Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
235
Views
1
Helpful
6
Replies

What is the minimum port configuration necessary to profile host?

DamianRCL
Level 1
Level 1

‎04-15-2024 09:46 AM

Hello,

If I simply want to profile network hosts without subjecting them to dot1x, what is the minimum port configuration necessary to accomplish this?

0 Helpful
6 Replies 6

Rob Ingram
VIP
VIP

‎04-15-2024 09:52 AM

@DamianRCL you'd need to configure MAB

You'd probably also want to ensure you configure device sensor to learn about the endpoints from the switch and send to ISE in the RADIUS packet, so you have more information to profile the endpoints.

Refer to the IBNS1.0 configuration for monitor mode and device sensor sections. https://community.cisco.com/t5/security-knowledge-base/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515#toc-hId--657806293

0 Helpful

DamianRCL
Level 1
Level 1
In response to Rob Ingram

‎04-15-2024 11:21 AM

Thanks, Rob. I'll take a look.

0 Helpful

Aref Alsouqi
VIP
VIP

‎04-16-2024 04:22 AM

If you rely on device sensor then I would say nothing would be required from the switch ports perspective because the device sensor feeds will be sent by the switch to ISE regardless if the port is configured for dot1x or MAB.

0 Helpful

ahollifield
VIP
VIP

‎04-16-2024 04:26 AM

@Matt Albrecht - didn't you have a "profile/visibility only" config?

Matt Albrecht
Level 1
Level 1
In response to ahollifield

‎04-16-2024 09:21 AM - edited ‎04-16-2024 02:42 PM

I do, take a look at the attached template file.

@DamianRCL you may adapt the sensor filters as needed for your environment, the below is an IBNS2.0-based config that puts the interfaces into an authorized state, with no MAB or 802.1x needed, to pull device-sensor information and ship it to ISE for profiling unintrusively.

The key commands are access-session monitor, which creates an access session for ALL ports on the switch, and the language of the service-policy which, essentially, says to immediately authorize the port if a session exists, which it will thanks to the access-session monitor command:

policy-map type control subscriber ISE_VISIBILITY
 event session-started match-all
  10 class always do-until-failure
   10 authorize

This results in all interfaces having an up session, in an authorized state without having to interact with the end station at all, and the switch can gather data and send via device-sensor.

The attached template is distilled directly from here - https://community.cisco.com/t5/security-knowledge-base/ise-profiling-design-guide/ta-p/3739456

Hope this helps.

Matt Albrecht
CCIE Security #68011
Preview file
4 KB
0 Helpful

DamianRCL
Level 1
Level 1
In response to Matt Albrecht

‎04-16-2024 11:43 AM

This is tremendous, Matt. Thank you!

0 Helpful
Customers Also Viewed These Support Documents