cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

476
Views
5
Helpful
4
Replies
Madura Malwatte
Enthusiast

ISE profiling behaviour close mode

How is everyone else doing profiling of MAB devices without allowing complete access? Is it mainly via just dhcp and snmp probes? I did some test and seems that device-sensor via radius probe is completely useless as it requires authentication to succeed before device-sensor info can be seen by ISE. So if no authentication = no cdp/lldp/dhcp data = no profiling. 

My default MAB policy is "deny access", so my access points are failing into this authz policy because ISE never gets to know anything about the AP (i.e. cdpCachePlatform) via device-sensor, because device-sensor requires the AP to be authenticated, and so it goes....

What's the best way to get around this, would it be making the default MAB policy an access accept with a deny ip any any dACL, so then we can get the radius accounting packets with device-sensor data? 

Or has anyone tried what Craig Hyps has suggested here - "Session-Aware Networking to force Device Sensor to send RDIUS Accounting even if Auth fails to transmit the CDP/LLDP info"

1 ACCEPTED SOLUTION

Accepted Solutions
ldanny
Cisco Employee

If you consider not using Auth for your AP endpoints but would like to be able to actually see them you can try

 

Try setting up an interface with no Auth configurations at all

Use ip helper-address <ISE NODE Address> command to forward the request to your ISE node as well.

SNMP polling and see if you get any information (CDP,LLDP) , obviously make sure you have snmp setup on your device.

DNS can be used (if enabled) and once IP is know ISE can run a FQDN check.

NMAP as well will be triggered (if enabled) once IP is known.

 

As you can see these are options to profile endpoints  without actually having to authenticate your endpoint

 

 

 

 

 

 

View solution in original post

4 REPLIES 4
Timothy Abbott
Cisco Employee

I recommend that you use a limited access ACL.  That ACL could permit access to limited network services such as DHCP, DNS, NTP, TFTP, etc. without giving the endpoint complete access.  My experience has been that by the time the endpoint (IP Phone, AP, etc.) gets that initial limited access ACL, profiling occurs and ISE then issues a CoA for the correct level of network access.

 

Regards,

-Tim

Hi Timothy,

I already have a limited access ACL in the form of a pre-auth acl applied directly on the switchport interface allowing DHCP, DNS, ISE traffic. But this doesn't seem to allow the device-sensor radius accounting packets to get through because the endpoint has already gone into the default deny access authz policy.

Hi Timothy,

I already have a limited access ACL in the form of a pre-auth acl applied directly on the switchport interface allowing DHCP, DNS, ISE traffic. I am not sure when you say "by the time the endpoint (IP Phone, AP, etc.) gets that initial limited access ACL",  the interface ACL will be active from the beginning would it not? 

And it doesn't seem to allow the device-sensor radius accounting packets to get through because the endpoint has already gone into the default deny access authz policy.

ldanny
Cisco Employee

If you consider not using Auth for your AP endpoints but would like to be able to actually see them you can try

 

Try setting up an interface with no Auth configurations at all

Use ip helper-address <ISE NODE Address> command to forward the request to your ISE node as well.

SNMP polling and see if you get any information (CDP,LLDP) , obviously make sure you have snmp setup on your device.

DNS can be used (if enabled) and once IP is know ISE can run a FQDN check.

NMAP as well will be triggered (if enabled) once IP is known.

 

As you can see these are options to profile endpoints  without actually having to authenticate your endpoint

 

 

 

 

 

 

View solution in original post

Content for Community-Ad