12-16-2019 10:39 PM
Hello
I have a customer who wants to discover what devices are connected to his switches. They already have ISE 2.6.
They have not enabled their switches with 802.1X ... yet.
I proposed that they allow ISE to probe one switch using SNMP - but I noticed in my lab that it only collects CDP/LLDP/ARP information of connected devices.
What about the Windows workstations attached? Would I need to enable DHCP Snooping on the switch to provide that data into the SNMP MIB? Or do I also need to enable Device Sensor? Remember that I don't want to enable 802.1X for the purpose of discovery - I want to use SNMP as much as possible. I don't have Device Sensor enabled in my lab - if anyone has a clue about this please let me know. The customer wants to do 802.1X eventually but is first scoping out the landscape to see what they are in for.
There is the Profile Manual Scan option - but this is by IP subnet (not by switch) - I want to be able to limit this to a specific switch.
regards
Arne
Solved! Go to Solution.
12-17-2019 09:46 AM
With just SNMP polling, ISE will grab the MAC addresses and only be able to profile based on the MAC OUI for those Windows machines, which as you know doesn't help much. To really be able to determine whether it is Windows or not, you need the DHCP information. I doubt that DHCP Snooping would populate any MIBs with DHCP Class Identifiers or similar for ISE to pull so you would need device sensor. SNMP is pulling basic information.
12-17-2019 01:32 PM
@Colby LeMaire wrote:
With just SNMP polling, ISE will grab the MAC addresses and only be able to profile based on the MAC OUI for those Windows machines, which as you know doesn't help much. To really be able to determine whether it is Windows or not, you need the DHCP information. I doubt that DHCP Snooping would populate any MIBs with DHCP Class Identifiers or similar for ISE to pull so you would need device sensor. SNMP is pulling basic information.
What about forwarding with ip helper to ISE? With the IP ARP and DNS probes it might work? I am not sure though. You'd still need MAB enabled in monitor mode and have a RADIUS session, right?
12-18-2019 03:19 AM
Hi @Jason Kunst
Your suggestion was spot on!
Thanks. I configured ip helper on one VLAN to point to the ISE PSN and enabled DHCP profiling on that PSN.
I was able to glean hostname and some other stuff that gave me a rough idea of the OS type as well. In my case, Windows-Workstation (based on the MSFT string courtesy of DHCP).
At this point I wanted more details about the OS and I considered fiddling with the Cisco-provided Profiler Policies to force an NMAP OS scan when it met the condition for Windows-Workstation.
But I took the easier approach to enable Active Directory Profiling option on that PSN. Now I can see it's a Windows-10 workstation.
Lesson learned: as @Colby LeMaire correctly pointed out, SNMP probing only gets you so far. It doesn't tap into the DHCP snooping binding table, nor does it seem to integrate with the Device Sensor cache. This implies that, if you want only visibility of connected endpoints, and you want to see devices that do not use CDP/LLDP (e.g. workstations, printers, etc.), then you need to push DHCP discovery messages to ISE to glean that info. And finish off the job with an Active Directory profiling task to refine the results. I guess you could throw in an NMAP scan too, if you need data on non-AD-joined machines.
Possibilities are almost endless. :-)
thanks!
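The post above describes the data that reached ISE once the SVI had `ip helper-address <PSN IP>` pointing at the PSN (in addition to the real DHCP server, since the PSN only listens and never hands out leases) and the DHCP probe was enabled on that PSN. The following is an added example, not code from the thread or from Cisco: it builds a constructed DHCPDISCOVER, decodes the options the ISE DHCP probe keys on (12 host-name, 60 dhcp-class-identifier, 55 dhcp-parameter-request-list) and contrasts what SNMP-only polling gives you (a MAC and an OUI vendor guess) with what the forwarded DHCP packet gives you. The OUI table, the hostname, the MAC and the simplified "class identifier contains MSFT" rule are all assumptions standing in for ISE's own OUI database and profiler policies.

```python
"""
Added example (not from the thread or from Cisco ISE): decode the DHCP options
that the ISE DHCP probe uses, to show why a DHCPDISCOVER forwarded by
'ip helper-address' identifies a Windows host when SNMP-polled MAC/OUI data
cannot. Everything below (packet, OUI table, rule) is constructed for the example.
"""
import struct

# Tiny OUI table, constructed for the example (ISE ships a full IEEE list).
OUI_TABLE = {
    "00:50:56": "VMware",
    "3c:52:82": "Hewlett Packard",
}

# Option 55 list typically sent by Windows 10 clients; used here as sample input.
WINDOWS_PRL = bytes([1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252])


def build_dhcp_discover(mac: bytes, hostname: str, class_id: str, prl: bytes) -> bytes:
    """Construct a BOOTP/DHCP DISCOVER carrying options 53, 12, 60 and 55 (test input)."""
    xid = 0x3903F326
    # op=1 (BOOTREQUEST), htype=1 (Ethernet), hlen=6, hops=0, xid, secs, flags(broadcast), 4 zero addrs
    header = struct.pack("!BBBBIHHIIII", 1, 1, 6, 0, xid, 0, 0x8000, 0, 0, 0, 0)
    header += mac + b"\x00" * 10            # chaddr is a fixed 16-byte field
    header += b"\x00" * 64 + b"\x00" * 128  # sname and file, unused here
    options = b"\x63\x82\x53\x63"           # DHCP magic cookie
    options += bytes([53, 1, 1])            # DHCP Message Type = DISCOVER
    options += bytes([12, len(hostname)]) + hostname.encode()
    options += bytes([60, len(class_id)]) + class_id.encode()
    options += bytes([55, len(prl)]) + prl
    options += b"\xff"                      # end option
    return header + options


def parse_dhcp(pkt: bytes) -> dict:
    """Return the profiler-relevant attributes of a DHCP packet, keyed like ISE names them."""
    if len(pkt) < 240 or pkt[236:240] != b"\x63\x82\x53\x63":
        raise ValueError("not a DHCP packet")
    hlen = pkt[2]
    attrs = {"mac": ":".join(f"{b:02x}" for b in pkt[28:28 + hlen])}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:          # end of options
            break
        if code == 0:            # pad byte, no length field
            i += 1
            continue
        if i + 1 >= len(pkt):    # truncated option header
            break
        length = pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        i += 2 + length
        if code == 53:
            attrs["dhcp-message-type"] = value[0]
        elif code == 12:
            attrs["host-name"] = value.decode(errors="replace")
        elif code == 60:
            attrs["dhcp-class-identifier"] = value.decode(errors="replace")
        elif code == 55:
            attrs["dhcp-parameter-request-list"] = ",".join(str(b) for b in value)
    return attrs


def profile_by_oui(mac: str) -> str:
    """What SNMP polling alone yields: a vendor guess from the first three octets."""
    return OUI_TABLE.get(mac[:8], "Unknown")


def profile_with_dhcp(attrs: dict) -> str:
    """Simplified stand-in for an ISE Windows-Workstation rule: class identifier contains MSFT."""
    if "MSFT" in attrs.get("dhcp-class-identifier", ""):
        return "Windows-Workstation"
    return f"{profile_by_oui(attrs['mac'])}-Device"


def demo() -> dict:
    """Run the comparison on a constructed packet from a VMware-OUI Windows guest."""
    pkt = build_dhcp_discover(bytes.fromhex("005056aabbcc"), "LAB-PC01", "MSFT 5.0", WINDOWS_PRL)
    attrs = parse_dhcp(pkt)
    attrs["snmp_only_profile"] = profile_by_oui(attrs["mac"])
    attrs["dhcp_profile"] = profile_with_dhcp(attrs)
    return attrs


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:28} {v}")
```

The same MAC that SNMP polling reduces to "VMware" becomes a named Windows workstation once option 60 and 12 are visible, which is exactly the jump the post describes. Note that the helper-address copy only carries client-to-server broadcasts, so the PSN sees DISCOVER/REQUEST but not the server's OFFER/ACK, which is sufficient for profiling.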
12-18-2019 01:30 PM
Thanks @Jason Kunst, but I have a lot of grey areas in my ISE knowledge - I think I have grasped profiling a bit better now. Even with the Community, I find it helps to struggle through these things in order to learn them inside out - learning by doing.
BTW: Don't ask me anything about Posture. Never needed it, and I have zero interest in it. But there may come a time ... :-p