Cisco ISE Profiling using Device Sensor

The Device Sensor feature on Cisco Catalyst switches can be used for profiling on ISE. It collects additional information about endpoints connected to the switch using LLDP, CDP and DHCP protocols which other ISE Probes may not collect. The endpoint information is encapsulated in a RADIUS accounting packet and then forwarded to ISE. The Device Sensor utilises the ISE RADIUS Probe that should be enabled as default, therefore no additional probes need enabling.

Step 1 – Configured RADIUS

Refer to the previous post here on how to configure AAA on the switches

Step 2 – Enable LLDP/CDP

lldp run
cdp run

Step 3 – Configure Device Sensor

device-sensor accounting
device-sensor notify all-changes

device-sensor filter-list lldp list LLDP_LIST
tlv name system-description

device-sensor filter-spec lldp include list LLDP_LIST

Filter Lists can also be created for CDP and DHCP

Cisco Meraki AP Example

A good example of the usefulness of Device Sensor is when attempting to profile a Cisco Meraki Wireless Access Point. In a lab when ISE first discovered the device it was only identified as a “Cisco Switch”

By checking the ISE Profiling Policy of a Cisco-Meraki-Access-Point, we can determine that ISE uses LLDP to identify the device.

By enabling LLDP on the switch using the command “lldp run” the device was subsequently identified as a “Cisco Meraki Device”, close but not 100% correctly profiled.

After creating an LLDP filter list and including the required TLV attributes “lldp:SystemDescription” required to correctly profiling a Cisco Meraki Access Point, we can see that now the device is correctly profiled.

An Authorisation Rule can now be created to match any Cisco Meraki Access Point


Use the command “show lldp neighbors interfacename x/x detail

Use “show device-sensor cache all” to identify all of the CDP/LLDP attributes. If you include additional LLDP tlv’s in the filter list they would appear in the device sensor cache.




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.