cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

2088
Views
2
Helpful
3
Replies
laposilaszlo
Beginner

ISE profiling on wired using radius probe and accounting(no authentication)

Hi Everyone,

I have been struggling with problem since a couple of weeks now and seems that I need some help.

I would be grateful if some could give me some hints or ideas regarding this.

The situation is the following:

We are planning to roll out wired 8021x in our organization using ISE and the switches are mostly 3850, 3750 and 3560.

Now because there are more than 30k switch ports I’m trying to do the simplest configuration for a start.

We would like to start with just profiling the devices for a couple of months maybe even a year.

I was thinking to use device sensor and radius probe to achieve this. Data will be sent using accounting to ISE.

The important thing is that authentication and authorization will not be configured for now! So the switch port configuration will not be touched, nothing new will be added here.

I am following Craig Hyps trustsec guide regarding profiling(and other official documentation), and based on them this type of configuration is a valid one. It just needs a couple of global commands on the switches.

Now the problem that I am facing is that it’s not working on any of the switch models for now.

Device senor cache is populated on all switch types, but

on the 3850 and 3560 the accounting is not sent no matter what I do.

On the 3750 the accounting is sent and contains sensor data but no calling station ID, so ISE cannot create and endpoint.

(of course if I configure authentication and accounting and use the standard switch port configuration for 8021x this works, but as I said this is not what we want for now)

I am working with TAC but no notable result for now.

At this point I beginning to lose my hope that this is even doable.

Did someone ever manage to do this king of configuration that also worked? Can you let me know the exact IOS version and maybe an example of the configuration.

Any ideas are welcome.

Thanks,

laszlo

1 ACCEPTED SOLUTION

Accepted Solutions

Hi,

If that is the case, you would need to find a way to send RADIUS accounting because it holds the profiling data as you are aware.  At the same time, a monitor mode deployment where no enforcement is taking place could be another option.  Check out the below doc for more information.

How-To: Monitor Mode Deployment with ISE

Regards,

-Tim

View solution in original post

3 REPLIES 3
Timothy Abbott
Cisco Employee

IOS Device Sensor requires RADIUS to work.  If you're not doing any AAA, you won't get any information from Device Sensor.  You may want to look at other profiling methods such as DHCP probe (using IP helpers) or SNMP query while you are in monitor mode for the deployment.  You could also try NMAP as well as the AD probe but be sure ISE is getting the hostname of the endpoint.

Regards,

-Tim

Hi Tim,

Correct, that is what I was thinking also.

Accounting usually happens after authentication.

But then there is this part in the TrustSec document:

Note:

RADIUS accounting is required to forward sensor data to ISE. However, RADIUS authentication and authorization are not required to collect and send sensor data to ISE. Therefore, it is possible to use the Device Sensor for pre-ISE deployments during a network discovery phase when an organization is not yet ready to enable RADIUS authentication, even if only Monitor Mode. This support extends to deployments using ISE Profiling Services with Cisco NAC Appliance where RADIUS access control is not deployed.

Page 78

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_30_ise_profiling.pdf

And I have talked to Craig Hyps and he confirmed that this should work.

So its confusing. I'm am still not sure if this is possible or not.

Thanks,

laszlo

Hi,

If that is the case, you would need to find a way to send RADIUS accounting because it holds the profiling data as you are aware.  At the same time, a monitor mode deployment where no enforcement is taking place could be another option.  Check out the below doc for more information.

How-To: Monitor Mode Deployment with ISE

Regards,

-Tim

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars


Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube