Cisco Employee

Re: ISE and CDP device sensor

TAC is pretty much correct. However, with newer IOS platform code, it's possible to perform local authorization using IBNS 2 and to send device sensor data to ISE via RADIUS accounting interim updates.

Participant

Re: ISE and CDP device sensor

@Tymofii Dmytrenko thanks! Yeah, I wasted a bit of time with this too. Then I got TAC involved since device sensor wasn't working as I had expected, and we had an snmpquery probe issue as well. Funnily enough, even TAC at first wasn't too sure about device-sensor; only after I showed them your discussion about authentication needing to pass first for it to work did they confirm the behaviour. Looks like there is a major misunderstanding with this feature.

Anyway, I did some further tests and also confirmed device-sensor via RADIUS probe works only when a RADIUS Access-Accept is received. Originally I had my default MAB authz policy with the default "DenyAccess", which is an Access-Reject. I created a new authz profile using Access-Accept with a deny ip any any dACL, applied it to the authz policy, and then the RADIUS probe starts working.

Beginner

Re: ISE and CDP device sensor

Same issues here. I also created a "pre-device-sensor" rule in my MAB policy to do an "Access-Accept" in conjunction with a DACL "Deny ip any any". This is enough to get Accounting up and running.

I should have found this thread earlier, it would have saved me some major headaches!

@Tymofii Dmytrenko Did you receive any updates about it? Will Cisco update their documentation?

Re: ISE and CDP device sensor

Hi @FvMoll

The latest update I've got from TAC before we closed the case was this one...

=========

Kindly note that I had engaged further resources to re-open this enhancement request "CSCvn03049 Need to add note that device sensor info is dependent on dot1x auth/authz". It is currently just employee visible, and I sent them an email to make it customer visible if possible, so now the document should be updated based on this enhancement bug.

=========

Hope this is helpful.

Beginner

Re: ISE and CDP device sensor

@Tymofii Dmytrenko

Thanks for the quick response :)

Let's hope they will do something about it soon

Re: ISE and CDP device sensor

Do I need to send syslogs to ISE for the device sensor to work?

VIP Engager

Re: ISE and CDP device sensor

No, device sensor data is sent from the NADs via RADIUS accounting. You do not need to send syslogs from the network device to ISE.