ISE Radius probe and ios device-sensor question

andrewswanson
Level 7

Hello

After a bit of tweaking I have Cisco ISE 1.4 Radius probe working with the ios device sensor on a C6880-X-LE running 152-1.SY1.

I ran a radius accounting debug and could see that the cdp tlv's sent to ISE looked like they were blank:

Aug 25 12:40:10.635: SW1: RADIUS:  Vendor, Cisco       [26]  22                
Aug 25 12:40:10.635: SW1: RADIUS:   Cisco AVpair       [1]   16  "cdp-tlv=     
"                                                                              
Aug 25 12:40:10.635: SW1: RADIUS:  Vendor, Cisco       [26]  21                
Aug 25 12:40:10.635: SW1: RADIUS:   Cisco AVpair       [1]   15  "cdp-tlv=     "
Aug 25 12:40:10.635: SW1: RADIUS:  Vendor, Cisco       [26]  28                
Aug 25 12:40:10.635: SW1: RADIUS:   Cisco AVpair       [1]   22  "cdp-tlv=     
      "                                                                        
Aug 25 12:40:10.635: SW1: RADIUS:  Vendor, Cisco       [26]  39                
Aug 25 12:40:10.635: SW1: RADIUS:   Cisco AVpair       [1]   33  "cdp-tlv=     
                 "                                                             
Aug 25 12:40:10.635: SW1: RADIUS:  Vendor, Cisco       [26]  38                
Aug 25 12:40:10.635: SW1: RADIUS:   Cisco AVpair       [1]   32  "cdp-tlv=     
                "                                                              
Aug 25 12:40:10.635: SW1: RADIUS:  Vendor, Cisco       [26]  24                
Aug 25 12:40:10.635: SW1: RADIUS:   Cisco AVpair       [1]   18  "cdp-tlv=     
  "                                                                            
Aug 25 12:40:10.635: SW1: RADIUS:  Vendor, Cisco       [26]  26                
Aug 25 12:40:10.635: SW1: RADIUS:   Cisco AVpair       [1]   20  "cdp-tlv=     
    "                                                                          
Aug 25 12:40:10.635: SW1: RADIUS:  Vendor, Cisco       [26]  33                
Aug 25 12:40:10.635: SW1: RADIUS:   Cisco AVpair       [1]   27  "cdp-tlv=     
           "                                                                   
Aug 25 12:40:10.635: SW1: RADIUS:  Vendor, Cisco       [26]  23                
Aug 25 12:40:10.635: SW1: RADIUS:   Cisco AVpair       [1]   17  "cdp-tlv=     
 "                                                                             
Aug 25 12:40:10.635: SW1: RADIUS:  Vendor, Cisco       [26]  35                
Aug 25 12:40:10.635: SW1: RADIUS:   Cisco AVpair       [1]   29  "cdp-tlv=     
             "                                                            

I was curious as to how ISE was getting the device-sensor tlv's if they weren't being sent in the radius accounting packets. I found the following trustsec document:

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_30_ise_profiling.pdf

It states on page 13:

Note: The RADIUS probe does not listen directly to RADIUS traffic, but rather listens and parses RADIUS attributes sent in syslog to the Monitoring node on default UDP port 20514. Captured RADIUS profile attributes are then forwarded to an internal logger on default UDP port 30514.

I carried out a packet capture on the 6880 switch and found:

  • The device-sensor tlv's are actually being sent to ISE in the radius accounting packets - for some reason these don't appear in the debugs
  • The syslogs sent to ISE don't appear to have any radius attributes at all - just events etc.

Can anyone explain what the radius probe and syslog link referred to in the trustsec document actually means?

Thanks
Andy

1 Reply

Tarik Admani
VIP Alumni

I wonder if the debugs are not displaying correctly. Did you try running the tcp dump on the PSN to see if the account packets contained the fields?
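
For checking a capture like the one discussed in this thread, here is an added example (not from either poster and not Cisco code) that parses a RADIUS Accounting-Request and extracts the Cisco-AVPair `cdp-tlv=` values. It assumes the bytes after `cdp-tlv=` are binary (2-byte type, 2-byte length, then the value); the sample packet and device names are constructed.

```python
import struct

VSA, CISCO, AVPAIR = 26, 9, 1   # Vendor-Specific attr, Cisco enterprise id, Cisco-AVPair


def cisco_avpairs(packet: bytes) -> list:
    """Return the raw value of every Cisco-AVPair in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    end = min(struct.unpack("!H", packet[2:4])[0], len(packet))
    pos, found = 20, []
    while pos < end:
        if pos + 2 > end:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > end:
            raise ValueError("malformed attribute at offset %d" % pos)
        body = packet[pos + 2:pos + alen]
        # VSA body: 4-byte vendor id, then vendor type, vendor length, value
        is_cisco = len(body) >= 6 and body[:4] == struct.pack("!I", CISCO)
        if atype == VSA and is_cisco and body[4] == AVPAIR:
            found.append(body[6:4 + body[5]])
        pos += alen
    return found


def decode_cdp_tlv(avpair: bytes):
    """Split 'cdp-tlv=<type><length><value>' (assumed layout) into (type, value)."""
    if not avpair.startswith(b"cdp-tlv=") or len(avpair) < 12:
        return None
    tlv_type, tlv_len = struct.unpack("!HH", avpair[8:12])
    return tlv_type, avpair[12:12 + tlv_len]


def build_sample_packet() -> bytes:
    """Constructed Accounting-Request (code 4) carrying two cdp-tlv AVPairs."""
    def avpair(tlv_type: int, value: bytes) -> bytes:
        text = b"cdp-tlv=" + struct.pack("!HH", tlv_type, len(value)) + value
        sub = bytes([AVPAIR, len(text) + 2]) + text
        return bytes([VSA, len(sub) + 6]) + struct.pack("!I", CISCO) + sub
    # CDP TLV 1 = Device ID, 6 = Platform; the values are made up
    attrs = avpair(1, b"SEP001122334455") + avpair(6, b"Cisco IP Phone 7962")
    return struct.pack("!BBH", 4, 1, 20 + len(attrs)) + bytes(16) + attrs


if __name__ == "__main__":
    for pair in cisco_avpairs(build_sample_packet()):
        print(decode_cdp_tlv(pair))
```

The attribute lengths it produces follow the same pattern as the debug above: the "Vendor, Cisco" length is always the "Cisco AVpair" length plus 6.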