07-16-2018 07:33 AM
I have a customer who has disabled Radius probes on recommendation by TAC. I should get more clarity today.
It was my understanding that enabling Radius probes was a best practice recommendation.
Also Craig mentioned before on the below link that there was a plan to make Radius probe mandatory.
Re: MAC address using only DHCP probes
I have also seen some weird behaviour in lab while testing NMAP profiling without Radius probes enabled.
07-16-2018 12:16 PM
Hi Utkarsh,
What is the use case here?
ISE profiling requires MAC and IP address as necessary attributes for profiling to work.
MAC and IP can typically be gathered by DHCP and RADIUS. Other probes that typically use IP addresses, such as NMAP, need this information. Also, for NMAP to work you have to make sure to disable the firewall on endpoints and try a manual scan as well.
Please use the Profiling best practices guide (pg 127 through 139) for information on what probes should be used in what situation.
Thanks
Krishnan
07-16-2018 09:10 AM
>> "It was my understanding that enabling Radius probes was a best practice recommendation."
This is False and RADIUS profiling is critical to support a number of core functions. It is actually enabled by default and runs without Plus license.
07-16-2018 09:14 AM
Craig, so RADIUS profiling should always be enabled even though there is an option to disable it?
07-17-2018 04:09 PM
I have to chime in here because this topic has bothered me since day 1. By default, the Profiling checkbox is enabled when you install ISE. And in the past I always unchecked that box for customers who don't have Plus licensing. I thought this made some logical sense. As Craig always says, only enable what needs to be enabled. Right??? I have no idea how much compute power I save by doing that.
But the murky details about what is really happening under the covers have never been properly explained (or at least I have not found that explanation). Here is what I believe is happening:
The word "probe" is misleading in the case where NADs are sending Device Sensor data via RADIUS Accounting, because ISE is not doing any active probing at all. It's a gratuitous piece of data from the NAD that ISE decodes and uses for various purposes.
Just to save myself the heartache, I just leave Profiling enabled even for customers who don't have Plus Licenses. On the upside, the application services don't restart when I do that (bonus!), and what's the worst that can happen, right? Customers who don't care about profiling for their AuthZ might still be interested to know what types of devices are on their network (just for statistical purposes).