ISE profiling behaviour close mode

Madura Malwatte
Level 4

How is everyone else doing profiling of MAB devices without allowing complete access? Is it mainly via just DHCP and SNMP probes? I did some tests and it seems that device-sensor via the RADIUS probe is completely useless, as it requires authentication to succeed before device-sensor info can be seen by ISE. So if no authentication = no CDP/LLDP/DHCP data = no profiling.

My default MAB policy is "deny access", so my access points are failing into this authz policy because ISE never gets to know anything about the AP (i.e. cdpCachePlatform) via device-sensor, because device-sensor requires the AP to be authenticated, and so it goes....

What's the best way to get around this? Would it be making the default MAB policy an access accept with a deny ip any any dACL, so that we can then get the RADIUS accounting packets with device-sensor data?

Or has anyone tried what Craig Hyps has suggested here - "Session-Aware Networking to force Device Sensor to send RADIUS Accounting even if Auth fails to transmit the CDP/LLDP info"?
