ISE used for visibility only, new device notification

greg2.0
Cisco Employee

If ISE is being used for visibility only, (not authentication), is there a way to have it provide notification when a new, previously unseen, MAC address connects to the network? There would not be a static list of MAC addresses within ISE, it would be a dynamically built list that once it has been monitoring for a while could provide notice of a new MAC.

Any creative ideas?

Thanks!


4 Replies

Craig Hyps
Level 10

SNMP traps can be used, either link-up or MAC notification traps. It is also possible to discover endpoints via SNMP polling, DHCP, and import via file, LDAP, or API. It is also possible to learn new endpoints via streamlined visibility mode (prior to placing the system into a production, distributed deployment).

Thanks. Understood on how endpoint data is collected. How does one receive notification of new endpoints though?

I see there is a profiled endpoints summary report. The description of the report is not very detailed. It appears that SNMPQuery probe is constantly updating the date so that existing devices are always appearing with a current "logged at" date making it impossible to see what is a newly seen device compared to devices that have been on the network for a long time.

Goal is to find a way to receive notification only for devices that are new to the network. Any thoughts?

hslai
Cisco Employee
(Accepted Solution)

I can't find any alarm or report on this, so I do not think ISE is tracking such.

Correct. There is no alarm for new devices, as alarms are typically focused on anomalous events, and new devices are typically not considered anomalous. Of course, that is more a matter of customer policy. In most environments, this would be considered common, and it would be noise if an event were triggered on each new endpoint.

That said, you could potentially trigger on MAB log events where the host is not found but ISE continued to authorization. Or check for endpoints that hit a default that is only for hosts matching such a condition.

You can also generate a report for all endpoints and check the creation time based on ElapsedDays. From the PAN CLI, run "app config ise" and select the option to get all endpoints. You can also collect data via the standalone Endpoint Analysis Tool (iseeat.cisco.com).

Lastly, you can ask your Cisco account team to request a feature enhancement.

Craig
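The two workarounds in the reply above (trigger on MAB "host not found" events that ISE still authorized, and check ElapsedDays in an all-endpoints export) can be combined into a small first-seen monitor outside ISE. The following is an added example written for this page; it is not code from the thread, from ISE, or from Cisco. It assumes a hypothetical export CSV with at least the columns MACAddress and ElapsedDays, and hypothetical MAB syslog lines that carry the endpoint MAC in a "Calling-Station-ID=" field together with the text "Subject not found in the applicable identity store(s)" for unknown hosts; adjust both to the actual formats of your deployment. The export seeds the baseline (so a learning period is just "export once, then start watching the logs"), and every unknown-host MAB event whose MAC is not yet in the baseline produces one alert and is then learned, so repeats stay quiet.

```python
"""Added example (not from the thread): build a dynamic MAC baseline from an ISE
endpoint export, then alert once per never-seen MAC that shows up in MAB syslog.

Assumptions (hypothetical, adjust to your own formats):
  * export CSV has columns MACAddress and ElapsedDays (days since the endpoint
    record was created);
  * MAB syslog lines contain "Calling-Station-ID=<mac>" and, for unknown hosts
    that were authorized via the "continue" option, the text
    "Subject not found in the applicable identity store(s)".
"""
import csv
import io
import re
from dataclasses import dataclass, field

MAC_RE = re.compile(r"Calling-Station-ID=([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})")
UNKNOWN_HOST = "Subject not found in the applicable identity store"


def norm_mac(mac: str) -> str:
    """Canonical form so AA-BB-... and aa:bb:... compare equal."""
    return mac.upper().replace("-", ":")


@dataclass
class NewMacMonitor:
    known: set = field(default_factory=set)

    def load_export(self, csv_text: str, max_age_days: int) -> list:
        """Seed the baseline from an endpoint export.

        Returns the MACs whose record is at most max_age_days old, i.e. the
        'recently created' list you would review by hand from the report.
        """
        recent = []
        for row in csv.DictReader(io.StringIO(csv_text)):
            mac = norm_mac(row["MACAddress"])
            self.known.add(mac)
            if int(row["ElapsedDays"]) <= max_age_days:
                recent.append(mac)
        return recent

    def process_syslog(self, line: str):
        """Return the MAC if this is an unknown-host MAB event for a MAC never
        seen before, otherwise None. A new MAC is learned so it alerts once."""
        if UNKNOWN_HOST not in line:
            return None
        m = MAC_RE.search(line)
        if not m:
            return None
        mac = norm_mac(m.group(1))
        if mac in self.known:
            return None
        self.known.add(mac)
        return mac


# Constructed sample data (not real ISE output).
SAMPLE_EXPORT = """MACAddress,EndPointPolicy,ElapsedDays
00:11:22:33:44:55,Cisco-IP-Phone,120
AA:BB:CC:DD:EE:01,Workstation,45
AA:BB:CC:DD:EE:02,Unknown,1
"""

SAMPLE_SYSLOG = [
    # known phone, normal authentication: ignored
    "CISE_Passed_Authentications Calling-Station-ID=00-11-22-33-44-55 Authentication succeeded",
    # unknown host, but the MAC is already in the export: not new
    "CISE_Passed_Authentications Calling-Station-ID=AA-BB-CC-DD-EE-02 Subject not found in the applicable identity store(s)",
    # unknown host, never seen: alert
    "CISE_Passed_Authentications Calling-Station-ID=DE-AD-BE-EF-00-01 Subject not found in the applicable identity store(s)",
    # same MAC again: already learned, no second alert
    "CISE_Passed_Authentications Calling-Station-ID=DE-AD-BE-EF-00-01 Subject not found in the applicable identity store(s)",
]


def run_demo():
    """Seed from the export (7-day window), then replay the sample syslog."""
    mon = NewMacMonitor()
    recent = mon.load_export(SAMPLE_EXPORT, max_age_days=7)
    alerts = []
    for line in SAMPLE_SYSLOG:
        mac = mon.process_syslog(line)
        if mac:
            alerts.append(mac)
    return recent, alerts


if __name__ == "__main__":
    recent, alerts = run_demo()
    print("created in last 7 days:", recent)
    print("new MACs from syslog:", alerts)
```

Two caveats for a visibility-only deployment: the baseline keys on the MAC alone, so a spoofed MAC of a known endpoint will never alert, and the "known" set should be persisted (a file or small database) so the learned list survives restarts of the script.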
