cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

989
Views
5
Helpful
6
Replies
Highlighted
VIP Advocate

Device Sensor and Cat 9300 working IOS-XE version ?

Hi

 

I have a Cat 9300-24T switch running IOS-XE 16.10.01 and configured with Device Sensor.  I am testing Endpoint Profiling using the Cisco Device Sensor feature.

 

RADIUS accounting is configured to send Device Sensor data to ISE, but I don't see it in the RADIUS Accounting requests. 

 

A quick Google search revealed that in earlier versions some folks had similar issues.

 

Is there a version of IOS-XE where Device Sensor data is sent via RADIUS ?  If so, can someone please recommend a version?  It would have to be 16.10 or later.

 

I am also getting conflicting information from Cisco web site about configuring these switches.  The commands get deprecated so quickly, it's hard to keep up.  Even the excellent Wired 802.1X Prescriptive Guide is mostly outdated because of the commands.

 

I have a standard RADIUS config and then these command specifically for the Device Sensor Accounting stuff:

 

CORE-01#show device-sensor details

        Device-Sensor Details
--------------------------------------

Status = Enabled

Protocols:
-----------
CDP            registered  Proto Tlv Limit = 128
LLDP           registered  Proto Tlv Limit = 128
DHCP           registered  Proto Tlv Limit = 128

Protocol Filter Configuration:
---------------------------------
CDP             Include List - CDP-LIST
LLDP            Include List - LLDP-LIST
DHCP            Include List - DHCP-LIST




CORE-01#show device-sensor cache interface gig 1/0/20
Device: 78bc.1a34.4ad4 on port GigabitEthernet1/0/20
----------------------------------------------------------------------------
Proto Type:Name                       Len Value                       Text
LLDP     6:system-description         199 0C C5 43 69 73 63 6F 20 41  ..Cisco A
                                          50 20 53 6F 66 74 77 61 72  P Softwar
                                          65 2C 20 61 70 33 67 33 2D  e, ap3g3-
                                          6B 39 77 38 20 56 65 72 73  k9w8 Vers
                                          69 6F 6E 3A 20 38 2E 37 2E  ion: 8.7.
                                          31 30 36 2E 30 0A 54 65 63  106.0.Tec
                                          68 6E 69 63 61 6C 20 53 75  hnical Su
                                          70 70 6F 72 74 3A 20 68 74  pport: ht
                                          74 70 3A 2F 2F 77 77 77 2E  tp://www.
                                          63 69 73 63 6F 2E 63 6F 6D  cisco.com
                                          2F 74 65 63 68 73 75 70 70  /techsupp
                                          6F 72 74 0A 43 6F 70 79 72  ort.Copyr
                                          69 67 68 74 20 28 63 29 20  ight (c)
                                          31 39 38 36 2D 32 30 31 38  1986-2018
                                          20 62 79 20 43 69 73 63 6F   by Cisco
                                          20 53 79 73 74 65 6D 73 2C   Systems,
                                          20 49 6E 63 2E 0A 43 6F 6D   Inc..Com
                                          70 69 6C 65 64 20 54 68 75  piled Thu
                                          20 4D 61 79 20 32 34 20 31   May 24 1
                                          32 3A 35 30 3A 32 33 20 50  2:50:23 P
                                          44 54 20 32 30 31 38 20 62  DT 2018 b
                                          79 20 76 69 70 65 6E 64 79  y vipendy
                                          61                          a
LLDP     5:system-name                 18 0A 10 41 50 37 38 42 43 2E  ..AP78BC.
                                          31 41 33 34 2E 34 41 44 34
LLDP     7:system-capabilities          6 0E 04 00 04 00 04           ......
CDP      6:platform-type               25 00 06 00 19 63 69 73 63 6F  ....cisco
                                          20 41 49 52 2D 41 50 34 38   AIR-AP48
                                          30 30 2D 5A 2D 4B 39        00-Z-K9
CDP      5:version-type               151 00 05 00 97 43 69 73 63 6F  ...^WCisco
                                          20 41 50 20 53 6F 66 74 77   AP Softw
                                          61 72 65 2C 20 61 70 33 67  are, ap3g
                                          33 2D 6B 39 77 38 20 56 65  3-k9w8 Ve
                                          72 73 69 6F 6E 3A 20 38 2E  rsion: 8.
                                          37 2E 31 30 36 2E 30 0A 54  7.106.0.T
                                          65 63 68 6E 69 63 61 6C 20  echnical
                                          53 75 70 70 6F 72 74 3A 20  Support:
                                          68 74 74 70 3A 2F 2F 77 77  http://ww
                                          77 2E 63 69 73 63 6F 2E 63  w.cisco.c
                                          6F 6D 2F 74 65 63 68 73 75  om/techsu
                                          70 70 6F 72 74 0A 43 6F 70  pport.Cop
                                          79 72 69 67 68 74 20 28 63  yright (c
                                          29 20 32 30 31 34 2D 32 30  ) 2014-20
                                          31 35 20 62 79 20 43 69 73  15 by Cis
                                          63 6F 20 53 79 73 74 65 6D  co System
                                          73 2C 20 49 6E 63 2E        s, Inc.
CDP      4:capabilities-type            8 00 04 00 08 00 00 00 03     ........
CDP      2:address-type                45 00 02 00 2D 00 00 00 02 01  ...-.....
                                          01 CC 00 04 AC 1F 19 25 02  .L..,..%.
                                          08 AA AA 03 00 00 00 86 DD  .**....^F]
                                          00 10 FE 80 00 00 00 00 00  ...^@.....
                                          00 7A BC 1A FF FE 34 4A D4
CDP      1:device-name                 20 00 01 00 14 41 50 37 38 42  ....AP78B
                                          43 2E 31 41 33 34 2E 34 41  C.1A34.4A
                                          44 34                       D4

 

 

 

aaa accounting update newinfo periodic 2880
aaa accounting identity default start-stop group ISE-RADIUS

device-sensor notify all-changes
CORE-01#show radius server-group ISE-RADIUS
Server group ISE-RADIUS
    Sharecount = 1  sg_unconfigured = FALSE
    Type = standard  Memlocks = 1
    Server(192.168.0.221:1812,1813) Transactions:
    Authen: 0   Author: 0       Acct: 14
    Server_auto_test_enabled: TRUE
     Keywrap enabled: FALSE

 

I have analysed the ISE tcpdump in Wireshark.  I can see Interim Accounting updates, but they don't contain any Device Sensor Data.  

 

 

 

Everyone's tags (4)
6 REPLIES 6
VIP Advocate

Re: Device Sensor and Cat 9300 working IOS-XE version ?

Are you using the automated tester with ignore accounting option? I just logged a new bug where the switch doesn't send device sensor cache.
VIP Advocate

Re: Device Sensor and Cat 9300 working IOS-XE version ?

Hey Damien

 

I was using exactly that feature (as recommended in the Prescriptive Guide).  I have just removed that command, cleared the access-session and shut/no shut the port.  But the tcpdump still doesn't show any Device Sensor data :-(

 

What version of IOS-XE are you using?  Did that work for you as a work-around?

 

Am I missing any crucial commands?  I also have the following commands in there for good measure.

 

There is a legacy command that the IOS-XE no longer accepts - I often wonder whether this is an issue

radius-server vsa send accounting

 

radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server attribute 31 send nas-port-detail mac-only 

 

VIP Advocate

Re: Device Sensor and Cat 9300 working IOS-XE version ?

I tested and encountered the issue with both 16.6.6 and 16.9.3, the bug notes indicate less reach than I found. I believe this is not platform dependent but an issue with the software.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq78911

Switching "automate-tester username test ignore-acct-port probe-on" to "automate-tester username test probe-on" fixed my device sensor issue. I used the following. Hit me up on teams and I can send you over the full config if you need. I intentionally avoided snmp query probe, otherwise I think it would have masked the issue, I suspect this is an issue a lot of deployments have since Hari's guide suggests the "ignore-acct-port" option.

accounting/device sensor specific config.

aaa accounting update newinfo periodic 2880
!
device-sensor filter-list cdp list cdp-list
tlv name device-name
tlv name address-type
tlv name capabilities-type
tlv name version-type
tlv name platform-type
!
device-sensor filter-list lldp list lldp-list
tlv name system-name
tlv name system-description
tlv name system-capabilities
!
device-sensor filter-list dhcp list dhcp-list
option name host-name
option name requested-address
option name parameter-request-list
option name class-identifier
option name client-identifier
!
device-sensor filter-spec lldp include list lldp-list
device-sensor filter-spec cdp include list cdp-list
device-sensor filter-spec dhcp include list dhcp-list
!
access-session attributes filter-list list DS_LIST
vlan-id
cdp
lldp
dhcp
http
!
access-session authentication attributes filter-spec include list DS_LIST
access-session accounting attributes filter-spec include list DS_LIST
device-sensor notify all-changes
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server vsa send



Hall of Fame Community Legend

Re: Device Sensor and Cat 9300 working IOS-XE version ?

Be careful when using 16.10.1 in a stack: CSCvn30950
Beginner

Re: Device Sensor and Cat 9300 working IOS-XE version ?

Hi,

 

I happen to have the same issue, also with an AP4800 in my test environment. Have you had the chance to test with something else?

 

ISE 2.4 Patch 9

Cat9300 IOS 16.9.3

AP4800

 

Thanks

Beginner

Re: Device Sensor and Cat 9300 working IOS-XE version ?

Do you have DHCP Snooping turned on? My understanding is it's required in order for device sensor to work otherwise you need to use IP Helpers. 

 

Mitch