Visibility into Devices not Authenticated via ISE

scamarda
Cisco Employee

I have a customer that would like to inventory their devices that connect to a PSK WLAN not tied to ISE in any way. The WLC is connected to ISE for other WLANs.  Is there a way to identify the devices without authenticating them?  Here is a summary:

  • Many of the GE and other Medical Devices connect via PSK to SSIDs
  • They want to run a report on ISE (not the WLC) to see what devices connected via PSK
  • Then they want to filter those devices to locate the Medical devices
  • This would allow them to make sure those devices (based on device name or mac address) get moved over to the correct SSID

I was thinking that I could do one of two things:

1) Enable AAA accounting on the PSK WLAN and look for accounting packets.  Not sure if this is enough to build a device entry

2) Enable AAA on the PSK WLAN and set up an AuthZ rule to allow all devices that connect on that particular network.  (Req license)

They would like to use the visibility portion of ISE to help identify devices.  They prefer not to authenticate the device and consume a license.

Any other suggestions?  NMAP scan?

Thanks.

Sam

Accepted Solution

Craig Hyps
Level 10

So customer wants to know how they can use ISE to bypass ISE?!

ISE does not require Auth to discover endpoints and we can query WLCs via SNMP like we do switches.  Since this is a case of truly trying to leverage ISE visibility and tracking, they should consider just performing auth.  In WLC 8.5 there is also the option to integrate with ISE for Identity-PSK for per group or endpoint PSK.

Many of the GE and Philips devices should also be profiled using the current Medical NAC Profile Library, so they could use that to track these endpoints that are connected to correct / unexpected SSIDs, or where they may have dual connections for wired and wireless.


2 Replies

Jason Kunst
Cisco Employee

Not sure if it will work correctly with NMAP or accounting, as we don't have the MAC-to-IP binding that is present with AAA. You could try it out, but it sounds like they are trying to work around inexpensive functionality of ISE with base. These methods may provide basic info, but why wouldn't you want to profile them and do this automatically? This will be a cleaner solution working correctly with ISE.
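As an added illustration of option 1 from the question (accounting on the PSK WLAN) and of the caveat above about missing MAC-to-IP bindings, not code from this thread or from Cisco: a small Python script that parses constructed RADIUS accounting records, inventories client MACs by SSID, flags registered medical devices seen on an SSID other than the one they should be on, and lists MACs for which no Framed-IP-Address was ever reported. The log layout, MACs, SSIDs, IP address and the device register are all constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample: three accounting records in a FreeRADIUS "detail" style layout,
# roughly what a WLC with AAA accounting enabled on the PSK WLAN would send.
# All MACs, SSIDs and the IP address are placeholders.
SAMPLE_ACCOUNTING = """\
Wed Jan  1 10:00:00 2020
\tAcct-Status-Type = Start
\tCalling-Station-Id = "00-11-22-AA-BB-01"
\tCalled-Station-Id = "00-aa-bb-cc-dd-01:LEGACY-PSK"
\tUser-Name = "001122aabb01"

Wed Jan  1 10:00:05 2020
\tAcct-Status-Type = Interim-Update
\tCalling-Station-Id = "00-11-22-AA-BB-02"
\tCalled-Station-Id = "00-aa-bb-cc-dd-01:LEGACY-PSK"
\tFramed-IP-Address = 10.20.30.40

Wed Jan  1 10:01:00 2020
\tAcct-Status-Type = Start
\tCalling-Station-Id = "00-11-22-AA-BB-03"
\tCalled-Station-Id = "00-aa-bb-cc-dd-02:MEDICAL-8021X"
"""

# Constructed register of known medical devices: MAC -> (name, SSID it should be on).
MEDICAL_REGISTER = {
    "00:11:22:aa:bb:01": ("GE-Monitor-01", "MEDICAL-8021X"),
    "00:11:22:aa:bb:03": ("Philips-Pump-07", "MEDICAL-8021X"),
}

ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*"?([^"]*)"?\s*$')  # "\tName = value" lines

def norm_mac(mac):
    """Normalise 00-11-22-AA-BB-01 / 0011.22aa.bb01 / 00:11:... to 00:11:22:aa:bb:01."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_accounting(text):
    """Build {mac: {"ssids": set, "ip": str|None}} from blank-line separated records."""
    inventory = defaultdict(lambda: {"ssids": set(), "ip": None})
    for record in text.strip().split("\n\n"):
        attrs = dict(m.groups() for m in map(ATTR_RE.match, record.splitlines()) if m)
        if "Calling-Station-Id" not in attrs:
            continue  # no client MAC in this record
        mac = norm_mac(attrs["Calling-Station-Id"])
        # On a WLC, Called-Station-Id is "<AP MAC>:<SSID>"; keep only the SSID part.
        inventory[mac]["ssids"].add(attrs.get("Called-Station-Id", "").rsplit(":", 1)[-1])
        if attrs.get("Framed-IP-Address"):  # only present once the WLC learned the IP
            inventory[mac]["ip"] = attrs["Framed-IP-Address"]
    return dict(inventory)

def misplaced_medical(inventory, register):
    """Registered medical devices seen on an SSID other than their expected one."""
    return sorted((name, mac, ssid) for mac, (name, expected) in register.items()
                  for ssid in inventory.get(mac, {"ssids": set()})["ssids"] if ssid != expected)

def no_ip_binding(inventory):
    """MACs seen in accounting with no IP reported: no MAC-to-IP binding for ISE to use."""
    return sorted(mac for mac, entry in inventory.items() if entry["ip"] is None)
```

Pointing the parser at a real accounting export gives the "who is still on the PSK SSID" report the customer wanted, while `no_ip_binding` shows how much of that inventory would lack the IP context that AAA-authenticated sessions carry.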