12-11-2015 10:40 AM - edited 03-10-2019 11:19 PM
Hi friends ,
can anybody else help me ? i am using ISE 2.0 ,but it doesnt profiles device truly ,printers are profiled like cisco routers or switches .
Thanks .
Solved! Go to Solution.
12-14-2015 10:44 AM
Couple of questions:
1. What profiling sensors do you have turned on
2. Is this for wired or wireless
Thank you for rating helpful posts!
12-15-2015 01:09 PM
Pls answer my questions above :)
12-14-2015 10:44 AM
Couple of questions:
1. What profiling sensors do you have turned on
2. Is this for wired or wireless
Thank you for rating helpful posts!
12-14-2015 11:19 AM
For example I am adding printer ,it seems like a cisco router
12-15-2015 01:09 PM
Pls answer my questions above :)
12-16-2015 07:48 AM
Hello Neno ,
I am uploading screenshot from ISE probing .
Also I have added just ip helper under the interface vlan for both DHCP server and ISE.
12-21-2015 12:34 PM
So in order for the DHCP profiler to send you good information the clients must be configured for dynamic IPs. Usually printers are statically configured instead, thus the DHCP information is never seen by ISE.
Can you confirm whether the printers are statically configured with IP or set to use DHCP?
Also, please past the output from the following:
show run | sec aaa
show run | sec radius
show run | sec tracking
Thank you for rating helpful posts!
12-25-2015 01:28 AM
a) AZPBTASW001#sh running-config | sec aaa
aaa new-model
aaa group server radius ISE-group
server name AZPBTPAN001
ip radius source-interface Vlan150
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs local
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group radius
aaa authorization exec default group tacacs+ local
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa server radius dynamic-author
client 192.168.14.50 server-key 7 094F471A1A0A464058
aaa session-id common
12-25-2015 01:29 AM
AZPBTASW001#show run | sec radius
aaa group server radius ISE-group
server name AZPBTPAN001
ip radius source-interface Vlan150
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
client 192.168.14.50 server-key 7 094F471A1A0A464058
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius server ISE
address ipv4 192.168.14.50 auth-port 1812 acct-port 1813
key 7 121A0C0411045D5679
12-25-2015 01:30 AM
AZPBTASW001#sh running-config interface gigabitEthernet 1/0/2
Building configuration...
Current configuration : 727 bytes
!
interface GigabitEthernet1/0/2
switchport access vlan 100
switchport mode access
switchport voice vlan 200
ip device tracking probe count 10
ip device tracking maximum 10
authentication event fail action next-method
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority mab dot1x
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
12-28-2015 12:08 PM
Thank you for the detailed info. Can you also answer this question:
Can you confirm whether the printers are statically configured with IP or set to use DHCP?
12-28-2015 12:10 PM
All of them are with static IP.
12-28-2015 12:17 PM
I am guessing this the cause of your problem. ISE is not getting any of the DHCP information in order to use that for profiling. Can you set one of the printers to DHCP and test this to see if that is the issue?
I have faced this issue before and have addressed it by:
- Setting the printers to DHCP instead of static
- Configured static DHCP assignments on the DHCP server based on the printers MAC (that way the printer gets the same IP address)
- This gets the printer the same IP address while using DHCP which provides ISE with the DHCP information that can be used for profiling
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide