Showing results for 
Search instead for 
Did you mean: 

Who Me Too'd this topic

ISE and CDP device sensor

Hi, all.

Anyone can explain to me, how the CDP device sensor probe works with ISE ???

What I am trying to do, is to identify different Cisco Wireless Access Point models (i.e. LAP 1142) with ISE.

Since the APs do speak CDP (I can see the AP devices on the switch), this should be possible with the CDP device sensor on the switch, shouldn't it  ....

I have done the following so far:

Configured the switch to talk to ISE via radius accounting:

aaa group server radius SERVERGROUP_radius_accounting

     server name ISE02

    radius server ISE02

          address ipv4 [ISE02 ip address] auth-port 1645 acct-port 1646

    radius-server attribute 6 on-for-login-auth

    radius-server attribute 6 support-multiple

    radius-server attribute 8 include-in-access-req

    radius-server attribute 25 access-request include

    radius-server attribute nas-port-id include remote-id

    radius-server dead-criteria time 30 tries 3

    radius-server retry method reorder

    radius-server retransmit 2

    radius-server timeout 2

    radius-server deadtime 1

    radius-server key 7 [ISE02 radius key]

    radius-server vsa send cisco-nas-port

    radius-server vsa send accounting

    radius-server vsa send authentication

    aaa accounting dot1x default start-stop group SERVERGROUP_radius_accounting

    Configured SNMP traps to be sent to ISE:

    snmp-server host [ISE02 ip address] [SNMP RO Community]

    authentication mac-move permit

    authentication critical recovery delay 120 

    mac address-table notification change interval 60

    mac address-table notification change

    mac address-table notification mac-move 

    interface GigabitEthernet0/1

    snmp trap mac-notification change added

    snmp trap mac-notification change removed 

    Configured logging to ISE:

    epm logging

    logging host [ISE02 ip address] transport udp port 20514

    Configured CoA:

    aaa server radius dynamic-author

    client [ISE02 ip address] server-key 7 [ISE02 radius key]

    Configured DHCP snooping, device tracking and device sensors:

    ip dhcp snooping vlan xyz

    no ip dhcp snooping information option

    ip dhcp snooping

    ip device tracking

    device-sensor filter-list dhcp list DSFL_dhcp

    option name domain-name-servers

    option name host-name

    option name domain-name

    option name class-identifier

    option name client-identifier

    device-sensor filter-list lldp list DSFL_lldp

    tlv name system-name

    tlv name system-description

    tlv name system-capabilities

    tlv name management-address

    device-sensor filter-list cdp list DSFL_cdp

    tlv name device-name

    tlv name port-id-type

    tlv name capabilities-type

    tlv name version-type

    tlv name platform-type

    tlv name duplex-type

    tlv number 34

    device-sensor filter-spec dhcp include list DSFL_dhcp

    device-sensor filter-spec lldp include list DSFL_lldp

    device-sensor filter-spec cdp include list DSFL_cdp

    device-sensor notify all-changes

    Configured an additional IP helper on the AP vlan pointing to ISE:

    interface vlan xyz

    ip helper-address [ISE02 ip address]

    I have configured new profiling conditions on ISE, which use the cdp attributes:

    and used these conditions in a new profiling policy for the 114x AP:

    ISE is configured to listen to DHCP, radius, DNS and SNMP traps ....

    However, the only thing ISE sees of this AP, is the dhcp probe:

    and therefore, the 114x policy has no effect .......

    ISE version is the following:

    Cisco Application Deployment Engine OS Release: 2.0

    ADE-OS Build Version:

    ADE-OS System Architecture: i386

    Copyright (c) 2005-2011 by Cisco Systems, Inc.

    All rights reserved.

    Hostname: deess01nise02

    Version information of installed applications


    Cisco Identity Services Engine


    Version      :

    Build Date   : Fri Oct 26 21:10:35 2012

    Install Date : Fri Jan 18 07:18:49 2013

    Cisco Identity Services Engine Patch


    Version      : 2

    Install Date : Mon Jan 21 07:36:50 2013

    Cisco Identity Services Engine Patch


    Version      : 3

    Install Date : Mon Jan 21 07:42:11 2013

    Version of the switch:

    cisco WS-C3560CG-8PC-S (PowerPC) processor (revision C0) with 131072K bytes of memory.

    Processor board ID FOC1619Y180

    Last reset from power-on

    7 Virtual Ethernet interfaces

    10 Gigabit Ethernet interfaces

    The password-recovery mechanism is enabled.

    512K bytes of flash-simulated non-volatile configuration memory.

    Base ethernet MAC Address       : 58:BF:EA:B9:AC:80

    Motherboard assembly number     : 73-13272-06

    Power supply part number        : 341-0407-01

    Motherboard serial number       : FOC16174ZZ5

    Power supply serial number      : LIT16120XR8

    Model revision number           : C0

    Motherboard revision number     : A0

    Model number                    : WS-C3560CG-8PC-S

    System serial number            : FOC1619Y180

    Top Assembly Part Number        : 800-33676-02

    Top Assembly Revision Number    : A0

    Version ID                      : V02

    CLEI Code Number                : CMMD900ARB

    Hardware Board Revision Number  : 0x00

    Switch Ports Model              SW Version            SW Image

    ------ ----- -----              ----------            ----------

    *    1 10    WS-C3560CG-8PC-S   15.0(2)SE             C3560c405ex-UNIVERSALK9-M   

    What am I missing ??? Should this config make the switch send CDP information about connected devices to the ISE (via radius accounting) ???

    How do the device sensors work ???



    Everyone's tags (4)
    Who Me Too'd this topic