Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
456
Views
0
Helpful
1
Replies

ISE Profiling using NMAP with L2 Adjacent Endpoints

Go to solution
kpapadop@cisco.com
Cisco Employee
Cisco Employee

‎06-18-2018 03:13 PM

Hi,

   I have a quick question. Can ISE (PSN) gather IP-to-MAC address bindings using its own local ARP table if it is directly connected (L2 adjacent or same VLAN/subnet) to end-points it is scanning with NMAP, hence avoid having configuring switches and probes for profiling?

If that can happen could customers use this as an alternative design if they don’t want to configure any commands for ISE probes on switches?

I have read the below from the ISE Profiling Design Guide – not sure I have interpreted this correctly hence my question to you. Can we view the local ARP cache of a PSN node by the way?

""" START """"

  1. NMAP is based on a known IP address. If the NMAP probe collects attributes for an endpoint but cannot correlate that to a specific MAC address, that data is discarded. If the Policy Service node is on the same segment as the endpoint it is scanning, it can learn the IP-to-MAC address binding from its local ARP cache and add the endpoint directly into the Internal Endpoints database. Consequently, it is required to learn the IP-to-MAC address binding via another probe prior to collecting NMAP probe data. Probes that can be used to provide this information include the following:
    • RADIUS (via Framed-IP-Address)
    • DHCP (via dhcp-requested-address)
    • SNMP Query (via SNMP polling)

""""  END '""""

  

Kind Regards,

Kostas

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Craig Hyps
Level 10
Level 10

‎06-19-2018 05:35 AM

Per direct email response to same query...

I believe the info provided for origin al guide is still valid, although honestly I have not tested such in years.  The assumption is that PSN is rarely or never L2 adjacent to the endpoints it supports.  I would not rely on that assumption to avoid basic profiling. 

If RADIUS is configured to ISE, then ISE will acquire MAC and IPs via Calling Station ID and Framed IP.

ARP cache alone will not acquire DHCP data.

I do not understand the need to upgrade switches to collect profile data.  You may be confusing basic profile collection with Device Sensor feature, an advanced option to optimize profile data collection from switches/wireless controllers.  Device Sensor is not a requirement, although it is recommended to optimize collection and reduce ISE load.

Craig

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Craig Hyps
Level 10
Level 10

‎06-19-2018 05:35 AM

Per direct email response to same query...

I believe the info provided for origin al guide is still valid, although honestly I have not tested such in years.  The assumption is that PSN is rarely or never L2 adjacent to the endpoints it supports.  I would not rely on that assumption to avoid basic profiling. 

If RADIUS is configured to ISE, then ISE will acquire MAC and IPs via Calling Station ID and Framed IP.

ARP cache alone will not acquire DHCP data.

I do not understand the need to upgrade switches to collect profile data.  You may be confusing basic profile collection with Device Sensor feature, an advanced option to optimize profile data collection from switches/wireless controllers.  Device Sensor is not a requirement, although it is recommended to optimize collection and reduce ISE load.

Craig

0 Helpful
Customers Also Viewed These Support Documents