cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
535
Views
1
Helpful
6
Replies

What is the minimum port configuration necessary to profile host?

DamianRCL
Level 1
Level 1

Hello,

If I simply want to profile network hosts without subjecting them to dot1x, what is the minimum port configuration necessary to accomplish this?

6 Replies 6

@DamianRCL you'd need to configure MAB

You'd probably also want to ensure you configure device sensor to learn about the endpoints from the switch and send to ISE in the RADIUS packet, so you have more information to profile the endpoints.

Refer to the IBNS1.0 configuration for monitor mode and device sensor sections. https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515#toc-hId--657806293

Thanks, Rob. I'll take a look.

If you rely on device sensor then I would say nothing would be required from the switch ports perspective because the device sensor feeds will be sent by the switch to ISE regardless if the port is configured for dot1x or MAB.

@Matt Albrecht - didn't you have a "profile/visibility only" config?

I do, take a look at the attached template file.

@DamianRCL you may adapt the sensor filters as needed for your environment, the below is an IBNS2.0-based config that puts the interfaces into an authorized state, with no MAB or 802.1x needed, to pull device-sensor information and ship it to ISE for profiling unintrusively.

The key commands are access-session monitor, which creates an access session for ALL ports on the switch, and the language of the service-policy which, essentially, says to immediately authorize the port if a session exists, which it will thanks to the access-session monitor command:

policy-map type control subscriber ISE_VISIBILITY
 event session-started match-all
  10 class always do-until-failure
   10 authorize

This results in all interfaces having an up session, in an authorized state without having to interact with the end station at all, and the switch can gather data and send via device-sensor.

The attached template is distilled directly from here - https://community.cisco.com/t5/security-knowledge-base/ise-profiling-design-guide/ta-p/3739456

Hope this helps.

Matt Albrecht
CCIE Security #68011

This is tremendous, Matt. Thank you!