09-16-2019 07:27 AM
Working on an IBNS 2.0 setup and I have the VLAN ID being sent to ISE. I added the following command to the switch to get the VLAN information to show up in the authentication request:
mab request format attribute 32 vlan access-vlan
I also have the access-session authentication commands on the switch:
access-session attributes filter-list list Def_Auth_List
 vlan-id
access-session authentication attributes filter-spec include list Def_Auth_List
I can see the VLAN ID showing up in the authentication request details as a Cisco AV pair.
I see how I could use that information in a condition in the authorization phase. What I am unsure of is whether it is possible to use that information to profile a device, i.e. if vlan-id=29 then profile the device as a certain device type.
I don't see this information showing up under the attributes tab in Context Visibility so my guess would be this information can't be used in profiling. Can someone confirm?
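Before deciding whether ISE can consume the VLAN, it helps to confirm exactly where the switch places it in the RADIUS Access-Request. The following is an added example (not from the original post or from Cisco) that builds a constructed Access-Request and walks its attribute list, pulling the VLAN out of NAS-Identifier (attribute 32, which `mab request format attribute 32 vlan access-vlan` populates) and out of a Cisco vendor-specific AV pair. The packet bytes, the MAC address, and the AV-pair name `vlan-id=29` are constructed assumptions for the example; the same parser can be run over attributes copied from a packet capture to check what a real switch sends.

```python
import struct

# RADIUS attribute numbers and the Cisco VSA layout (RFC 2865 / RFC 2548 style)
NAS_IDENTIFIER = 32
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1          # vendor-type of "cisco-avpair"


def avp(attr_type, value):
    """Encode one plain attribute: type(1) length(1) value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text):
    """Encode a Cisco VSA carrying one cisco-avpair string."""
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_access_request(attributes):
    """Constructed Access-Request (code 1); the authenticator is zeroed."""
    body = b"".join(attributes)
    authenticator = bytes(16)   # not a real authenticator: sample only
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + authenticator + body


def parse_attributes(packet):
    """Return ({attr_type: [values]}, [cisco av-pair strings])."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet")
    plain, avpairs = {}, []
    pos = 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + l]
        is_cisco = (t == VENDOR_SPECIFIC and len(value) >= 6
                    and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID)
        if is_cisco:
            vpos = 4
            while vpos + 2 <= len(value):
                vt, vl = value[vpos], value[vpos + 1]
                if vl < 2 or vpos + vl > len(value):
                    raise ValueError("malformed Cisco sub-attribute")
                if vt == CISCO_AVPAIR:
                    avpairs.append(value[vpos + 2:vpos + vl].decode(errors="replace"))
                vpos += vl
        else:
            plain.setdefault(t, []).append(value)
        pos += l
    return plain, avpairs


def vlan_from_request(packet):
    """VLAN carried in the request, or None if neither location has it."""
    plain, avpairs = parse_attributes(packet)
    for pair in avpairs:                        # "vlan-id=29" style AV pair
        key, _, val = pair.partition("=")
        if key.strip() == "vlan-id" and val.strip().isdigit():
            return int(val)
    for raw in plain.get(NAS_IDENTIFIER, []):   # attribute 32 = access-vlan
        text = raw.decode(errors="replace")
        if text.isdigit():
            return int(text)
    return None


# Constructed sample request: MAB sends the MAC as User-Name; the VLAN is
# present both as NAS-Identifier and as a Cisco AV pair (name assumed).
SAMPLE_REQUEST = build_access_request([
    avp(1, b"0011.2233.4455"),
    avp(NAS_IDENTIFIER, b"29"),
    cisco_avpair("vlan-id=29"),
])

if __name__ == "__main__":
    attrs, pairs = parse_attributes(SAMPLE_REQUEST)
    print("cisco-avpair:", pairs)
    print("vlan:", vlan_from_request(SAMPLE_REQUEST))
```

The two lookups are deliberately separate: if the switch is only sending attribute 32, the AV-pair list comes back empty, which is what the authentication details page would show, and the function falls through to NAS-Identifier instead of silently reporting no VLAN.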
09-16-2019 07:38 AM
I am not sure if the information from the authentication request would be stored in a particular attribute that you can use for profiling. Never tried that before. My guess is that if it isn't showing up in Context Visibility, then it probably isn't getting stored. But I do know that you can profile based on VLAN assignment using the SNMP Probe. I usually don't like enabling the SNMP Probe, but I have had situations in the past in environments where static IPs were used and we needed to profile certain mission-specific systems. The only way we had to tell one mission system from another was by what VLAN they were on. That would be the SNMP::Vlan or Vlan Name attribute.
09-16-2019 08:25 AM
09-16-2019 08:32 AM
Yes, we have used it before. Not SNMP Trap, but SNMP Polling. It has been a while and was with ISE 1.0.4. It may be switch/IOS dependent. I will set it up in my lab today and post my results/screenshots.
09-17-2019 06:51 AM
I am unable to get it working using ISE 2.4 and a 2960L. Something must have changed within ISE since 1.0.4 related to storing the VLAN information from the SNMP Probe. That is unfortunate.