1200 Views, 0 Helpful, 1 Replies

Prime Infrastructure Integration with ISE query

andrewswanson
Level 7

I'm looking at integrating Prime Infrastructure 3.1.4 (patch 1) with ISE 2.1.0.474 (patch 1)

integration works fine but the information shown isn't "realtime" especially for wired 802.1x PCs where machine and user are authenticated.

I'm trying to get some documentation together for front line support - can anyone confirm my understanding of how Prime integrates with ISE:

When a PC boots up and authenticates successfully with ISE using machine credentials:

  • NAD switch sends an snmp trap to Prime - Prime displays the device with status of "associated"
  • no IP address, username or switch interface information is displayed

When the scheduled Prime system job "wired device status" runs (every 2 hours by default):

  • Prime learns the IP Address of the connected PC
  • Prime syncs with ISE and shows the PC username and switch interface (as well as other ISE attributes)
  • Now that the device is listed in Prime as "Clients known by ISE", when the device is selected Prime displays an additional "ISE" tab
  • The "ISE" tab gives access to search ISE for Authentication Records - these records display the times/outcomes of authentication attempts as well as a hyperlink to ISE which displays more detail e.g. username

When a user logs into the PC:

  • username of the PC is displayed until "wired device status" runs again - then Prime displays the user's username
  • If a user logs in and out between "wired device status" jobs their username will not appear in Prime
  • The only way to see the User's username is to go to the ISE tab and check the authentication records on ISE

When the PC is powered off or disconnected from the network:

  • NAD switch sends an snmp trap to Prime - Prime displays the device with status of "disassociated"
  • IP address, username etc. is removed from Prime


Am I correct in saying that:

  1. Prime only syncs with ISE after the "wired device status" job runs
  2. In this scenario is it good practice to run the "wired device status" job more frequently

Thanks
Andy

1 Reply

andrewswanson
Level 7

I think I may have a clearer idea on how Prime polls ISE for client data. As I said in the original post, I'm only having an issue with the username Prime displays for wired 802.1x clients (machine or user authentication) where the username can change frequently. Can anyone confirm my findings below?

switch configuration excerpt:

aaa accounting update newinfo periodic 5
!
mab logging verbose
dot1x logging verbose
!
logging host <PRIME-IP>
!
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps auth-framework sec-violation
snmp-server enable traps mac-notification change move threshold
snmp-server host <PRIME-IP> version 3 priv <SNMP-USER> auth-framework mac-notification snmp
!

1 wired 802.1x client connects to network

2 the client's mac address appears in Monitor / Monitoring Tools / Clients and Users (no ip address) - client appears due to switch sending snmp mac notification trap to Prime. Client status is "Associated" with the association time matching when the trap was sent


Selecting the client opens Monitor / Monitoring Tools / Clients and Users /
This opens a window with 3 tabs - Overview, Events, Location
Overview tab is split into 2 parts:
Client Attributes (showing username which is currently "unknown")
Session History - association times tied to when mac notification traps were received
Events Tab:
this shows the syslogs received from the switch (dot1x logging verbose) and shows time/date of successful/failed authentications

3 Prime's "Wired Client Status" scheduled job runs and Prime learns the client's IP address


4 Prime then syncs with ISE:


Selecting the client opens Monitor / Monitoring Tools / Clients and Users /
This opens a window with 5 tabs - Overview, Events, Location, ISE, Troubleshooting and Debug


ISE tab:
Allows user to poll ISE for Authentication records for the client - the records shown do not show the username but contain a hyperlink to view the actual records on ISE (login required)

5 switch sends periodic accounting updates to ISE every 5 minutes. Every 15 minutes (not user configurable), Prime syncs with ISE and displays this updated accounting info on the client Overview tab - this ISE sync only updates accounting info and not the username

So it seems that Prime displays the 802.1x username that was current when the last "wired Client Status" job was run.
The Event and ISE tabs indicate that there has been a newer 802.1x authentication but no detail is given (although the ISE tab does provide a hyperlink to open the authentication record on ISE to view the username)

Thanks

Andy
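The findings above say the username Prime shows is whatever was current when the last "Wired Client Status" job ran, while the switch's own syslogs (dot1x logging verbose, sent to Prime by the config excerpt) record each new authentication in real time. The following Python script is an added example, not code from the thread, from Cisco, or from Prime; it parses a few constructed dot1x syslog lines (the message layout with the MAC in parentheses, "on Interface" and a trailing "user <name>" is an assumption for this example, not a verified IOS format), keeps the live username per MAC, computes the username a job-refreshed display would show at a given time, and lists the sessions that a 2-hourly job never captures at all. The job run times and MAC/usernames are constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample syslog lines from a wired 802.1x switch port. The exact
# message layout is an assumption for this example, not a verified IOS format.
SAMPLE_SYSLOG = """\
2024-01-15T08:00:10 switch1 %DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Gi1/0/1 user host/PC01.example.local
2024-01-15T08:05:30 switch1 %DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Gi1/0/1 user EXAMPLE\\alice
2024-01-15T09:10:00 switch1 %DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Gi1/0/1 user EXAMPLE\\bob
2024-01-15T09:30:00 switch1 %DOT1X-5-FAIL: Authentication failed for client (0011.2233.4455) on Interface Gi1/0/1 user EXAMPLE\\carol
2024-01-15T09:31:00 switch1 %SYS-5-CONFIG_I: Configured from console by admin
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) %DOT1X-5-(?P<result>SUCCESS|FAIL): .*?"
    r"client \((?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) "
    r"on Interface (?P<intf>\S+) user (?P<user>\S+)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    switch: str
    mac: str
    interface: str
    user: str
    success: bool


def parse_dot1x_syslog(text: str) -> List[AuthEvent]:
    """Extract 802.1x authentication events; unrelated syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(AuthEvent(
            ts=datetime.fromisoformat(m["ts"]),
            switch=m["host"],
            mac=m["mac"],
            interface=m["intf"],
            user=m["user"],
            success=m["result"] == "SUCCESS",
        ))
    return sorted(events, key=lambda e: e.ts)


def live_usernames(events: List[AuthEvent]) -> Dict[str, AuthEvent]:
    """Latest successful authentication per MAC, as the syslog feed sees it."""
    latest: Dict[str, AuthEvent] = {}
    for e in events:
        if e.success:
            latest[e.mac] = e
    return latest


def username_at(events: List[AuthEvent], mac: str, when: datetime) -> Optional[str]:
    """Username that was current for `mac` at the instant `when`."""
    user = None
    for e in events:
        if e.mac == mac and e.success and e.ts <= when:
            user = e.user
    return user


def prime_view(events: List[AuthEvent], mac: str,
               job_runs: List[datetime], when: datetime) -> Optional[str]:
    """Username a job-refreshed display would show at `when`, given that the
    username is only refreshed when the periodic job runs (the behaviour the
    post describes for the 'Wired Client Status' job)."""
    past_runs = [t for t in job_runs if t <= when]
    if not past_runs:
        return None
    return username_at(events, mac, max(past_runs))


def sessions_missed_by_job(events: List[AuthEvent], mac: str,
                           job_runs: List[datetime]) -> List[str]:
    """Usernames that were replaced by a newer authentication with no job run
    in between, so the periodic job never displayed them."""
    successes = [e for e in events if e.mac == mac and e.success]
    missed = []
    for cur, nxt in zip(successes, successes[1:]):
        if not any(cur.ts <= t < nxt.ts for t in job_runs):
            missed.append(cur.user)
    return missed


if __name__ == "__main__":
    evs = parse_dot1x_syslog(SAMPLE_SYSLOG)
    runs = [datetime(2024, 1, 15, h) for h in (7, 9, 11)]  # constructed 2-hourly job
    mac = "0011.2233.4455"
    now = datetime(2024, 1, 15, 9, 15)
    print("live username  :", live_usernames(evs)[mac].user)
    print("job-based view :", prime_view(evs, mac, runs, now))
    print("never displayed:", sessions_missed_by_job(evs, mac, runs))
```

With the constructed data, at 09:15 the job-based view still shows alice (current at the 09:00 run) while the syslog feed already shows bob, and the machine account session that started at 08:00:10 was replaced before any job ran, so it would never have appeared in the job-based view; the same comparison can be run over a real syslog export to decide whether a shorter job interval is worth the extra polling load.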