
03-12-2018 07:11 AM - edited 02-21-2020 10:48 AM
Hi All,
What are the recommended probes which need to be enabled for profiling?
Also, what is the best way to authenticate & authorize the Avaya phones?
Labels: Other NAC
Accepted Solutions

03-12-2018 08:39 AM - edited 03-13-2018 12:38 AM
Hi Karry,
My two cents - use DHCP for IP phones (as an alternative to CDP).
- Just place an extra IP helper command (for each PSN) on the SVI for the voice VLAN.
- Make sure that any endpoint having an Avaya OUI gets placed in the voice VLAN + gets a dACL which allows it only DHCP access (so you don't end up having a chicken-and-egg issue, i.e. the phone does not get any IP because it needs to be placed in the voice VLAN first to be profiled as a phone :) )
- Once it gets an IP, ISE will 'see' its DHCP class id and will profile it accordingly.
If it sounds too difficult, it's not. You can configure it multiple ways:
a) Just create a specific MAB authorization where the radius username starts with "YOUR_AVAYA_OUI" (from experience, you'll have max. 10 different OUIs, MACs)
Authorization profile = Voice VLAN permissions + dACL (DHCP only)
b) Create a second authorization rule: if MAB + profiling policy or group is Avaya_Phones
Authorization profile = Voice VLAN (no dACL = restriction lifted)
-------------------------
Alternative (same goal):
a) Create a parent profiling policy: if Avaya OUI => AVAYA_DEVICE
b) Create a child profiling policy: if Avaya DHCP class id => Avaya_Phone (assumes the fact that the parent condition has been satisfied)
Use the above profiling policies as:
Rule 1: if AVAYA_DEVICE => Voice VLAN + DHCP_dACL
Rule 2: if AVAYA_PHONE => Voice VLAN (no DHCP_dACL) - full access
Thanks,
Octavian
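The switch side of the two-stage approach described above, as an added example that is not part of Octavian's post. It is Cisco IOS CLI plus the dACL body that would be entered in the ISE authorization profile. The PSN addresses (10.0.0.11, 10.0.0.12), the DHCP server address, VLAN numbers, interface names, the dACL name AVAYA_DHCP_ONLY and the OUI placeholder YOUR_AVAYA_OUI are all assumptions; substitute your own.

```cisco
! ===== Access switch (Cisco IOS) - added example, addresses/VLANs assumed =====
!
! 1) Voice VLAN SVI: one ip helper-address per ISE PSN, in addition to the real
!    DHCP server, so the ISE DHCP probe sees the phone's Discover/Request and
!    the option 60 (class identifier) it carries.
interface Vlan200
 description VOICE
 ip address 10.200.0.1 255.255.255.0
 ip helper-address 10.200.0.10      ! real DHCP server (assumed)
 ip helper-address 10.0.0.11        ! ISE PSN 1 (assumed)
 ip helper-address 10.0.0.12        ! ISE PSN 2 (assumed)
!
! 2) Access port: 802.1X with MAB fallback. MAB sends the endpoint MAC as the
!    RADIUS User-Name, which is what the OUI "starts with" rule matches on.
!    multi-domain allows one voice session and one data session on the port.
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 100
 switchport voice vlan 200
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
! 3) CoA must be allowed from each PSN, otherwise the endpoint stays in stage 1
!    after the profiler reclassifies it as a phone (assumed shared key).
aaa server radius dynamic-author
 client 10.0.0.11 server-key ISE-KEY
 client 10.0.0.12 server-key ISE-KEY
!
! ===== ISE side (not switch config) =====
!
! dACL "AVAYA_DHCP_ONLY" - body entered in the ISE authorization profile.
! Client sends from UDP 68 (bootpc) to UDP 67 (bootps); nothing else passes,
! so an OUI-only match (trivially spoofable) grants no real network access.
permit udp any eq bootpc any eq bootps
deny ip any any
!
! Authorization policy (MAB), first match wins, so the profiled rule sits ABOVE
! the OUI rule:
!   Rule 1: EndPoints:EndPointPolicy EQUALS Avaya_Phone
!           -> Voice Domain Permission, no dACL (full access)
!   Rule 2: Radius:User-Name STARTSWITH "YOUR_AVAYA_OUI"
!           (or EndPoints:EndPointPolicy EQUALS AVAYA_DEVICE)
!           -> Voice Domain Permission + dACL AVAYA_DHCP_ONLY
! In the Avaya_Phone profiling policy set "Associated CoA Type" to Reauth so
! ISE pushes the endpoint from rule 2 to rule 1 as soon as the DHCP class
! identifier is seen.
```

Two things to check before relying on the OUI rule: the MAC format the switch places in User-Name (separators and case) must match the string you put in the STARTSWITH condition, and the DHCP-only dACL is what keeps the OUI rule from being a free ticket onto the voice VLAN, so do not loosen it "temporarily" for troubleshooting.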

03-12-2018 08:40 PM
Believe it or not, there is no option to disable profiling on an ISE PSN. Even if you do not enable profiling under the PSN services, it will still perform RADIUS profiling. And all of this works even if you don't have a Plus License installed. Why, you ask? Because Cisco WLCs and IOS switches have a feature called Device Sensor, which (when enabled) will send DHCP and HTTP data in RADIUS Accounting messages as a Cisco AVPair, which ISE then processes and uses to populate the database about that endpoint. It means you don't have to use IP helpers and HTTP probes on ISE; you can get all that information from the RADIUS accounting messages.
Therefore if you want OUI&DHCP&HTTP profiling for free, then you simply need to enable your NAS to send that stuff in Radius Accounting. It might be more efficient than sending the DHCP to the PSN.
As for the profiling authorization rules - for that you will need a Plus license of course.
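The Device Sensor configuration this reply refers to, as an added example that is not part of the post. It is Cisco IOS CLI for an access switch and collects the DHCP options and CDP/LLDP TLVs that the ISE built-in profiling policies use, then ships them to ISE inside RADIUS Accounting; with this in place the extra ip helper-address entries for the PSNs are not needed. The list names (DS-DHCP, DS-CDP, DS-LLDP) and the RADIUS server group name ISE are assumptions; aaa new-model and the RADIUS server group are assumed to exist already.

```cisco
! ===== Access switch (Cisco IOS) - Device Sensor, added example =====
!
! Only forward the attributes profiling actually uses. Filtering keeps the
! accounting packets small and avoids sending every DHCP option ISE ignores.
device-sensor filter-list dhcp list DS-DHCP
 option name host-name
 option name class-identifier      ! DHCP option 60, the Avaya class id
 option name client-identifier
device-sensor filter-spec dhcp include list DS-DHCP
!
device-sensor filter-list cdp list DS-CDP
 tlv name device-name
 tlv name platform-type
device-sensor filter-spec cdp include list DS-CDP
!
device-sensor filter-list lldp list DS-LLDP
 tlv name system-name
 tlv name system-description
device-sensor filter-spec lldp include list DS-LLDP
!
! Send an accounting update whenever a sensed attribute changes, not only at
! session start, so a phone that obtains its lease later is still re-profiled.
device-sensor notify all-changes
device-sensor accounting
!
! None of the above reaches ISE unless RADIUS accounting is on for the sessions
! (group name assumed). The periodic update is a safety net for long sessions.
aaa accounting dot1x default start-stop group ISE
aaa accounting update newinfo periodic 2880
!
! ISE side: the RADIUS probe on the PSN must be enabled (it is by default);
! the cisco-av-pair values arrive in Accounting-Request and feed the same
! endpoint attributes the DHCP/CDP/LLDP probes would have populated.
```

Verify with `show device-sensor cache interface GigabitEthernet1/0/5` on the switch and with the endpoint's attribute list in ISE (Context Visibility) after the phone has obtained a lease; if the class identifier appears in the sensor cache but not in ISE, the accounting path is the place to look, not the profiler.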
