01-29-2018 10:10 AM
If ISE is being used for visibility only (not authentication), is there a way to have it provide notification when a new, previously unseen MAC address connects to the network? There would not be a static list of MAC addresses within ISE; it would be a dynamically built list that, once it has been monitoring for a while, could provide notice of a new MAC.
Any creative ideas?
Thanks!
01-29-2018 03:52 PM
SNMP traps can be used, either link-up or MAC notification traps. It is also possible to discover endpoints via SNMP polling, DHCP, and import via file, LDAP, or API. It is also possible to learn new endpoints via streamlined visibility mode (prior to placing the system into a production, distributed deployment).
01-30-2018 06:07 AM
Thanks. Understood on how endpoint data is collected. How does one receive notification of new endpoints though?
I see there is a profiled endpoints summary report. The description of the report is not very detailed. It appears that SNMPQuery probe is constantly updating the date so that existing devices are always appearing with a current "logged at" date making it impossible to see what is a newly seen device compared to devices that have been on the network for a long time.
The goal is to find a way to receive notification only for devices that are new to the network. Any thoughts?
01-31-2018 05:43 PM
I can't find any alarm or report on this, so I do not think ISE is tracking such.
01-31-2018 10:07 PM
Correct. No alarm for new devices, as alarms are typically focused on anomalous events, and new devices are typically not considered anomalous. Of course, that is more a matter of customer policy. In most environments, this would be considered common, and noise if an event were triggered on each new endpoint.
That said, you could potentially trigger on MAB log events where the host is not found but ISE continues to authorization. Or check for endpoints that hit a default that is only for hosts matching such a condition.
You can also generate a report for all endpoints and check the creation time based on ElapsedDays. From the PAN CLI, run "app config ise" and select the option to get all endpoints. You can also collect data via the standalone Endpoint Analysis Tool (iseeat.cisco.com).
Lastly, you can ask your Cisco account team to request a feature enhancement.
Craig
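The baseline-and-diff approach asked about in the opening post, worked through as an added example that is not from any participant in this thread or from ISE itself: it normalizes MAC spellings, parses an endpoint export whose MACAddress/ElapsedDays columns are an assumed layout (constructed sample data, not ISE's exact all-endpoints format), and reports MACs absent from a persisted baseline plus baseline MACs whose ElapsedDays shows the record was recently re-created. The persisted-baseline path and file format are also assumptions.

```python
from __future__ import annotations
import csv
import io
import json
import re
from pathlib import Path


def normalize_mac(raw: str) -> str:
    """Canonicalize aa:bb:cc:dd:ee:ff, AA-BB-..., aabb.ccdd.eeff or bare hex to AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_endpoint_export(text: str) -> dict[str, int]:
    """Parse a CSV with MACAddress and ElapsedDays columns (assumed layout, not ISE's exact export)."""
    return {normalize_mac(row["MACAddress"]): int(row["ElapsedDays"])
            for row in csv.DictReader(io.StringIO(text))}


def find_new_endpoints(export: dict[str, int], baseline: set[str],
                       max_age_days: int = 1) -> tuple[set[str], set[str]]:
    """Return (unseen, recreated).

    unseen: MACs in the export that this monitor has never recorded in its baseline.
    recreated: MACs already in the baseline whose ElapsedDays says ISE created the
    record within max_age_days, i.e. the endpoint was purged and learned again.
    Creation age is used instead of the 'logged at' timestamp because probes keep
    refreshing the latter for long-known devices.
    """
    unseen = set(export) - baseline
    recreated = {m for m, age in export.items() if m in baseline and age <= max_age_days}
    return unseen, recreated


def load_baseline(path: Path) -> set[str]:
    """Baseline persisted as a JSON list of canonical MACs (assumed format)."""
    return set(json.loads(path.read_text())) if path.exists() else set()


def save_baseline(path: Path, baseline: set[str]) -> None:
    path.write_text(json.dumps(sorted(baseline)))


# Constructed sample export and baseline (not real data); mixed MAC spellings on purpose.
SAMPLE_EXPORT = """MACAddress,ElapsedDays
00:11:22:33:44:55,120
0011.2233.4466,45
00-11-22-33-44-77,0
001122334488,0
"""
SAMPLE_BASELINE = {"00:11:22:33:44:55", "00:11:22:33:44:66", "00:11:22:33:44:77"}

if __name__ == "__main__":
    export = parse_endpoint_export(SAMPLE_EXPORT)
    unseen, recreated = find_new_endpoints(export, SAMPLE_BASELINE)
    print("never seen before:", sorted(unseen))        # ['00:11:22:33:44:88']
    print("re-created records:", sorted(recreated))    # ['00:11:22:33:44:77']
    save_baseline(Path("mac_baseline.json"), SAMPLE_BASELINE | set(export))
```

Run it on each pull of the all-endpoints export; after the first run establishes the baseline, only MACs not in it (or re-created in ISE) are reported.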