Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
537
Views
5
Helpful
2
Replies

Profiling a Device Before Assigning it an IP Address Question

Go to solution
marceta
Cisco Employee
Cisco Employee

‎03-24-2019 07:24 PM

Hi Team,

 

We have a large banking customer in Singapore where we are looking to displace ForeScout. Essentially they want to profile IOT devices without them ever getting an IP address first. Traditionally with dot1x the device would have access to DHCP/DNS/EAPoL but the customer wants no connectivity until after the device is profiled. If we can't do that then they will keep ForeScout.

 

We think that using Device Sensor will achieve this. We are using the following document as reference - https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200292-Configure-Device-Sensor-for-ISE-Profilin.html

 

Basically with the above we think the Cisco switch will use MAC/LLDP/CDP/etc to gather info on the port, but the switch itself is the NAS talking to ISE. NAS IP is 10.229.20.43 but we can not confirm this is the switch IP and not the host IP.

 

It looks like the device on the switchport will not have an IP address as per below

piborowi#show authentication sessions int g1/0/13 details
            Interface:  GigabitEthernet1/0/13
          MAC Address:  20bb.c0de.06ae
         IPv6 Address:  Unknown
         IPv4 Address:  Unknown

 

Can we confirm that with a device sensor we can profile a device before it has any connectivity/IP? If not, is there a way we can achieve this? 

 

Regards,

Pete

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎03-24-2019 09:00 PM

Hi

You can use device-sensors to profile your devices.
By viewing the device sensor cache you'll be able to see what attributes are visible using this method (command show in your link).
Also you can see what attributes are collected by ise for this device info context-visibility for validation or you can run a tcpdump on ise to see all attributes received and try to make your own profiler rule.
If you don't authorize dhcp before authentication (no pre-auth acl allowing dhcp). If so, only once it get profiled you can push a dacl authorizing dhcp to this guy

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

2 Replies 2

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎03-24-2019 09:00 PM

Hi

You can use device-sensors to profile your devices.
By viewing the device sensor cache you'll be able to see what attributes are visible using this method (command show in your link).
Also you can see what attributes are collected by ise for this device info context-visibility for validation or you can run a tcpdump on ise to see all attributes received and try to make your own profiler rule.
If you don't authorize dhcp before authentication (no pre-auth acl allowing dhcp). If so, only once it get profiled you can push a dacl authorizing dhcp to this guy

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Go to solution
marceta
Cisco Employee
Cisco Employee
In response to Francesco Molino

‎03-27-2019 06:55 PM

Thanks for confirming mate!

0 Helpful
Customers Also Viewed These Support Documents