Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
981
Views
5
Helpful
4
Replies

ISE profiling behaviour close mode

Go to solution
Madura Malwatte
Level 4
Level 4

‎04-30-2019 06:11 AM - edited ‎04-30-2019 06:11 AM

How is everyone else doing profiling of MAB devices without allowing complete access? Is it mainly via just dhcp and snmp probes? I did some test and seems that device-sensor via radius probe is completely useless as it requires authentication to succeed before device-sensor info can be seen by ISE. So if no authentication = no cdp/lldp/dhcp data = no profiling. 

My default MAB policy is "deny access", so my access points are failing into this authz policy because ISE never gets to know anything about the AP (i.e. cdpCachePlatform) via device-sensor, because device-sensor requires the AP to be authenticated, and so it goes....

What's the best way to get around this, would it be making the default MAB policy an access accept with a deny ip any any dACL, so then we can get the radius accounting packets with device-sensor data? 

Or has anyone tried what Craig Hyps has suggested here - "Session-Aware Networking to force Device Sensor to send RDIUS Accounting even if Auth fails to transmit the CDP/LLDP info"

1 person had this problem
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
ldanny
Cisco Employee
Cisco Employee

‎04-30-2019 11:39 PM

If you consider not using Auth for your AP endpoints but would like to be able to actually see them you can try

 

Try setting up an interface with no Auth configurations at all

Use ip helper-address <ISE NODE Address> command to forward the request to your ISE node as well.

SNMP polling and see if you get any information (CDP,LLDP) , obviously make sure you have snmp setup on your device.

DNS can be used (if enabled) and once IP is know ISE can run a FQDN check.

NMAP as well will be triggered (if enabled) once IP is known.

 

As you can see these are options to profile endpoints  without actually having to authenticate your endpoint

 

 

 

 

 

 

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Timothy Abbott
Cisco Employee
Cisco Employee

‎04-30-2019 07:27 AM

I recommend that you use a limited access ACL.  That ACL could permit access to limited network services such as DHCP, DNS, NTP, TFTP, etc. without giving the endpoint complete access.  My experience has been that by the time the endpoint (IP Phone, AP, etc.) gets that initial limited access ACL, profiling occurs and ISE then issues a CoA for the correct level of network access.

 

Regards,

-Tim

Go to solution
Madura Malwatte
Level 4
Level 4
In response to Timothy Abbott

‎04-30-2019 08:01 AM

Hi Timothy,

I already have a limited access ACL in the form of a pre-auth acl applied directly on the switchport interface allowing DHCP, DNS, ISE traffic. But this doesn't seem to allow the device-sensor radius accounting packets to get through because the endpoint has already gone into the default deny access authz policy.

0 Helpful

Go to solution
Madura Malwatte
Level 4
Level 4
In response to Timothy Abbott

‎04-30-2019 08:03 AM

Hi Timothy,

I already have a limited access ACL in the form of a pre-auth acl applied directly on the switchport interface allowing DHCP, DNS, ISE traffic. I am not sure when you say "by the time the endpoint (IP Phone, AP, etc.) gets that initial limited access ACL",  the interface ACL will be active from the beginning would it not? 

And it doesn't seem to allow the device-sensor radius accounting packets to get through because the endpoint has already gone into the default deny access authz policy.

0 Helpful

Go to solution
ldanny
Cisco Employee
Cisco Employee

‎04-30-2019 11:39 PM

If you consider not using Auth for your AP endpoints but would like to be able to actually see them you can try

 

Try setting up an interface with no Auth configurations at all

Use ip helper-address <ISE NODE Address> command to forward the request to your ISE node as well.

SNMP polling and see if you get any information (CDP,LLDP) , obviously make sure you have snmp setup on your device.

DNS can be used (if enabled) and once IP is know ISE can run a FQDN check.

NMAP as well will be triggered (if enabled) once IP is known.

 

As you can see these are options to profile endpoints  without actually having to authenticate your endpoint

 

 

 

 

 

 

0 Helpful
Customers Also Viewed These Support Documents