ISE profiling to get IP-to-MAC binding without radius, nmap or dhcp probes

Madura Malwatte
Level 4

Are there any alternatives for ISE profiling to get the IP-to-MAC bindings without RADIUS, NMAP or DHCP probes? I have workstations connected to my NAD (layer 2 switch), where I don't have RADIUS authentication on the workstation ports. I also don't want to configure ip helper-addresses on the upstream L3 device to send to ISE, as it will clutter the ISE endpoint database with unwanted endpoints. We are unable to turn on NMAP due to security concerns.

So is there a way to get the profiling data and the IP-to-MAC binding of these workstations using an alternate probing method?

1 Accepted Solution

Accepted Solutions

thomas
Cisco Employee

ISE is a RADIUS and TACACS+ server at the core.

You are asking ISE to profile endpoints on ports it effectively does not manage/control via RADIUS.

You further cripple the options by not allowing NMAP or DHCP.

This pretty much leaves you with SPAN.

I don't understand the constraints here but there's your answer.


8 Replies

Hi @Madura Malwatte 

Check out the Probe attributes section in this link

https://community.cisco.com/t5/security-documents/ise-profiling-design-guide/ta-p/3739456#toc-hId--2102379188

Use SNMP - "Polling of device ARP tables populates ISE MAC-to-IP bindings"

HTH

Hi @Rob Ingram, that's provided it's a layer 3 device which has its ARP table populated. For a layer 2 NAD switch, it will not have any ARP entries for endpoints connected to its layer 2 ports.

Madura Malwatte
Level 4

What about using the pxGrid probe to solve this (getting workstation endpoint visibility without using a DHCP helper on the upstream L3 device to get the IP-to-MAC binding)? Set up the pxGrid persona on ISE, enable pxGrid probes, set up passive identity, so on any login events on Windows workstations we should be able to get these profiling attributes into ISE, which will be able to give visibility into workstations and also profile them correctly? Without having to use RADIUS/DHCP probes?


pxGrid is a publisher/subscriber API used to share contextual data between ISE and other systems. The pxGrid probe in ISE is used to allow ISE to learn contextual data from external systems (currently used by IOT solutions like FactoryTalk, Industrial Network Director, CyberVision, etc). The problem in your case is that you would need an external system that has knowledge of the endpoint attributes and can publish that to the Endpoint Asset pxGrid topic so that ISE can learn that information as a subscriber.

So are you saying that if ISE is configured for passive identity to gather the WMI logon events, that it can't use this info to populate the endpoint database with the workstation details? Or using pxgrid integration to AD (is this possible?), so it can use pxgrid probe to grab attributes of the workstations once a logon event occurs?

AD does not know the MAC address of the endpoint, it only sees the IP address. PassiveID works by using the MAB session info on the switchport, combined with the IP Device Tracking (IP-to-MAC mapping on the switch) and sending that info to ISE via RADIUS. ISE then 'stitches' that info together with the matching WMI (or MSRPC for ISE 3.0) login event from AD using the same IP address. Without at least MAB/RADIUS, there is no endpoint record as the primary key value in the endpoint DB is the MAC Address. All other endpoint attributes are tied to that MAC Address.

AD does not have any pxGrid capabilities.
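The stitching described in the reply above, modelled as an added example (not ISE code): a MAB/RADIUS session table carrying the NAD's IP Device Tracking binding, a set of PassiveID logon events that only carry an IP, joined on that IP. The record shapes, field names and sample values are assumptions constructed for the illustration.

```python
"""Model of how a PassiveID logon event gets tied to an endpoint record.

Added illustration, not ISE code: record shapes and field names are
assumptions; the sample sessions and logon events are constructed.
"""
from dataclasses import dataclass


@dataclass
class Session:
    """MAB/RADIUS session plus the IPDT (IP-to-MAC) binding the NAD reports."""
    mac: str
    ip: str
    nad: str
    port: str


@dataclass
class LogonEvent:
    """PassiveID (WMI/MSRPC) logon event: AD only knows the IP, never the MAC."""
    ip: str
    user: str
    domain: str


def stitch(sessions, events):
    """Return (endpoint DB keyed by MAC, logon events that could not be attached).

    The endpoint DB's primary key is the MAC address, so a logon event whose
    IP has no RADIUS/IPDT session has nothing to key on and is dropped.
    """
    by_ip = {s.ip: s for s in sessions}
    endpoints, orphans = {}, []
    for ev in events:
        sess = by_ip.get(ev.ip)
        if sess is None:
            orphans.append(ev)  # no MAC available: no endpoint record
            continue
        endpoints[sess.mac] = {
            "ip": sess.ip, "nad": sess.nad, "port": sess.port,
            "user": f"{ev.domain}\\{ev.user}",
        }
    return endpoints, orphans


# Constructed sample: one port with MAB, one workstation port without RADIUS.
SESSIONS = [Session("00:11:22:33:44:55", "10.1.1.10", "sw1", "Gi1/0/1")]
EVENTS = [LogonEvent("10.1.1.10", "alice", "CORP"),
          LogonEvent("10.1.1.11", "bob", "CORP")]  # no session for this IP

if __name__ == "__main__":
    db, dropped = stitch(SESSIONS, EVENTS)
    print(db)       # one endpoint, keyed by MAC, with alice's logon attached
    print(dropped)  # bob's logon: no MAC, so no endpoint can be created
```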

chris-lawrence
Level 1

Hi Madura,

I am concerned with this statement - we are unable to turn on nmap due to security concerns.

I'd be interested in what those concerns are - just if I should be concerned about nmap too.

Is it because you don't want your ISE to perform outbound scans to external devices you haven't authenticated as valid?

My thought is using device sensor on the L2 switch, sending the radius back to ISE, you get an understanding of mac, ip binding, and nad details before the nmap scan is allowed to ensure that it is one of your valid hosts which you then provide full network access to.

At least that is what I am developing - a multi-pass authentication method - adjusting port access accordingly with CoA as ISE gets more info from the endpoint.