Switch Device Discovery Using ISE SNMP Profiling

Arne Bier
VIP

Hello

 

I have a customer who wants to discover what devices are connected to his switches. They already have ISE 2.6

They have not enabled their switches with 802.1X ... yet.

 

I proposed that they allow ISE to probe one switch using SNMP - but I noticed in my lab that it only collects CDP/LLDP/ARP information of connected devices.

 

What about the Windows workstations attached? Would I need to enable DHCP Snooping on the switch to provide that data into the SNMP MIB? Or do I also need to enable Device Sensor? Remember that I don't want to enable 802.1X for the purpose of discovery - I want to use SNMP as much as possible. I don't have Device Sensor enabled in my lab - if anyone has a clue about this please let me know. The customer wants to do 802.1X eventually but is first scoping out the landscape to see what they are in for.

 

There is the Profile Manual Scan option - but this is by IP subnet (not by switch) - I want to be able to limit this to a specific switch.

 

regards

Arne

 

5 Replies

Colby LeMaire
VIP Alumni

With just SNMP polling, ISE will grab the MAC addresses and only be able to profile based on the MAC OUI for those Windows machines, which as you know doesn't help much.  To really be able to determine whether it is Windows or not, you need the DHCP information.  I doubt that DHCP Snooping would populate any MIBs with DHCP Class Identifiers or similar for ISE to pull so you would need device sensor.  SNMP is pulling basic information.


@Colby LeMaire wrote:

With just SNMP polling, ISE will grab the MAC addresses and only be able to profile based on the MAC OUI for those Windows machines, which as you know doesn't help much.  To really be able to determine whether it is Windows or not, you need the DHCP information.  I doubt that DHCP Snooping would populate any MIBs with DHCP Class Identifiers or similar for ISE to pull so you would need device sensor.  SNMP is pulling basic information.


What about forwarding ip helper to ISE? With ip arp and the DNS probe it might work? I am not sure though. You'd still need MAB enabled with monitor mode and have a RADIUS session, right?

Hi @Jason Kunst 

 

Your suggestion was spot on!

 

Thanks. I configured ip helper on one VLAN to point to the ISE PSN and enabled DHCP profiling on that PSN.

 

I was able to glean hostname and some other stuff that gave me a rough idea of the OS type as well. In my case, Windows-Workstation (based on the MSFT string courtesy of DHCP). 

At this point I wanted more details about the OS and I considered fiddling with the Cisco-provided Profiler Policies to force an NMAP OS scan when it met the condition for Windows-Workstation.

But I took the easier approach to enable Active Directory Profiling option on that PSN. Now I can see it's a Windows-10 workstation.

 

Lesson learned: as @Colby LeMaire correctly pointed out, SNMP probing only gets you so far. It doesn't tap into the DHCP snooping bindings table, nor does it seem to integrate with the Device Sensor cache. This implies that, if you want only visibility of connected endpoints, and you want to see devices that do not use CDP/LLDP (e.g. workstations, printers, etc.), then you need to push DHCP discovery messages to ISE to glean that info, and finish off the job with an Active Directory profiling task to refine the results. I guess you could throw in an NMAP scan too, if you need data on non-AD-joined machines.

 

Possibilities are almost endless. :-)

 

thanks!
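To show what the DHCP probe actually has to work with once ip helper-address forwards DISCOVERs to the PSN, here is an added Python example (not Cisco or ISE code, and not from this thread) that parses the DHCP options field and pulls out the client hostname and the MSFT vendor class string the reply above relied on. The DISCOVER payload is constructed, and the "MSFT means Windows" rule is a simplified assumption standing in for ISE's real profiler conditions.

```python
"""DHCP option parser showing what an ISE DHCP probe learns from a forwarded
DISCOVER (added example, not Cisco or ISE code)."""
MAGIC_COOKIE = b"\x63\x82\x53\x63"

def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the DHCP options field into {option_code: raw_bytes}."""
    if not payload.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, len(MAGIC_COOKIE)
    while i < len(payload):
        code = payload[i]
        if code == 0:  # PAD option, single byte
            i += 1
            continue
        if code == 255:  # END option
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts

def profile_from_options(opts: dict) -> dict:
    """Derive the attributes the thread relies on: hostname (option 12),
    vendor class (option 60) and the parameter request list (option 55)."""
    hostname = opts.get(12, b"").decode("ascii", "replace")
    vendor = opts.get(60, b"").decode("ascii", "replace")
    prl = ",".join(str(b) for b in opts.get(55, b""))
    # Coarse OS guess (assumption): an "MSFT ..." vendor class is what the thread saw for Windows.
    os_family = "Windows" if vendor.startswith("MSFT") else "Unknown"
    return {"hostname": hostname, "vendor_class": vendor,
            "param_request_list": prl, "os_family": os_family}

# Constructed sample DISCOVER options (not captured from a real network).
SAMPLE_OPTIONS = (
    MAGIC_COOKIE
    + b"\x35\x01\x01"                  # option 53: DHCP message type = DISCOVER
    + b"\x0c\x07WKSTN01"               # option 12: client hostname
    + b"\x3c\x08MSFT 5.0"              # option 60: vendor class identifier
    + b"\x37\x05\x01\x03\x06\x0f\x1f"  # option 55: parameter request list
    + b"\xff"                          # END
)

if __name__ == "__main__":
    print(profile_from_options(parse_dhcp_options(SAMPLE_OPTIONS)))
```

The parameter request list (option 55) is included because profilers use its ordering as an additional OS fingerprint beyond the vendor class string.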

Wow, I helped the master!!! :)

Thanks @Jason Kunst, but I have a lot of grey areas in my ISE knowledge - I think I have grasped profiling a bit better now. Even with the Community, I find it helps to struggle through these things in order to learn them inside out - learning by doing.

 

BTW: Don't ask me anything about Posture. Never needed it, and I have zero interest in it.  But there may come a time ... :-p