11-08-2022 06:25 AM
Hello All,
From my understanding of the documentation, CDP/LLDP would not be allowed until a port is authenticated when in closed mode. Low-impact mode can be used for DHCP/DNS etc., but with CDP/LLDP being a layer 2 protocol, what options do we have if using it for profiling?
Or should I try to use DHCP for profiling for this reason?
KT
11-14-2022 06:46 PM
Chapter 23 Closed Mode of the book Cisco ISE for BYOD and Secure Unified Access has a figure showing EAP and CDP allowed before authentication.
11-08-2022 06:52 AM
@KatherineTran you'll get more information about the connected endpoints if you use CDP, LLDP and DHCP via device sensor.
On ISE you can configure a Change of Authorisation (CoA) to be sent when a device is matched against a new profile; this can be enabled globally or per profile. Therefore, when the device connects for the first time, once it is profiled a CoA is automatically sent and the device re-runs through authorisation and potentially matches a different authorisation rule.
11-10-2022 02:21 AM
Hi Rob,
I believe dot1x in closed mode will not allow CDP/LLDP/DHCP to function and therefore profile the device initially, so it will not be able to get to that state?
Thanks
KT
11-10-2022 03:30 AM
@KatherineTran correct, CDP/LLDP/DHCP are only sent if the interface is authenticated/authorised.
Even if the device fails to authenticate, at a minimum ISE should be able to determine the vendor by the MAC OUI and create a database entry. When a device does successfully authenticate/authorise, ISE will learn more information from CDP/LLDP, and the endpoint profile is updated.
Regardless, in an ISE deployment you'd normally start in open/monitor mode, so the endpoints should already be profiled before moving to closed mode.
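As an added illustration, not taken from any post in this thread, the following Cisco IOS (classic authentication syntax) switch configuration puts the points above side by side: device sensor forwarding CDP/LLDP/DHCP attributes to ISE in RADIUS accounting, one port in low-impact mode with a pre-auth ACL that only lets DHCP and DNS through, and one port in closed mode where data traffic is blocked until authorisation succeeds. Interface names, filter-list names and the ACL name are placeholders, and AAA/RADIUS towards ISE is assumed to be configured already.

```cisco
! Device sensor: collect selected CDP/LLDP/DHCP TLVs and send them to ISE in RADIUS accounting
device-sensor filter-list cdp list DS-CDP
 tlv name device-name
 tlv name platform-type
device-sensor filter-list lldp list DS-LLDP
 tlv name system-name
 tlv name system-description
device-sensor filter-list dhcp list DS-DHCP
 option name host-name
 option name class-identifier
device-sensor filter-spec cdp include list DS-CDP
device-sensor filter-spec lldp include list DS-LLDP
device-sensor filter-spec dhcp include list DS-DHCP
device-sensor accounting
device-sensor notify all-changes
radius-server vsa send accounting
!
! Pre-auth ACL for low-impact mode: only DHCP and DNS are allowed before authorisation
ip access-list extended ACL-DEFAULT
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny ip any any log
!
! Low-impact mode: "authentication open" keeps the port open, and ACL-DEFAULT limits
! pre-auth traffic to DHCP/DNS; ISE replaces it with a dACL once the device is authorised
interface GigabitEthernet1/0/1
 switchport mode access
 ip access-group ACL-DEFAULT in
 authentication open
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
! Closed mode: identical except there is no "authentication open" and no pre-auth ACL,
! so data traffic is dropped until ISE returns an authorisation result
interface GigabitEthernet1/0/2
 switchport mode access
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
```

Verify what the switch actually collected and forwarded with `show device-sensor cache all` and the RADIUS accounting records seen in ISE Live Logs.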