Using Device Sensor with Cisco ISE Profiling

The Device Sensor feature on Cisco Catalyst switches can be used for profiling on ISE. It collects additional information about endpoints connected to the switch using the LLDP, CDP and DHCP protocols, information that other ISE probes may not collect. The endpoint information is encapsulated in a RADIUS accounting packet and forwarded to ISE. Device Sensor utilises the ISE RADIUS probe, which is enabled by default, so no additional probes need to be enabled on ISE.

Configuration

Step 1 – Configure RADIUS

Refer to the previous post here on how to configure AAA on the switches.

Step 2 – Enable LLDP/CDP

lldp run
cdp run


Step 3 – Configure Device Sensor

device-sensor accounting
device-sensor notify all-changes

device-sensor filter-list lldp list LLDP_LIST
tlv name system-description

device-sensor filter-spec lldp include list LLDP_LIST

Filter lists can also be created for CDP and DHCP.
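The three steps above combined into one switch configuration, extended with the CDP and DHCP filter lists the post mentions. This is an added example, not the post's own configuration: the list names CDP_LIST and DHCP_LIST, the choice of TLVs and DHCP options, and the two accounting lines at the top are assumptions for illustration (LLDP_LIST and the system-description TLV come from the post). Adjust the TLV and option selection to what your ISE profiling policies actually match on.

```ios
! Added example: complete Device Sensor configuration for ISE profiling.
! Assumes AAA and the RADIUS server (Step 1) are already configured.
!
! Send vendor-specific attributes in accounting and push an interim
! accounting update when the cached attributes change, so ISE receives
! the new endpoint data and can re-profile the endpoint.
radius-server vsa send accounting
aaa accounting update newinfo
!
! Step 2: enable the discovery protocols Device Sensor listens to
lldp run
cdp run
!
! Step 3: LLDP filter list. system-description maps to the ISE attribute
! lldp:SystemDescription used by the Cisco-Meraki-Access-Point policy.
device-sensor filter-list lldp list LLDP_LIST
 tlv name system-name
 tlv name system-description
 tlv name system-capabilities
!
! CDP filter list (assumed list name and TLV selection)
device-sensor filter-list cdp list CDP_LIST
 tlv name device-name
 tlv name platform-type
!
! DHCP filter list (assumed list name): host name (option 12) and
! vendor class identifier (option 60) are common profiling attributes
device-sensor filter-list dhcp list DHCP_LIST
 option name host-name
 option name class-identifier
!
! Apply each list as an include list (only listed TLVs/options are cached)
device-sensor filter-spec lldp include list LLDP_LIST
device-sensor filter-spec cdp include list CDP_LIST
device-sensor filter-spec dhcp include list DHCP_LIST
!
! Forward the cached attributes in RADIUS accounting and notify on every change
device-sensor accounting
device-sensor notify all-changes
```

Include lists are preferable to sending every TLV: they keep the accounting packets small and limit what the switch forwards about an endpoint to the attributes ISE actually needs.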

Cisco Meraki AP Example

A good example of the usefulness of Device Sensor is when attempting to profile a Cisco Meraki wireless access point. In a lab, when ISE first discovered the device it was only identified as a “Cisco Switch”.


By checking the ISE profiling policy for Cisco-Meraki-Access-Point, we can see that ISE uses LLDP attributes to identify the device.


After enabling LLDP on the switch with the command “lldp run”, the device was identified as a “Cisco Meraki Device”: closer, but still not fully profiled.


After creating an LLDP filter list that includes the TLV attribute “lldp:SystemDescription” required to correctly profile a Cisco Meraki Access Point, the device is now correctly profiled.


An authorisation rule can now be created to match any Cisco Meraki Access Point.


Verification

Use the command “show lldp neighbors interfacename x/x detail” (for example “show lldp neighbors GigabitEthernet1/0/1 detail”) to confirm the switch is receiving LLDP from the endpoint and to see the System Description it advertises.

Use “show device-sensor cache all” to list the CDP/LLDP attributes cached per endpoint. If you include additional LLDP TLVs in the filter list, they will appear in the device sensor cache; a TLV missing from the cache will also be missing from the accounting packet sent to ISE.

