
LLDP & CDP Closed DOT1X Mode

KatherineTran
Level 1

Hello All,

From my understanding of the documentation, CDP/LLDP would not be allowed until a port is authenticated when in closed mode. Low impact mode can be used for DHCP/DNS etc., but CDP/LLDP being a layer 2 protocol, what options do we have if using it for profiling?

Or should I try to use DHCP for profiling for this reason?

KT

1 Accepted Solution

Accepted Solutions

hslai
Cisco Employee

Chapter 23, Closed Mode, of the book Cisco ISE for BYOD and Secure Unified Access has a figure showing EAP and CDP allowed before authentication.


4 Replies

@KatherineTran you'll get more information of the connected endpoints if you use CDP, LLDP and DHCP via device sensor.

On ISE you can configure a Change of Authorisation (CoA) to be sent when a device is matched against a new profile; this can be enabled globally or per profile. So when the device connects for the first time, once profiled, a CoA is automatically sent and the device re-runs through authorisation and potentially matches a different authorisation rule.
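An added example of the device sensor plus profiling-CoA setup described above, for IOS/IOS-XE; it is not configuration from this thread or from Cisco's documentation, and the filter-list names, interface and RADIUS server name are assumptions. The port is shown in monitor (open) mode first, since in closed mode the sensor data only reaches ISE after the session is authorised.

```cisco
! --- Device sensor: pick the CDP/LLDP/DHCP attributes worth sending to ISE
device-sensor filter-list cdp list ISE-CDP
 tlv name device-name
 tlv name platform-type
device-sensor filter-list lldp list ISE-LLDP
 tlv name system-name
 tlv name system-description
device-sensor filter-list dhcp list ISE-DHCP
 option name host-name
 option name class-identifier
 option name client-identifier
device-sensor filter-spec cdp include list ISE-CDP
device-sensor filter-spec lldp include list ISE-LLDP
device-sensor filter-spec dhcp include list ISE-DHCP
! Ship the collected attributes in RADIUS accounting and resend on every change,
! so the ISE RADIUS profiler probe sees new TLVs as soon as the switch learns them
device-sensor accounting
device-sensor notify all-changes
!
! --- AAA: accounting carries the sensor data; CoA lets ISE re-authorise the port
aaa new-model
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
aaa accounting update newinfo periodic 2880
radius-server vsa send accounting
radius-server vsa send authentication
aaa server radius dynamic-author
 client 10.0.0.10 server-key ISE-SHARED-SECRET   ! placeholder PSN address/key
!
! --- Access port, phase 1 (monitor mode): "authentication open" lets CDP/LLDP/DHCP
! flow before auth, so endpoints get profiled from day one. Remove that line
! for closed mode once the endpoint database is populated.
interface GigabitEthernet1/0/1
 switchport mode access
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 mab
 dot1x pae authenticator
```

On the ISE side the matching piece is Administration > System > Settings > Profiling with CoA type set to Reauth (or per-profile "Create an Identity Group"/CoA on the profiler policy), and the RADIUS probe enabled on the PSN; "show device-sensor cache interface Gi1/0/1" confirms what the switch has learned.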

Hi Rob,

I believe dot1x in closed mode will not allow CDP/LLDP/DHCP to function, and therefore profile the device initially, so it will not be able to get to that state?

Thanks

KT

@KatherineTran correct, CDP/LLDP/DHCP is only sent if the interface is authenticated/authorised.

Even if the device fails to authenticate, at a minimum ISE should be able to determine the vendor by the MAC OUI and create a database entry. When a device does successfully authenticate/authorise, ISE will learn more information from CDP/LLDP, and the endpoint profile is updated.

Regardless, in an ISE deployment you'd normally start in open/monitor mode, so the endpoints should already be profiled before moving to closed mode.
