISE version is the following:

Cisco Application Deployment Engine OS Release: 2.0
ADE-OS Build Version: 2.0.4.018
ADE-OS System Architecture: i386
Copyright (c) 2005-2011 by Cisco Systems, Inc.
All rights reserved.
Hostname: deess01nise02

Version information of installed applications
---------------------------------------------
Cisco Identity Services Engine
---------------------------------------------
Version      : 1.1.2.145
Build Date   : Fri Oct 26 21:10:35 2012
Install Date : Fri Jan 18 07:18:49 2013

Cisco Identity Services Engine Patch
---------------------------------------------
Version      : 2
Install Date : Mon Jan 21 07:36:50 2013

Cisco Identity Services Engine Patch
---------------------------------------------
Version      : 3
Install Date : Mon Jan 21 07:42:11 2013

Version of the switch:

cisco WS-C3560CG-8PC-S (PowerPC) processor (revision C0) with 131072K bytes of memory.
Processor board ID FOC1619Y180
Last reset from power-on
7 Virtual Ethernet interfaces
10 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

512K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address       : 58:BF:EA:B9:AC:80
Motherboard assembly number     : 73-13272-06
Power supply part number        : 341-0407-01
Motherboard serial number       : FOC16174ZZ5
Power supply serial number      : LIT16120XR8
Model revision number           : C0
Motherboard revision number     : A0
Model number                    : WS-C3560CG-8PC-S
System serial number            : FOC1619Y180
Top Assembly Part Number        : 800-33676-02
Top Assembly Revision Number    : A0
Version ID                      : V02
CLEI Code Number                : CMMD900ARB
Hardware Board Revision Number  : 0x00

Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 10    WS-C3560CG-8PC-S   15.0(2)SE             C3560c405ex-UNIVERSALK9-M

What am I missing? Should this config make the switch send CDP information about connected devices to ISE (via RADIUS accounting)?

How do the device sensors work?

Rgs
Frank


Tarik Admani (VIP Alumni)

Frank,

The CDP attributes are encapsulated in the RADIUS packet as a cisco-av-pair and sent to ISE as an accounting packet. You may want to run "show device-sensor cache". Here are some helpful troubleshooting steps (you can also run the tcpdump utility on the monitoring side and set the ip host to <3560 radius source interface>):

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/15.0_1_se/device_sensor/guide/sensor_guide.html#wp1127934

Tarik Admani
*Please rate helpful posts*

Detailed information on the function of the Probes and device-sensor can be found in the "ISE Profiling Design Guide":

http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_30_ise_profiling.pdf

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

I have the same problem ... Did you find a solution Frank?

I am also having the same issue. Can anyone help???

Venkatesh Attuluri (Cisco Employee)

A switch with sensor capability gathers endpoint information from network devices using protocols such as Cisco Discovery Protocol (CDP), LLDP, and DHCP, subject to statically configured filters, and makes this information available to its registered clients in the context of an access session. An access session represents an endpoint's connection to the network device.

Client notifications and accounting messages containing profiling data, along with the session events and other session-related data such as MAC address and ingress port, are generated and sent to the internal and external clients (ISE). By default, for each supported peer protocol, client notifications and accounting events are only generated where an incoming packet includes a TLV that has not previously been received in the context of a given session. You can enable client notifications and accounting events for all TLV changes, where either a new TLV has been received or a previously received TLV has been received with a different value, using CLI commands.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/15.0_1_se/device_sensor/guide/sensor_guide.html#wp1112722

Hello. You're missing the following commands:

access-session template monitor
device-sensor accounting
no macro auto monitor

If that doesn't work then you need to remove the "aaa" config and re-apply it (I think that's because of a bug).

That worked for me and now my switches can detect Cisco Access Points and Cisco IP Phones very fast.

Please rate if it's helpful.

I think what many people don't understand is the following:

Device Sensor information is delivered to Cisco ISE using RADIUS. In particular, RADIUS Accounting.

Give it a few minutes and read this a few more times, before you go "Oh... seriously?"

What does it mean? Basically, if you want to rely on Device Sensor, the endpoint MUST go through Authentication, and this Authentication/Authorization MUST succeed. No Authentication/Authorization? No Accounting. No Accounting? Nothing is delivered to Cisco ISE, even though the switch possesses all information about this endpoint in its DHCP snooping, CDP and LLDP databases.

Device Sensor is an amazing feature, but you cannot rely on it when the port is not configured to authenticate the connected endpoint. Period.

Unfortunately, this is not obvious from Cisco documentation and it took me a few days in a lab to realize how it really works. Welcome :)

Anything done on ISE requires authentication and accounting.

I think this is technically not correct :)

I can deploy pure profiling without using ANY RADIUS at all. So, by its nature, Profiling doesn't rely on RADIUS.

What I tried to point out here is that Device Sensor has changed this, as it relies on RADIUS accounting and hence can only work if the switchport has been authorized for access.

When I originally started with Device Sensor it took me a few days to realize this. In fact, I even had to open a TAC case as I didn't understand why I didn't see any profiling data... I think Cisco can improve this by providing text in bold against the Device Sensor feature in all documentation saying "Device Sensor requires AAA enabled on the port (dot1X/MAB) and requires authentication to actually pass, otherwise Device Sensor information will not be delivered to Cisco ISE as it requires an active Accounting session".

Regards

Hi All,

Here are a few things those of you new to device sensor should understand:

1. Device Sensor is not an ISE probe but a functionality of network devices (wired and wireless controllers) that gathers specific endpoint information and caches it. This is unique to Cisco. From the CLI you can execute "show device-sensor cache xxx" to view the information gathered.

2. Device sensor gathers information about CDP, LLDP, HTTP, DHCP etc.

3. The information gathered using device sensor is sent to ISE via RADIUS accounting.

4. If visibility is your goal, you don't need to turn on aaa authentication and authorization and go through the MAB flow. You can configure aaa accounting and the magic will happen.

5. If enforcement is your goal, yes, you need to turn on MAB for AAA so that you authenticate the endpoint using MAB and then profile using ISE, which does CoA at the end.

6. You need to turn on the following for the device sensor information to be sent via accounting packets to ISE. This is for IBNS 1.0:

device-sensor accounting
device-sensor notify all-changes

and disable the local analyzer:

no macro auto monitor
access-session template monitor

That said, the screenshot way above shows ISE 1.1.2. That product went End of Life and End of Support long back, as of April 30, 2015.

Here is the End of Life link:

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/eos-eol-notice-c51-734276.html

Please use a recent and stable version, ISE 2.4. You can download it from

https://software.cisco.com/download/home/283801620/type/283802505/release/2.4.0

Thanks
Krishnan

Ok, in that case let me know what is wrong with my configuration (taken from a Catalyst 3850, running Everest 16.6.5):

aaa group server radius LAB-ISE-2x
 server name LAB-ISE-2x-1
 ip radius source-interface Vlan1
!
aaa authentication login default group LAB-ISE-2x local
aaa authentication enable default enable
aaa authentication dot1x default group LAB-ISE-2x
aaa authorization console
aaa authorization exec default group LAB-ISE-2x local
aaa authorization network default group LAB-ISE-2x
aaa accounting update newinfo
aaa accounting dot1x default start-stop group LAB-ISE-2x
aaa accounting network default start-stop group LAB-ISE-2x
aaa accounting system default start-stop group LAB-ISE-2x
!
aaa server radius dynamic-author
 client 10.255.33.251
 server-key 7 <secret>
!
ip dhcp snooping vlan 66,68-71
ip dhcp snooping
!
device-sensor filter-list lldp list w1lab-lldp-tlv
 tlv name port-id
 tlv name system-name
 tlv name system-description
 tlv name system-capabilities
 tlv name management-address
!
device-sensor filter-list cdp list w1lab-cdp-tlv
 tlv name device-name
 tlv name address-type
 tlv name capabilities-type
 tlv name platform-type
!
device-sensor filter-list dhcp list w1lab-dhcp-options
 option name host-name
 option name default-ip-ttl
 option name requested-address
 option name parameter-request-list
 option name class-identifier
 option name client-identifier
!
device-sensor filter-spec dhcp include list w1lab-dhcp-options
device-sensor filter-spec lldp include list w1lab-lldp-tlv
device-sensor filter-spec cdp include list w1lab-cdp-tlv
device-sensor accounting
device-sensor notify all-changes
!
access-session template monitor
!
dot1x system-auth-control
!
lldp run
!
template W1LAB-AP-PORT
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport access vlan 66
 switchport mode access
 description WAP
!
template W1LAB-UC-PORT
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport access vlan 68
 switchport mode access
 switchport voice vlan 70
 description PC/VoIP
!
interface GigabitEthernet1/0/46
 description IP Phone (Astra)
 source template W1LAB-UC-PORT
!
interface GigabitEthernet1/0/48
 power inline port perpetual-poe-ha
 power inline port poe-ha
 source template W1LAB-AP-PORT
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
radius server LAB-ISE-2x-1
 address ipv4 10.255.33.251 auth-port 1812 acct-port 1813
 key 7 <secret>

     

Device sensor sees devices on both interfaces:

LAB-S3850-3#sh device-sensor cache int gi1/0/48
Device: f4db.e62e.e63e on port GigabitEthernet1/0/48
--------------------------------------------------
Proto Type:Name Len Value
DHCP 50:requested-address 6 32 04 0A FF 42 66
DHCP 55:parameter-request-list 11 37 09 01 0F 03 1C 0C 06 07 1A 2B
DHCP 60:class-identifier 16 3C 0E 43 69 73 63 6F 20 41 50 20 63 33 38 30 30
DHCP 12:host-name 15 0C 0D 4C 41 42 2D 41 50 33 38 30 32 69 2D 32
DHCP 61:client-identifier 9 3D 07 01 F4 DB E6 2E E6 3E
LLDP 8:management-address 14 10 0C 05 01 0A FF 42 66 03 00 00 00 00 00
LLDP 6:system-description 199 0C C5 43 69 73 63 6F 20 41 50 20 53 6F 66 74 77
61 72 65 2C 20 61 70 33 67 33 2D 6B 39 77 38 20
56 65 72 73 69 6F 6E 3A 20 38 2E 35 2E 31 33 35
2E 30 0A 54 65 63 68 6E 69 63 61 6C 20 53 75 70
70 6F 72 74 3A 20 68 74 74 70 3A 2F 2F 77 77 77
2E 63 69 73 63 6F 2E 63 6F 6D 2F 74 65 63 68 73
75 70 70 6F 72 74 0A 43 6F 70 79 72 69 67 68 74
20 28 63 29 20 31 39 38 36 2D 32 30 31 38 20 62
79 20 43 69 73 63 6F 20 53 79 73 74 65 6D 73 2C
20 49 6E 63 2E 0A 43 6F 6D 70 69 6C 65 64 20 46
72 69 20 4A 75 6C 20 32 30 20 31 33 3A 35 32 3A
35 39 20 50 44 54 20 32 30 31 38 20 62 79 20 76
69 70 65 6E 64 79 61
LLDP 5:system-name 15 0A 0D 4C 41 42 2D 41 50 33 38 30 32 69 2D 32
LLDP 7:system-capabilities 6 0E 04 00 04 00 04
LLDP 2:port-id 4 04 02 01 30
CDP 6:platform-type 26 00 06 00 1A 63 69 73 63 6F 20 41 49 52 2D 41 50
33 38 30 32 49 2D 45 2D 4B 39
CDP 4:capabilities-type 8 00 04 00 08 00 00 00 03
CDP 2:address-type 45 00 02 00 2D 00 00 00 02 01 01 CC 00 04 0A FF 42
66 02 08 AA AA 03 00 00 00 86 DD 00 10 FE 80 00
00 00 00 00 00 F6 DB E6 FF FE 2E E6 3E
CDP 1:device-name 17 00 01 00 11 4C 41 42 2D 41 50 33 38 30 32 69 2D
32

On the ISE end I have disabled ALL probes intentionally, except RADIUS.

It cannot discover anything.

MAB/DOT1X are not configured on the interfaces.

Once I configure MAB and send an Access-Accept in case the MAC is not found, it works like a charm. It doesn't work though if Authentication is REJECTED.

So, back to my original point... the RADIUS probe requires successful Authorization and it won't work without MAB/DOT1X config on the port. Unless you can tell me I've done something wrong and/or there's a bug in this IOS.
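The cache output above is the raw form of what the switch later packs into RADIUS accounting, and every Value column carries the protocol's own option/TLV header in front of the data. This is an added example, not code from the thread or from Cisco: a Python parser for that "show device-sensor cache" format which strips the DHCP option header, the LLDP 2-byte type/length header and the CDP 4-byte type/length header, decodes the printable values (so the platform string a profiling condition matches, "cisco AIR-AP3802I-E-K9", can be read directly), names the CDP capability bits, and rejects a wrapped value whose byte count no longer matches the Len column (a pasted output that was cut off). The sample lines are a subset of the output posted above; the capability bit names follow the CDP capabilities TLV definition.

```python
import re
from dataclasses import dataclass

# Lines taken from the "sh device-sensor cache int gi1/0/48" output posted above
# (a subset; the wrapped CDP values are kept to exercise continuation handling).
SAMPLE_CACHE = """\
Device: f4db.e62e.e63e on port GigabitEthernet1/0/48
--------------------------------------------------
Proto Type:Name Len Value
DHCP 60:class-identifier 16 3C 0E 43 69 73 63 6F 20 41 50 20 63 33 38 30 30
DHCP 12:host-name 15 0C 0D 4C 41 42 2D 41 50 33 38 30 32 69 2D 32
LLDP 5:system-name 15 0A 0D 4C 41 42 2D 41 50 33 38 30 32 69 2D 32
CDP 6:platform-type 26 00 06 00 1A 63 69 73 63 6F 20 41 49 52 2D 41 50
33 38 30 32 49 2D 45 2D 4B 39
CDP 4:capabilities-type 8 00 04 00 08 00 00 00 03
CDP 1:device-name 17 00 01 00 11 4C 41 42 2D 41 50 33 38 30 32 69 2D
32
"""

DEVICE_RE = re.compile(r"^Device:\s+(\S+)\s+on port\s+(\S+)$")
ENTRY_RE = re.compile(r"^(DHCP|LLDP|CDP)\s+(\d+):(\S+)\s+(\d+)\s+((?:[0-9A-Fa-f]{2}\s*)+)$")
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}\s*)+$")

# CDP capabilities TLV bit flags (the letters "show cdp neighbors" prints)
CDP_CAPS = [(0x01, "Router"), (0x02, "Trans-Bridge"), (0x04, "Source-Route-Bridge"),
            (0x08, "Switch"), (0x10, "Host"), (0x20, "IGMP"), (0x40, "Repeater")]


@dataclass
class Tlv:
    proto: str
    type_code: int
    name: str
    raw: bytes  # the Value column verbatim: protocol header bytes, then the data

    def payload(self) -> bytes:
        """Strip the per-protocol header that the cache stores in front of the data."""
        r = self.raw
        if self.proto == "DHCP":  # option code, option length, data
            code, length = r[0], r[1]
            data = r[2:2 + length]
        elif self.proto == "LLDP":  # 7-bit type + 9-bit length, then data
            code, length = r[0] >> 1, ((r[0] & 1) << 8) | r[1]
            data = r[2:2 + length]
        elif self.proto == "CDP":  # 16-bit type, 16-bit length that includes the header
            code, length = int.from_bytes(r[0:2], "big"), int.from_bytes(r[2:4], "big")
            data = r[4:length]
        else:
            raise ValueError(f"unknown protocol {self.proto}")
        if code != self.type_code:
            raise ValueError(f"{self.proto} {self.name}: header type {code} != {self.type_code}")
        return data

    def text(self):
        """Decoded ASCII for printable values, None for binary ones (addresses, bitmaps)."""
        data = self.payload()
        if data and all(0x20 <= b < 0x7F for b in data):
            return data.decode("ascii")
        return None


def parse_cache(text):
    """Return (mac, port, [Tlv]) for one device's 'show device-sensor cache' output."""
    mac = port = None
    tlvs, pending = [], None

    def flush():
        if pending is None:
            return
        proto, code, name, declared, tokens = pending
        raw = bytes.fromhex("".join(tokens))
        if len(raw) != declared:  # a wrapped value was truncated or mis-pasted
            raise ValueError(f"{proto} {name}: Len says {declared} bytes, got {len(raw)}")
        tlvs.append(Tlv(proto, code, name, raw))

    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DEVICE_RE.match(line)
        if m:
            flush()
            pending = None
            mac, port = m.group(1), m.group(2)
            continue
        m = ENTRY_RE.match(line)
        if m:
            flush()
            pending = (m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5).split())
            continue
        if pending is not None and HEX_RE.match(line):
            pending[4].extend(line.split())  # continuation of a wrapped Value column
        # the column header and separator lines fall through and are ignored
    flush()
    return mac, port, tlvs


def cdp_capabilities(tlv):
    """Names of the capability bits set in a CDP capabilities-type TLV."""
    bits = int.from_bytes(tlv.payload(), "big")
    return [name for flag, name in CDP_CAPS if bits & flag]


def summarize(text):
    """Map 'PROTO:name' to decoded text, or upper-case hex for binary values."""
    _, _, tlvs = parse_cache(text)
    return {f"{t.proto}:{t.name}": t.text() or t.payload().hex().upper() for t in tlvs}


if __name__ == "__main__":
    mac, port, _ = parse_cache(SAMPLE_CACHE)
    print(f"{mac} on {port}")
    for key, value in summarize(SAMPLE_CACHE).items():
        print(f"  {key:24} {value}")
```

Run it against the output of "show device-sensor cache interface X" for any port; what it prints for CDP:platform-type and DHCP:class-identifier is exactly the data the profiling conditions in this thread are built on, and if ISE shows none of it while the switch does, the gap is in the accounting path rather than in the sensor.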

@Tymofii Dmytrenko I am seeing the exact same behaviour as you describe with device-sensor: the endpoint "MUST go through Authentication, and this Authentication/Authorization MUST succeed" for ISE to profile with device-sensor.

@Madura Malwatte yes. It does seem like all of Cisco's documentation on Device Sensor was misleading so far. I have raised it with Cisco TAC and once they confirm my observations I will be in touch with the BU through our Account Manager to make sure they update everything to stop this bad practice. Always liked Cisco documents for their level of detail and truthfulness... until now :)

     

Ok guys @kthiruve @Jason Kunst

I had to reach out to Cisco TAC. Here's the TAC response:

=================

Kindly note that it is possible to force authorize a session without authentication to trigger RADIUS accounting in absence of authentication with the old version. There is a change in behavior after 15.0(2)SE. Till 15.0(2)SE, monitoring sessions were authorized by default. So, we used to see device-sensor accounting for monitoring sessions. After 15.0(2)SE, monitoring sessions are unauthorized by default. Consequently, you won't see device-sensor accounting for monitoring sessions.

So, we need to have a dot1x/mab session to get the device sensor information into ISE, based on that, this document should be upgraded.

=================

Everything I said above is indeed valid: the RADIUS probe with Device Sensor requires a valid Authentication/Authorization session, otherwise there's no Accounting. I have asked the TAC engineer to reach out to the BU to make sure all documentation is up to date. I will also get in touch with our Account Manager to make sure this really happens.

At least this is now clear: the behavior is not buggy but rather expected. And... this discovery makes our project a bit more challenging as I am unable to rely on the RADIUS probe only :(
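The thread converges on a checklist: the three global commands from the accepted answer (device-sensor accounting, access-session template monitor, no macro auto monitor) on top of notify all-changes, an aaa accounting start-stop statement towards ISE, and, per the TAC reply, a dot1x/MAB method on the port so that a session is actually authorized and accounting is generated. This is an added example, not code from the thread or from Cisco: a Python check that reads an IOS running-config, expands "source template" on interfaces, and reports which of those items are missing. The two sample configs are constructed for the example (modelled on the configs posted above); it assumes "no macro auto monitor" appears literally in the running config once the local analyzer is disabled, and treats mab or dot1x pae authenticator as the port-level authentication method.

```python
import re

# Global commands the thread identifies as needed for device-sensor data to reach
# ISE in RADIUS accounting on an IBNS 1.0 switch. Assumption: "no macro auto
# monitor" shows up literally in the running config once the analyzer is off.
REQUIRED_GLOBAL = [
    "device-sensor accounting",
    "device-sensor notify all-changes",
    "access-session template monitor",
    "no macro auto monitor",
]
ACCOUNTING_RE = re.compile(r"^aaa accounting (dot1x|network) default start-stop group \S+")
# Per the TAC reply quoted above: after 15.0(2)SE a port needs an authenticated
# dot1x/MAB session before any accounting, hence any device-sensor data, is sent.
PORT_AUTH_RE = re.compile(r"^(mab|dot1x pae authenticator)\b")
STANZA_KEYWORDS = ("interface", "template")


def parse_stanzas(config):
    """Split an IOS running-config into (global_lines, {stanza header: [sub-lines]})."""
    global_lines, stanzas, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None  # '!' terminates a stanza
            continue
        line = raw.strip()
        if raw.startswith(" ") and current is not None:
            stanzas[current].append(line)
        elif not raw.startswith(" ") and line.split()[0] in STANZA_KEYWORDS:
            current = line
            stanzas[current] = []
        else:
            current = None
            global_lines.append(line)
    return global_lines, stanzas


def effective_port_lines(name, stanzas):
    """Lines of an interface stanza with any 'source template X' expanded inline."""
    lines = []
    for line in stanzas.get(name, []):
        m = re.match(r"^source template (\S+)$", line)
        lines.extend(stanzas.get("template " + m.group(1), []) if m else [line])
    return lines


def audit(config):
    """Return findings; an empty list means device sensor can reach ISE over accounting."""
    global_lines, stanzas = parse_stanzas(config)
    findings = [f"global: missing '{cmd}'" for cmd in REQUIRED_GLOBAL if cmd not in global_lines]
    if not any(ACCOUNTING_RE.match(l) for l in global_lines):
        findings.append("global: no 'aaa accounting dot1x|network default start-stop' towards ISE")
    for name in stanzas:
        if name.startswith("interface ") and not any(
                PORT_AUTH_RE.match(l) for l in effective_port_lines(name, stanzas)):
            findings.append(f"{name}: no dot1x/MAB, so the session is never authorized "
                            "and no accounting (hence no device-sensor data) is sent")
    return findings


# Constructed sample modelled on the configs posted in this thread: filters and
# notify are set, but the three global commands are absent and the AP port has
# no authentication method.
BEFORE = """\
aaa new-model
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
dot1x system-auth-control
device-sensor filter-spec cdp include list DSFL_cdp
device-sensor filter-spec dhcp include list DSFL_dhcp
device-sensor notify all-changes
!
template AP-PORT
 switchport mode access
 switchport access vlan 66
!
interface GigabitEthernet1/0/48
 description WAP
 source template AP-PORT
!
"""

# The same config with the thread's fixes applied globally and on the port.
AFTER = (BEFORE
         .replace("device-sensor notify all-changes\n",
                  "device-sensor accounting\ndevice-sensor notify all-changes\n"
                  "access-session template monitor\nno macro auto monitor\n")
         .replace(" source template AP-PORT\n",
                  " source template AP-PORT\n authentication port-control auto\n"
                  " mab\n dot1x pae authenticator\n"))

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg) or ["OK"])
```

Feed it the text of "show running-config"; a clean result means the switch side is complete, and anything ISE still fails to see points at the ISE probe settings or at a rejected authentication, which the thread shows also stops the accounting.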

     
