Cisco Employee

Visibility into Devices not Authenticated via ISE

I have a customer that would like to inventory their devices that connect to a PSK WLAN not tied to ISE in any way. The WLC is connected to ISE for other WLANs.  Is there a way to identify the devices without authenticating them?  Here is a summary:

  • Many of the GE and other Medical Devices connect via PSK to SSIDs
  • They want to run a report on ISE (not the WLC) to see what devices connected via PSK
  • Then they want to filter those devices to locate the Medical devices
  • This would allow them to make sure those devices (based on device name or mac address) get moved over to the correct SSID

I was thinking that I could do one of two things:

1) Enable AAA accounting on the PSK WLAN and look for accounting packets.  Not sure if this is enough to build a device entry

2) Enable AAA on the PSK WLAN and set up an AuthZ rule to allow all devices that connect on that particular network.  (Req license)

They would like to use the visibility portion of ISE to help identify devices.  They prefer not to authenticate the device and consume a license.

Any other suggestions?  NMAP scan?

Thanks.

Sam

1 ACCEPTED SOLUTION

Advocate

Re: Visibility into Devices not Authenticated via ISE

So customer wants to know how they can use ISE to bypass ISE?!

ISE does not require Auth to discover endpoints and we can query WLCs via SNMP like we do switches.  Since this is a case of truly trying to leverage ISE visibility and tracking, they should consider just performing auth.  In WLC 8.5 there is also the option to integrate with ISE for Identity-PSK for per group or endpoint PSK.

Many of the GE and Philips devices should also be profiled using the current Medical NAC Profile Library, so they could use that to track these endpoints that are connected to correct / unexpected SSIDs, or where they may have dual connections for wired and wireless.

2 REPLIES

Cisco Employee

Re: Visibility into Devices not Authenticated via ISE

Not sure if it will work correctly with NMAP or accounting as we don't have the MAC-to-IP binding that is present with AAA. You could try it out, but it sounds like they are trying to work around inexpensive functionality of ISE with Base. These methods may provide basic info, but why wouldn't you want to profile them and do this automatically? This will be a cleaner solution working correctly with ISE.
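Option 1 in the question (turn on accounting for the PSK WLAN and build an inventory from the accounting packets) and the caveat in the reply above (without AAA, some records never carry a MAC-to-IP binding) can both be shown with a small parser over accounting records. This is an added example, not code from the thread, from ISE or from Cisco. It assumes accounting records exported one per line as `Attr=Value; Attr=Value` with the standard RADIUS attribute names, and that the WLC sends Called-Station-Id as `<AP MAC>:<SSID>` so the SSID can be read from it. The sample records, the SSID names and the OUI-to-vendor table are constructed placeholders, not real devices or IEEE assignments.

```python
"""Inventory endpoints seen on one SSID from RADIUS accounting records.

Added example, not part of the original thread. Assumptions:
  * records are exported one per line as "Attr=Value; Attr=Value"
  * Called-Station-Id is "<AP MAC>:<SSID>"
  * the sample data and OUI table below are constructed placeholders
"""
import re

# Constructed sample accounting records (placeholder MACs, SSIDs and IPs).
# Note the Start records without Framed-IP-Address: that is the missing
# MAC-to-IP binding the reply warns about.
SAMPLE_ACCOUNTING = """\
Acct-Status-Type=Start; Calling-Station-Id=00-11-22-AA-BB-01; Called-Station-Id=d4-ad-71-00-00-01:Medical-PSK; Framed-IP-Address=10.10.5.21
Acct-Status-Type=Start; Calling-Station-Id=00-11-22-AA-BB-02; Called-Station-Id=d4-ad-71-00-00-01:Medical-PSK
Acct-Status-Type=Start; Calling-Station-Id=00-33-44-AA-BB-03; Called-Station-Id=d4-ad-71-00-00-01:Corp-Dot1X; Framed-IP-Address=10.10.9.4
Acct-Status-Type=Interim-Update; Calling-Station-Id=00-11-22-AA-BB-02; Called-Station-Id=d4-ad-71-00-00-01:Medical-PSK; Framed-IP-Address=10.10.5.22
Acct-Status-Type=Start; Calling-Station-Id=00-55-66-AA-BB-04; Called-Station-Id=d4-ad-71-00-00-02:Medical-PSK
Acct-Status-Type=Stop; Calling-Station-Id=00-11-22-AA-BB-01; Called-Station-Id=d4-ad-71-00-00-01:Medical-PSK; Framed-IP-Address=10.10.5.21
"""

# Constructed OUI -> vendor table (placeholder prefix, not a real assignment).
# A real deployment would use the IEEE OUI list or ISE's profiler output.
OUI_VENDORS = {"00:11:22": "ExampleMedicalVendor"}


def parse_record(line):
    """Split one 'Attr=Value; Attr=Value' line into a dict."""
    attrs = {}
    for part in line.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def normalize_mac(raw):
    """Accept 00-11-22-AA-BB-01 / 0011.22aa.bb01 / 00:11:22:aa:bb:01 forms."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def ssid_from_called_station(value):
    """WLC Called-Station-Id is '<AP MAC>:<SSID>'; return the SSID part."""
    return value.split(":", 1)[1] if ":" in value else None


def build_inventory(text, ssid):
    """Return {mac: {"ip", "vendor", "status"}} for endpoints seen on ssid.

    The last record wins for status; the IP is kept once any record
    (Start, Interim-Update or Stop) supplies Framed-IP-Address.
    """
    inventory = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if ssid_from_called_station(rec.get("Called-Station-Id", "")) != ssid:
            continue
        mac = normalize_mac(rec["Calling-Station-Id"])
        entry = inventory.setdefault(mac, {
            "ip": None,
            "vendor": OUI_VENDORS.get(mac[:8], "unknown"),
            "status": None,
        })
        if "Framed-IP-Address" in rec:
            entry["ip"] = rec["Framed-IP-Address"]
        entry["status"] = rec.get("Acct-Status-Type")
    return inventory


def endpoints_without_ip(inventory):
    """MACs that never appeared with a Framed-IP-Address (no MAC-to-IP binding)."""
    return sorted(mac for mac, e in inventory.items() if e["ip"] is None)


def endpoints_by_vendor(inventory, vendor):
    """Filter the inventory by OUI-derived vendor, e.g. to find the medical devices."""
    return sorted(mac for mac, e in inventory.items() if e["vendor"] == vendor)


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_ACCOUNTING, "Medical-PSK")
    for mac, e in sorted(inv.items()):
        print(mac, e["vendor"], e["ip"], e["status"])
    print("no MAC-to-IP binding:", endpoints_without_ip(inv))
    print("medical by OUI:", endpoints_by_vendor(inv, "ExampleMedicalVendor"))
```

The filter on Called-Station-Id is what keeps the Corp-Dot1X endpoint out of the PSK inventory; the `endpoints_without_ip` list is the practical limit of this approach, since an OUI match gives a vendor but nothing to correlate with the IP-based probes (NMAP, DHCP, HTTP) that the profiler would normally add.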