cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3420
Views
5
Helpful
11
Replies

ISE is not profiling devices correctly

hacizeynal
Level 1
Level 1

Hi friends ,

can anybody else help me ? i am using ISE 2.0 ,but it doesnt profiles device truly ,printers are profiled like cisco routers or switches .

Thanks .

2 Accepted Solutions

Accepted Solutions

nspasov
Cisco Employee
Cisco Employee

Couple of questions:

1. What profiling sensors do you have turned on

2. Is this for wired or wireless

Thank you for rating helpful posts!

View solution in original post

Pls answer my questions above :)

View solution in original post

11 Replies 11

nspasov
Cisco Employee
Cisco Employee

Couple of questions:

1. What profiling sensors do you have turned on

2. Is this for wired or wireless

Thank you for rating helpful posts!

For example I am adding printer ,it seems like a cisco router 

Pls answer my questions above :)

Hello Neno ,

I am uploading screenshot from ISE probing .

Also I have added just ip helper under the interface vlan for both DHCP server and ISE.

So in order for the DHCP profiler to send you good information the clients must be configured for dynamic IPs. Usually printers are statically configured instead, thus the DHCP information is never seen by ISE. 

Can you confirm whether the printers are statically configured with IP or set to use DHCP?

Also, please past the output from the following:

show run | sec aaa

show run | sec radius

show run | sec tracking

Thank you for rating helpful posts!

a) AZPBTASW001#sh running-config | sec aaa
aaa new-model
aaa group server radius ISE-group
server name AZPBTPAN001
ip radius source-interface Vlan150
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group radius
aaa authorization exec default group tacacs+ local
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa server radius dynamic-author
client 192.168.14.50 server-key 7 094F471A1A0A464058
aaa session-id common

AZPBTASW001#show run | sec radius
aaa group server radius ISE-group
server name AZPBTPAN001
ip radius source-interface Vlan150
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
client 192.168.14.50 server-key 7 094F471A1A0A464058
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius server ISE
address ipv4 192.168.14.50 auth-port 1812 acct-port 1813
key 7 121A0C0411045D5679

AZPBTASW001#sh running-config interface gigabitEthernet 1/0/2
Building configuration...

Current configuration : 727 bytes
!
interface GigabitEthernet1/0/2
switchport access vlan 100
switchport mode access
switchport voice vlan 200
ip device tracking probe count 10
ip device tracking maximum 10
authentication event fail action next-method
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast

Thank you for the detailed info. Can you also answer this question:

Can you confirm whether the printers are statically configured with IP or set to use DHCP?

All of them are with static IP.

I am guessing this the cause of your problem. ISE is not getting any of the DHCP information in order to use that for profiling. Can you set one of the printers to DHCP and test this to see if that is the issue?

I have faced this issue before and have addressed it by:

- Setting the printers to DHCP instead of static

- Configured static DHCP assignments on the DHCP server based on the printers MAC (that way the printer gets the same IP address)

- This gets the printer the same IP address while using DHCP which provides ISE with the DHCP information that can be used for profiling