Deploying ISE for Wired Visibility on Switches

pacavell
Cisco Employee

My customer is evaluating ISE 2.4 primarily for visibility. A large part of that is getting visibility of the wired endpoints on their network. We would like to set up Device Sensor probes for them on their switches. I've gone through the new ISE Profiling Design Guide and looked at the info about a deployment on switches that does not presuppose any previous configuration for RADIUS AAA. We've added what we think are the needed config lines on a test switch (2960X) and defined the switch in ISE. We've run the "test aaa group....." command and confirmed the switch can speak RADIUS to ISE. Running the "show device-sensor cache all" command displays the expected output. However, we have not added any RADIUS port-level commands on the switch (only global commands). The switch is not showing up in ISE (Context Visibility --> Network Devices) and we don't see any endpoints that are connected to the switch being reported in ISE. Also note that wireless visibility is working fine.

 

Any guidance on what we may be missing? We did not include any port-level configs because we are not doing any authentication/authorization, but I'm thinking that may be the problem. I'm wondering whether I really need to apply the port-level RADIUS configs to place the switch in "Monitor Mode" to get it to start sending the RADIUS info to ISE without forcing any access control. In my ISE 2.4 lab I have 2 switches defined along with all the global AND port-level RADIUS configs, and my switches are showing up and reporting on their attached endpoints via the RADIUS probes.

 

Thanks for any assistance.

 

1 Accepted Solution

mnagired
Cisco Employee

Hi,

Please refer to the Device-Sensor section in the deployment guide below for the configurations related to device-sensor; the CLI is more or less the same for the 2960X as well.

https://community.cisco.com/t5/mcc-security-archive-documents/cisco-ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3759910

You need the configuration below for Device-Sensor data:

    1. Enable accounting augmentation under the respective sections:

    aaa new-model
    ! send dot1x/MAB session accounting (the carrier for device-sensor data) to the RADIUS group
    aaa accounting dot1x default start-stop group radius
    !
    ! ISE listens on 1812/1813; the classic radius-server host form defaults to 1645/1646 if the ports are omitted
    radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
    !
    ! attach the collected CDP/LLDP/DHCP TLVs to accounting as Cisco VSAs and resend on every change
    radius-server vsa send accounting
    device-sensor accounting
    device-sensor notify all-changes

    2. Gather raw endpoint data from protocols such as CDP, LLDP and DHCP; refer to the URL above for the configs.

 

Hope this helps..


9 Replies

Hi, when you configure the RADIUS server on the switch, you need to define RADIUS ports 1812 and 1813, which ISE uses for authentication, authorization and accounting. Even if you don't use AAA, you need to point to the right ports.

By default the switch uses 1645 and 1646.

Thanks Mohammed. I have defined ports 1812 and 1813.

Please share your switch configuration.

Curious if you have the right config. Here is what I remember:

=======================================

aaa new-model
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
!
! server group "ISE" referencing the named RADIUS server defined below
aaa group server radius ISE
 server name CISCO
!
! CoA client (ISE PSN) for dynamic authorization
aaa server radius dynamic-author
 client 1.1.1.1 server-key cisco
!
radius server CISCO
 address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
 key cisco
!
! attributes ISE expects in Access-Requests (Service-Type, Framed-IP, Framed-Protocol, Calling-Station-Id as MAC)
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server vsa send authentication
radius-server vsa send accounting
!
ip device tracking
!
epm logging
!
dot1x system-auth-control
!
dot1x logging verbose
!

======================================

Kindly make sure you have the RADIUS ports correctly configured on both ISE and the switch.

 

please do not forget to rate.


I’ve included all those lines in my config. What I don’t have are any port level config commands. I’m thinking that is the issue.

Port-level config is only needed when you are doing dot1x authentication or MAB etc., or unless you have CTS running on the ports where your core is acting as the seed switch.

please do not forget to rate.

Yes, that's right, you need the port-level authentication configs, and yes, it can be in monitor mode as well.

 

Found this old doc.. Refer to the troubleshooting section..

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200292-Configure-Device-Sensor-for-ISE-Profilin.html
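The complete switch-side configuration the thread converges on, in one place: the device-sensor accounting lines from the accepted answer above, the RADIUS server/port definitions from the earlier replies, and the port-level monitor-mode commands this reply says are needed. This is an added example written for this page, not configuration from any of the posters or from Cisco's deployment guide. The ISE PSN address 10.0.0.10, the shared secret, the server names ISE-PSN-1 and ISE, VLAN 100 and the interface range are placeholders; the classic `authentication ...` interface syntax is the one a 2960X running IOS 15.x accepts, not the newer IBNS 2.0 policy-map form.

```ios
! ---- Global AAA: all of it talks to ISE on 1812/1813 (not the 1645/1646 defaults) ----
aaa new-model
aaa authentication dot1x default group ISE
aaa authorization network default group ISE
aaa accounting dot1x default start-stop group ISE
! periodic interim updates keep the ISE session (and the endpoint's IP) current
aaa accounting update newinfo periodic 2880
!
radius server ISE-PSN-1
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key S3cr3t-change-me
!
aaa group server radius ISE
 server name ISE-PSN-1
!
! CoA from ISE (used by profiling when an endpoint changes profile)
aaa server radius dynamic-author
 client 10.0.0.10 server-key S3cr3t-change-me
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server attribute 31 mac format ietf upper-case
radius-server vsa send authentication
radius-server vsa send accounting
!
dot1x system-auth-control
ip device tracking
!
! ---- Device sensor: pick the CDP/LLDP/DHCP TLVs worth shipping to ISE ----
device-sensor filter-list cdp list cdp-list
 tlv name device-name
 tlv name address-type
 tlv name capabilities-type
 tlv name platform-type
 tlv name version-type
device-sensor filter-spec cdp include list cdp-list
!
device-sensor filter-list lldp list lldp-list
 tlv name system-name
 tlv name system-description
 tlv name system-capabilities
device-sensor filter-spec lldp include list lldp-list
!
device-sensor filter-list dhcp list dhcp-list
 option name host-name
 option name class-identifier
 option name client-identifier
 option name parameter-request-list
device-sensor filter-spec dhcp include list dhcp-list
!
! the sensor data only reaches ISE inside RADIUS accounting, so both of these are required
device-sensor accounting
device-sensor notify all-changes
!
cdp run
lldp run
!
! ---- Port level, monitor mode: a session is created (so accounting is sent) but nothing is blocked ----
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 100
 ! open mode: traffic flows before/regardless of the authentication result
 authentication open
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

Without the `authentication port-control auto` / `mab` block on the interfaces no session is ever created, so there is nothing for `aaa accounting dot1x` to report and ISE never learns about the switch's endpoints, which matches what the original post describes. After applying this, `show authentication sessions interface GigabitEthernet1/0/1` should show a session per connected MAC and `show device-sensor cache all` the collected TLVs. One caveat for a visibility-only deployment: `authentication open` stops the switch from blocking traffic on failure, but it does not stop an authorization result (dACL, VLAN, SGT) returned by ISE from being applied, so the ISE policy for these switches should return plain PermitAccess until the customer is ready to enforce.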

I am sorry, I mixed up my post. My apologies, I thought this post was for CTS trouble.

Too many windows open in my browser, so please forgive me.

please do not forget to rate.