The Device Sensor feature on Cisco Catalyst switches can be used to feed ISE profiling. It collects information about endpoints connected to the switch from the LLDP, CDP and DHCP traffic the switch already sees, data that the other ISE probes may not be able to collect, and forwards it to ISE as attributes inside RADIUS accounting packets. Because the data arrives over RADIUS, Device Sensor only relies on the ISE RADIUS probe, which is enabled by default, so no additional probes need enabling.
Configuration
Step 1 – Configure RADIUS
Refer to the previous post here on how to configure AAA and RADIUS accounting on the switches; Device Sensor data is carried in accounting packets, so accounting must be in place before anything below will reach ISE.
Step 2 – Enable LLDP/CDP
lldp run
cdp run
Step 3 – Configure Device Sensor
device-sensor accounting
device-sensor notify all-changes
device-sensor filter-list lldp list LLDP_LIST
 tlv name system-description
device-sensor filter-spec lldp include list LLDP_LIST
Filter lists can be created for CDP and DHCP in the same way, each with its own filter-spec, so that only the TLVs a profiling policy actually needs are forwarded to ISE.
Cisco Meraki AP Example
A good example of the usefulness of Device Sensor is profiling a Cisco Meraki wireless access point. When ISE first discovered the device in the lab, it was identified only as a “Cisco Switch”.
Checking the ISE profiling policy Cisco-Meraki-Access-Point shows that ISE relies on LLDP attributes to identify the device.
After enabling LLDP on the switch with “lldp run”, the device was identified as a “Cisco Meraki Device”: closer, but still not correctly profiled.
After creating an LLDP filter list that includes the TLV the Cisco Meraki Access Point policy requires (“lldp:SystemDescription”), the device is correctly profiled.
An Authorisation Rule can now be created to match any Cisco Meraki Access Point.
Verification
Use “show lldp neighbors interfacename x/x detail” to confirm the switch is actually receiving LLDP from the endpoint on that port, including the System Description field.
Use “show device-sensor cache all” to list the CDP/LLDP (and DHCP) attributes the switch has collected for each endpoint. Any additional LLDP TLVs included in the filter list appear in the device sensor cache; if a TLV the profiling policy depends on is absent here, it is not reaching ISE either.
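The cache output is easy to eyeball for one port but tedious for a stack. The following is an added example, not code from the original post: a small parser that reads “show device-sensor cache all” output, decodes each cached TLV and reports which endpoints are missing the lldp:SystemDescription attribute the Meraki policy needs. The sample output is constructed to follow the Cisco column layout (MACs and values are made up), and it assumes the Value column holds the raw TLV including its protocol header (2 bytes for LLDP and DHCP, 4 for CDP), which is stripped before decoding.

```python
"""Check `show device-sensor cache all` output for the LLDP TLV a profiling
policy depends on (here lldp:SystemDescription) and decode what was cached.

Added example for this post, not code from the original. SAMPLE_CACHE is
constructed to follow the Cisco column layout; MACs and values are made up.
Assumption: the Value column is the raw TLV including its protocol header
(2 bytes for LLDP and DHCP, 4 for CDP), which is stripped before decoding.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: an AP whose LLDP system-description was collected
# (filter list in place) and a phone the switch has only seen via CDP.
SAMPLE_CACHE = """\
Device: 0cc4.7a11.2233 on port GigabitEthernet1/0/5
--------------------------------------------------
Proto Type:Name                       Len Value
LLDP    6:system-description           13 0C 0B 4D 65 72 61 6B 69 20 4D 52 33 33
LLDP    5:system-name                   9 0A 07 4D 52 33 33 2D 41 50
Device: 0050.56a1.0001 on port GigabitEthernet1/0/7
--------------------------------------------------
Proto Type:Name                       Len Value
CDP     6:platform-type                15 00 06 00 0F 43 69 73 63 6F 20 50 68 6F 6E 65
"""

DEVICE_RE = re.compile(
    r"^Device:\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+on port\s+(?P<port>\S+)"
)
ATTR_RE = re.compile(
    r"^(?P<proto>LLDP|CDP|DHCP)\s+(?P<type>\d+):(?P<name>\S+)\s+(?P<len>\d+)\s+"
    r"(?P<hex>(?:[0-9A-Fa-f]{2}\s*)+)$"
)
HEADER_LEN = {"LLDP": 2, "CDP": 4, "DHCP": 2}   # TLV header bytes per protocol (assumed)


@dataclass
class Attribute:
    proto: str
    tlv_type: int
    name: str
    raw: bytes

    def text(self) -> str:
        """Value bytes after the TLV header, decoded as ASCII."""
        return self.raw[HEADER_LEN[self.proto]:].decode("ascii", errors="replace")


@dataclass
class Endpoint:
    mac: str
    port: str
    attrs: list = field(default_factory=list)

    def get(self, proto: str, name: str):
        return next((a for a in self.attrs if a.proto == proto and a.name == name), None)


def parse_cache(text: str) -> dict:
    """Return {mac: Endpoint} parsed from `show device-sensor cache all`."""
    endpoints, current = {}, None
    for line in text.splitlines():
        m = DEVICE_RE.match(line)
        if m:
            current = Endpoint(m["mac"], m["port"])
            endpoints[current.mac] = current
            continue
        m = ATTR_RE.match(line)
        if not m or current is None:
            continue  # column header, separator rule or blank line
        raw = bytes.fromhex(m["hex"])
        if len(raw) != int(m["len"]):  # Len column must match the dumped bytes
            raise ValueError(f"{current.mac}: Len {m['len']} but {len(raw)} bytes dumped")
        current.attrs.append(Attribute(m["proto"], int(m["type"]), m["name"], raw))
    return endpoints


def missing(endpoints: dict, required=(("LLDP", "system-description"),)) -> dict:
    """{mac: [(proto, name), ...]} for endpoints lacking a required attribute.

    An empty result means every cached endpoint carries what the profiling
    policy needs; a populated one points at ports where LLDP is off or the
    filter list does not include the TLV.
    """
    gaps = {}
    for mac, ep in endpoints.items():
        absent = [(p, n) for p, n in required if ep.get(p, n) is None]
        if absent:
            gaps[mac] = absent
    return gaps


def system_description(endpoints: dict, mac: str):
    """Decoded lldp:SystemDescription for one endpoint, or None if not cached."""
    attr = endpoints[mac].get("LLDP", "system-description")
    return attr.text() if attr else None


if __name__ == "__main__":
    eps = parse_cache(SAMPLE_CACHE)
    for mac, ep in eps.items():
        print(mac, ep.port, [(a.proto, a.name, a.text()) for a in ep.attrs])
    print("missing:", missing(eps))
```

Paste the real switch output in place of SAMPLE_CACHE. The decoded system-description string is the value ISE evaluates in the Cisco-Meraki-Access-Point policy's LLDP condition, so compare it directly against the condition shown in that policy; any endpoint listed by missing() will never match that condition, whatever the policy says.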