Comprehensive report of all endpoints on the network

jjahn
Level 1

Looking for some advice on how to best extract a list of all of the endpoints on my network (or at least on ISE 802.1x-authenticated ports!). We are in monitor mode at several sites, and trying to give a comprehensive answer about which endpoints are not meeting our policy and hitting the catch-all rule is proving more challenging than I was expecting.

Things I've looked at:

Live Sessions - seems like a good area, but I notice that long-lasting MAB sessions on the switch are still happily connected (and the switch access-session shows 'Authorized') but they disappear from ISE after some time. So I can't rely on this to tell me what's on the network.

Live Logs - way too much raw data to try and dump this out in report format and stitch back together, when I just need to know the most recent result per endpoint

Endpoint Profiler export - this is what I've been using. The Connected/Disconnected state seems to suffer similarly to the Live Sessions issue, but overall this is pretty good. The report is handy because you get the Authorization rule that was applied, switchport, IPs, hostnames, etc. all in one spot. I have noticed some oddities with exporting this though: multiple rows with the same MAC address and similar.

So...

I was wondering if I have an issue with my switch config that could be resolved to make the switch check in more often for MAB devices? In theory I would think RADIUS accounting would do that, but maybe I'm missing something. I never seem to notice this issue for 802.1x devices. Everything works perfectly, it just makes me a bit nervous giving the data to a project team and saying "this is what's in monitor mode that needs fixing" when I don't have full confidence in that data.

ISE 2.3 w/ Patch 2 - distributed environment w/ 8 PSNs

(Note: we were previously on 2.1 and I saw the same behavior, so it doesn't seem version dependent.)

I've attached a sanitized switch config. All of the access switches are 3850s, all should be running IOS XE 3.6.5 (there may be a tiny bit of variation here but not much)

Any thoughts?

Accepted Solution

There are two tools to achieve this:

  1. Endpoint Analysis Tool (EAT) available from iseeat.cisco.com
  2. "Get All Endpoints" option from PAN CLI:  # application configure ise

EAT was specifically developed to address the requirements for endpoint profile extraction for offline analysis and review.  Authorization report was specifically added to handle the use case you request >> Show me the policies that my endpoints are hitting by Location, Switch, Port, etc.   Show me which endpoints and users continue to hit default or incorrect policy!

The CLI option was added later and backported to earlier ISE versions as a way to extract same data without external app, but I still like the app for quickly filtering based on specific use case.  I think the CLI option is generally quicker.

Craig


5 Replies

jjahn
Level 1

Example of a switch port access-session for a device that is working fine, but doesn't show up as a live session in ISE:

----------------------------------------
            Interface:  GigabitEthernet1/0/46
               IIF-ID:  0x105468[snip]
          MAC Address:  [snip]
         IPv6 Address:  Unknown
         IPv4 Address:  [snip]
            User-Name:  [snip]
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
      Restart timeout:  N/A
       Session Uptime:  491277s
    Common Session ID:  0A5544120000164F5BFEF538
      Acct Session ID:  0x0000194C
               Handle:  0xA300033B
       Current Policy:  DOT1X-DEFAULT

Server Policies:
              ACS ACL:  xACSACLx-IP-ACL-PERMIT-ALL-56609d01

Method status list:
       Method           State
       dot1x            Stopped
       mab              Authc Success
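The access-session output above is the evidence that answers the original question: a session with no server-set session timeout and an uptime of 491277 s has never been asked to reauthenticate, so ISE will have aged it out long before the switch does. The following is an added Python example (my code, not from the thread, not a Cisco tool) that parses the "show access-session interface ... details" format shown above across one or more interfaces and flags sessions that have outlived an expected reauthentication interval. The sample output is constructed in the shape of the post, with placeholder MAC and IP values where the post had [snip]; the 65000 s threshold and the finding wording are assumptions, and the dashed line is used as the per-session separator.

```python
import re

# Constructed sample in the shape of the 'show access-session interface ... details'
# output pasted above; MAC and IP values are placeholders where the post had [snip].
SAMPLE_OUTPUT = """\
----------------------------------------
            Interface:  GigabitEthernet1/0/46
               IIF-ID:  0x10546800
          MAC Address:  0011.2233.4455
         IPv6 Address:  Unknown
         IPv4 Address:  10.85.68.20
            User-Name:  00-11-22-33-44-55
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
      Restart timeout:  N/A
       Session Uptime:  491277s
    Common Session ID:  0A5544120000164F5BFEF538
      Acct Session ID:  0x0000194C
               Handle:  0xA300033B
       Current Policy:  DOT1X-DEFAULT

Server Policies:
              ACS ACL:  xACSACLx-IP-ACL-PERMIT-ALL-56609d01

Method status list:
       Method           State
       dot1x            Stopped
       mab              Authc Success
"""

# 'Key:  Value' lines; 'Server Policies:' has no value and deliberately does not match.
KV_RE = re.compile(r"^\s*([A-Za-z0-9 \-]+?):\s+(\S.*?)\s*$")
# Rows of the 'Method status list' table.
METHOD_RE = re.compile(r"^\s*(dot1x|mab|webauth)\s+(\S.*?)\s*$")


def split_sessions(text):
    """Split multi-interface output on the dashed separator lines the switch prints."""
    blocks = re.split(r"^-{5,}\s*$", text, flags=re.MULTILINE)
    return [b for b in blocks if b.strip()]


def parse_session(block):
    """Return a dict of the 'Key:  Value' fields plus a 'methods' sub-dict."""
    session = {"methods": {}}
    in_methods = False
    for line in block.splitlines():
        if not line.strip():
            continue
        if line.strip() == "Method status list:":
            in_methods = True
            continue
        if in_methods:
            m = METHOD_RE.match(line)
            if m:
                session["methods"][m.group(1)] = m.group(2)
            continue
        m = KV_RE.match(line)
        if m:
            session[m.group(1).strip()] = m.group(2)
    return session


def uptime_seconds(value):
    """'491277s' -> 491277; None when the field is missing or not in that form."""
    m = re.fullmatch(r"(\d+)s", (value or "").strip())
    return int(m.group(1)) if m else None


def reauth_findings(session, expected_reauth=65000):
    """Flag sessions that show no reauth timer or have outlived the expected interval."""
    findings = []
    if session.get("Status") != "Authorized":
        findings.append("session is not Authorized")
    if session.get("Session timeout", "N/A") == "N/A":
        findings.append("no session timeout: no reauth timer applied to this session")
    up = uptime_seconds(session.get("Session Uptime"))
    if up is not None and up > expected_reauth:
        findings.append(f"uptime {up}s exceeds expected reauth interval {expected_reauth}s")
    methods = session["methods"]
    if methods.get("mab", "").startswith("Authc Success") and methods.get("dot1x") == "Stopped":
        findings.append("authorized by MAB only (dot1x stopped)")
    return findings


def audit(text, expected_reauth=65000):
    """Map each interface to its list of findings; an empty list means nothing to flag."""
    return {s.get("Interface", "?"): reauth_findings(s, expected_reauth)
            for s in (parse_session(b) for b in split_sessions(text))}


if __name__ == "__main__":
    for intf, notes in audit(SAMPLE_OUTPUT).items():
        print(intf, "->", notes or "ok")
```

Run it over the output of "show access-session interface <x> details" collected from each access switch; any port reported with "no session timeout" plus a large uptime is one ISE will have dropped from Live Sessions while the switch still shows it Authorized.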


Great options and I wasn't aware of either one previously! I will investigate both. Thanks much.

paul
Level 10

You don't appear to have reauthentication enabled on your switch ports:

authentication periodic
authentication timer reauthenticate server

This allows ISE to set the reauth timer.  All my wired authorization profiles have a reauth timer of 65,000 seconds.  I am guaranteed to get an accurate picture of what is connected to the network each day.

ISE has several bugs on the Context Visibility screen that make it a bit hard to answer the question "What is hitting the Catch All rule as their last authentication?". One of the pitfalls of CPL is that every Dot1x MAC address will do a Catch All MAB because CPL does MAB and Dot1x at the same time.

I have a macro that I have been using since ISE 1.0 to process the radius authentication report to point out devices sitting in the Monitor Catch All state.

If the Context Visibility screen reliably updated the Authorization Profile column for each authentication you could use Context Visibility, but it is not reliable at this point.
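Paul's macro is not posted, so here is an added Python example (my code, not Paul's macro and not an ISE feature) of the same reduction over an exported RADIUS authentication report: keep the most recent result per MAC, then report the endpoints whose last result is still the monitor-mode catch-all rule. It also handles the CPL pitfall described above: a MAB catch-all hit is not counted against a MAC that passed dot1x within a short window of it, because under CPL the dot1x endpoint triggers both at once. The report rows, the column headers, the rule name "Monitor-Catch-All" and the 120 s window are all constructed assumptions; map the headers to whatever your ISE export actually uses.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows in the shape of an exported RADIUS authentication report.
# The column names and rule names are assumptions, not ISE's exact export headers.
SAMPLE_REPORT = """\
Logged At,MAC Address,Authentication Method,Authorization Rule,Authorization Profile
2018-06-01 08:00:05,00:11:22:33:44:55,dot1x,Corp-Domain-Computers,PermitAccess
2018-06-01 08:00:06,00:11:22:33:44:55,mab,Monitor-Catch-All,Monitor-PermitAll
2018-06-01 08:10:00,AA:BB:CC:DD:EE:01,mab,Printers,Printer-VLAN
2018-06-01 07:00:00,AA:BB:CC:DD:EE:02,mab,Printers,Printer-VLAN
2018-06-01 08:12:00,AA:BB:CC:DD:EE:02,mab,Monitor-Catch-All,Monitor-PermitAll
2018-06-01 09:00:00,AA:BB:CC:DD:EE:03,dot1x,Monitor-Catch-All,Monitor-PermitAll
"""

CATCH_ALL_RULES = {"Monitor-Catch-All"}   # assumed name of the monitor-mode catch-all rule
CPL_WINDOW = timedelta(seconds=120)        # how close a dot1x pass must be to explain a MAB catch-all


def load_report(text):
    """Parse the CSV export and attach a datetime to each row."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"] = datetime.strptime(r["Logged At"], "%Y-%m-%d %H:%M:%S")
        rows.append(r)
    return rows


def classify(rows):
    """One verdict per MAC: the latest result, with the CPL dual-auth pitfall
    accounted for (a dot1x pass right next to a MAB catch-all hit means the
    endpoint is really a dot1x endpoint, not a catch-all one)."""
    by_mac = defaultdict(list)
    for r in rows:
        by_mac[r["MAC Address"].upper()].append(r)
    verdicts = {}
    for mac, recs in by_mac.items():
        recs.sort(key=lambda r: r["ts"])
        latest = recs[-1]
        is_catch_all = latest["Authorization Rule"] in CATCH_ALL_RULES
        if is_catch_all and latest["Authentication Method"].lower() == "mab":
            # CPL pitfall: look for a non-catch-all dot1x result within the window.
            for r in recs:
                if (r["Authentication Method"].lower() == "dot1x"
                        and r["Authorization Rule"] not in CATCH_ALL_RULES
                        and abs(r["ts"] - latest["ts"]) <= CPL_WINDOW):
                    latest, is_catch_all = r, False
                    break
        verdicts[mac] = {
            "verdict": "catch-all" if is_catch_all else "ok",
            "method": latest["Authentication Method"],
            "rule": latest["Authorization Rule"],
            "when": latest["ts"],
        }
    return verdicts


def catch_all_endpoints(rows):
    """Sorted MACs whose most recent meaningful result is still the catch-all rule."""
    return sorted(m for m, v in classify(rows).items() if v["verdict"] == "catch-all")


if __name__ == "__main__":
    for mac, v in classify(load_report(SAMPLE_REPORT)).items():
        print(mac, v["verdict"], v["method"], v["rule"], v["when"])
```

In the constructed sample, the first MAC is rescued by its dot1x pass one second earlier, the printer is fine, the second printer-looking MAC has genuinely fallen to the catch-all, and the last MAC hit the catch-all on dot1x itself, so only the last two are reported. With reauthentication set to a daily interval as described above, the report for the last 24 hours contains one fresh result for every connected endpoint, which is what makes this reduction trustworthy.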

Thanks Paul - I figured it was something silly I missed. That's got to be the issue with the reauth.
