Cisco Employee

Re: ISE and CDP device sensor

TAC is pretty much correct. However with newer IOS platform code, it's possible to perform local authorization using IBNS 2 and to send device sensor data to ISE via RADIUS accounting interim updates.

Participant

Re: ISE and CDP device sensor

@Tymofii Dmytrenko thanks! Yeah, I wasted a bit of time with this too. Then I got TAC involved since device sensor wasn't working as I had expected, and we had an snmpquery probe issue as well. Funnily enough, even TAC at first wasn't too sure about device-sensor; only after I showed them your discussion about authentication needing to pass first for it to work did they confirm the behaviour. Looks like there is a major misunderstanding with this feature.

Anyway, I did some further tests and also confirmed device-sensor via radius probe works only when a radius access-accept is received. Originally I had my default mab authz policy with the default "DenyAccess", which is an Access-Reject. I created a new authz profile using Access-Accept with a deny ip any any dACL, applied it to the authz policy, and then the radius probe started working.

Beginner

Re: ISE and CDP device sensor

Same issues here. I also created a "pre-device-sensor" rule in my MAB policy to do an "Access-Accept" in conjunction with a DACL "Deny ip any any". This is enough to get Accounting up and running.

I should have found this thread earlier, it would have saved me some major headaches!

@Tymofii Dmytrenko Did you receive any updates about it? Will Cisco update their documentation?

Re: ISE and CDP device sensor

Hi @FvMoll

The latest update I've got from TAC before we closed the case was this one...

=========

Kindly note that I had engaged further resources to re-open this enhancement request “CSCvn03049 Need to add note that device sensor info is dependent on dot1x auth/authz”, which is currently just employee visible, and sent them an email to make it customer visible if possible, so now the document should be updated based on this enhancement bug.

=========

Hope this is helpful.

Beginner

Re: ISE and CDP device sensor

@Tymofii Dmytrenko

Thanks for the quick response :)

Let's hope they will do something about it soon

Beginner

Re: ISE and CDP device sensor

Do I need to send syslogs to ISE for the device sensor to work?

VIP Advocate

Re: ISE and CDP device sensor

No, device sensor data is sent from the NADs via radius accounting. You do not need to send syslogs from the network device to ISE.

Beginner

Re: ISE and CDP device sensor

Hi,

I have the opposite issue.

All of our switches are configured to perform dot1x or mab authentication, but we did not configure device-sensor.

We are gradually migrating from ACS and ISE and I discovered that the ISE endpoint database is populated with endpoints that did not undergo any authentication.

Looking deeper at the issue, I found that those endpoints were created because of some switches sending accounting packets labelled with "radiusprobe".

I suppose this is because of this default configuration

SWITCH#show running-config all | in device-sen
device-sensor notify new-tlvs

For instance, in the ISE endpoints database I can find MAC addresses of distribution switch interfaces connected to dot1x access switches. This is quite puzzling because those "accounting only" endpoints are shown by ISE as connected endpoints.

I am pretty sure they are not consuming base licenses, but their presence could be quite annoying (not to speak of the fact that those switches are sending those accounting packets even for wireless endpoints connected to flex connected APs...).

I have opened a SR with TAC but the engineer is not able to address the issue.

Does anyone know if 

 device-sensor notify new-tlvs

may actually be the cause of the issue and why Cisco does not document this configuration?

Regards

MM
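
An added example, not part of any post in this thread: a small Python check that reads `show running-config all` text and reports the device-sensor notify mode quoted above, plus whether the lines needed for sensor TLVs to travel in RADIUS accounting are present. Both sample configs are constructed, and the checklist of required lines is an assumption of this example based on standard IOS device-sensor commands; adjust it for your platform and release.

```python
import re

# Checklist is an assumption for this example, not taken from the thread:
# lines a switch needs before sensor TLVs ride in RADIUS accounting.
REQUIRED = {
    "device-sensor accounting": r"device-sensor accounting$",
    "aaa accounting dot1x": r"aaa accounting dot1x \S+ start-stop group \S+",
    "radius-server vsa send accounting": r"radius-server vsa send accounting$",
}
NOTIFY = re.compile(r"device-sensor notify (new-tlvs|all-changes)$")

# Constructed sample: only the default line quoted in the post above,
# plus ordinary dot1x accounting.
SAMPLE_DEFAULT = """\
aaa accounting dot1x default start-stop group radius
radius-server vsa send accounting
device-sensor notify new-tlvs
"""

# Constructed sample: device sensor explicitly enabled for accounting.
SAMPLE_SENSOR = """\
aaa accounting dot1x default start-stop group radius
radius-server vsa send accounting
device-sensor accounting
device-sensor notify all-changes
"""


def audit_device_sensor(config_text):
    """Summarise device-sensor reporting from 'show running-config all' text."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    # Drop blank lines and IOS comment separators.
    lines = [ln for ln in lines if ln and not ln.startswith("!")]
    # re.match anchors at line start, so "no device-sensor ..." never counts.
    present = {name: any(re.match(rx, ln) for ln in lines)
               for name, rx in REQUIRED.items()}
    notify = next((m.group(1) for ln in lines if (m := NOTIFY.match(ln))), None)
    return {
        "notify_mode": notify,
        "missing": sorted(n for n, ok in present.items() if not ok),
        "sensor_tlvs_in_accounting": all(present.values()),
    }


if __name__ == "__main__":
    for label, cfg in (("default", SAMPLE_DEFAULT), ("sensor", SAMPLE_SENSOR)):
        print(label, audit_device_sensor(cfg))
```

A `missing` list that is empty only says the switch is set up to send sensor data; as the earlier replies note, ISE still has to return an Access-Accept before accounting for the session starts.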


Beginner

Re: ISE and CDP device sensor

Hi. For us, non-ISE device ports started populating as radius probe after we added the DHCP helper address on the SVI to point to ISE.

VIP Advocate

Re: ISE and CDP device sensor

I have a suspicion that these two things are not related. Are you using the snmp query probe or just the radius probe? Both collect CDP information but in different ways. There are some known issues with device sensor / radius probe not working. What IOS release and switch platform are you using?