05-11-2025 12:27 AM
Hello,
I have an issue with APs: during NAC implementation on the port, they should first get profiled by sending device-sensor attributes to ISE; once they get profiled they should do CoA and hit the rule that allows them communication to the WLC, and then once they get EAP-FAST credentials they should authenticate via dot1x.
However, it seems like even though I created a catch-all profiling rule for these APs, their MAC is not being added to the Internal Endpoints database / Context Visibility database, hence I can't see if ISE receives the device-sensor attributes to profile the AP. From the switch perspective I can see the device-sensor cache on the port; here is a snippet of it that I use to assign the profile for a specific AP:
CDP 6:platform-type 20 00 06 00 14 63 69 73 63 6F ....cisco
20 43 39 31 33 30 41 58 45 C9130AXE
2D 45 -E
This issue basically ruins the whole idea of an automated process of performing NAC on the AP port: getting initial profiling, then getting a dACL towards the WLC CAPWAP, and then receiving dot1x EAP-FAST credentials for full access.
Kindly asking for your opinion on this
05-11-2025 02:58 PM
This should work, if the MAB Authentication is working, and Profiling is doing its job. What version & patch of ISE?
Do you not see the endpoint at all in Context Visibility? Do you see the MAB request in Live Logs?
If answer is no to the above, then have you seen the RADIUS MAB request in a tcpdump to the switch's ISE server?
I have recently seen a case in ISE 3.2 where an endpoint is MAB'd successfully (I can see it in Live Logs) but the endpoint is neither in Context Visibility, nor is it in the endpoint database (PAN node, "application configure ise" and then by selecting the option to "Get all endpoints"). We did a Reset Context Visibility and Resync, but the endpoint doesn't appear. I suggested to the customer to open a TAC case.
05-12-2025 02:06 PM
Yes, I see both MAB/dot1x as we run them concurrently. Last week we were doing the resync of the monitoring nodes, as we were having some issues with NMAP scans.
Even more interesting is that in MAB auth attempts initially there was no CiscoAVPair with all the cdp and lldp attributes, but after some auth restarts, as the suppression of 10 minutes ended, it started sending CiscoAVPair with all the cdp/lldp TLV attributes. Even though it contains the cdpCachePlatform, ISE still does not profile the endpoint correctly.
Seems like an unusual issue. I tested also scenario with the profiling catch-all rule and without. Either way I can see cdp/lldp attributes in CiscoAvPair after some time but still the profiling is not happening.
We are running ISE 3.3.5
05-12-2025 02:08 PM
I even created a separate profiling rule that matches on cdpCachePlatform and gives 200 points, but still no luck with this. I was also thinking about the Endpoint Attribute Filter that is enabled, but as this attribute is used in a profiling rule it shouldn't be suppressed, I think.
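To check that the cached CDP TLV really carries the value a cdpCachePlatform rule would match on, the pasted "show device-sensor cache" rows from the first post can be reassembled and decoded offline. The script below is an added example, not code from the thread or from Cisco; the mapping of CDP TLV types other than platform-type (6) to ISE attribute names is assumed, and the "CONTAINS" check only mirrors the shape of an ISE profiling condition.

```python
import re

# Constructed sample: the "show device-sensor cache" rows quoted in the thread,
# including the ASCII gutter that IOS prints to the right of each hex row.
SAMPLE_CACHE = """\
CDP 6:platform-type 20 00 06 00 14 63 69 73 63 6F ....cisco
20 43 39 31 33 30 41 58 45 C9130AXE
2D 45 -E
"""

# CDP TLV type -> ISE endpoint attribute name. Only platform-type (6) is
# named in the thread; the other entries are assumed for illustration.
CDP_TLV_TO_ISE_ATTR = {1: "cdpCacheDeviceId", 3: "cdpCacheDevicePort",
                       5: "cdpCacheVersion", 6: "cdpCachePlatform"}

HEADER_RE = re.compile(
    r"^(?P<proto>CDP|LLDP)\s+(?P<type>\d+):(?P<name>\S+)\s+(?P<len>\d+)\s+(?P<rest>.*)$")
HEX_BYTE_RE = re.compile(r"^[0-9A-Fa-f]{2}$")


def _hex_bytes(fragment):
    """Collect leading two-digit hex tokens; the first non-hex token starts the gutter."""
    out = bytearray()
    for tok in fragment.split():
        if not HEX_BYTE_RE.match(tok):
            break
        out.append(int(tok, 16))
    return out


def parse_device_sensor_cache(text):
    """Reassemble each cached TLV from the pasted rows and decode its CDP header."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            entries.append({"proto": m["proto"], "tlv_type": int(m["type"]),
                            "name": m["name"], "declared_len": int(m["len"]),
                            "raw": _hex_bytes(m["rest"])})
        elif entries and line.strip():
            entries[-1]["raw"] += _hex_bytes(line)  # wrapped continuation row
    for e in entries:
        raw = bytes(e["raw"])
        # CDP TLV layout: 2-byte type, 2-byte length (header included), then value
        wire_type = int.from_bytes(raw[0:2], "big")
        wire_len = int.from_bytes(raw[2:4], "big")
        e["value"] = raw[4:wire_len].decode("ascii", errors="replace")
        e["ise_attr"] = CDP_TLV_TO_ISE_ATTR.get(e["tlv_type"])
        # A mismatch here means the paste was truncated or wrapped mid-byte.
        e["consistent"] = (wire_type == e["tlv_type"]
                           and wire_len == e["declared_len"] == len(raw))
    return entries


def attribute_contains(entries, ise_attr, needle):
    """Mirror an ISE profiling condition of the form '<attr> CONTAINS <needle>'."""
    return any(e["ise_attr"] == ise_attr and e["consistent"] and needle in e["value"]
               for e in entries)
```

Running `parse_device_sensor_cache(SAMPLE_CACHE)` on the thread's rows yields a single consistent entry whose cdpCachePlatform value is "cisco C9130AXE-E", so a rule matching on that attribute has the right input as far as the switch cache is concerned.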