
Cisco ISE Endpoint Profiling Policies

  Cisco ISE Profiling Service, page 1
  Configure Profiling Service in Cisco ISE Nodes, page 3
  Network Probes Used by Profiling Service, page 3
  Configure Probes per Cisco ISE Node, page 12
  Setup CoA, SNMP RO Community, and Endpoint Attribute Filter, page 12
  Attribute Filters for ISE Database Persistence and Performance, page 16
  Attributes Collection from IOS Sensor Embedded Switches, page 18
  Endpoint Profiling Policy Rules, page 20
  Create Endpoint Profiling Policies, page 21
  Predefined Endpoint Profiling Policies, page 24
  Endpoint Profiling Policies Grouped into Logical Profiles, page 27
  Profiling Exception Actions, page 27
  Profiling Network Scan Actions, page 28
  Cisco ISE Integration with Cisco NAC Appliance, page 35
  Create Endpoints with Static Assignments of Policies and Identity Groups, page 37
  Identified Endpoints, page 41
  Create Endpoint Identity Groups, page 43
  Profiler Feed Service, page 46
  Profiler Reports, page 49

Cisco Identity Services Engine Administrator Guide, Release 1.4.1

Cisco ISE Profiling Service

The profiling service in Cisco Identity Services Engine (ISE) identifies the devices that connect to your network and their location. The endpoints are profiled based on the endpoint profiling policies configured in Cisco ISE. Cisco ISE then grants permission to the endpoints to access the resources in your network based on the result of the policy evaluation.

The profiling service:
  • Facilitates an efficient and effective deployment and ongoing management of authentication by using IEEE standard 802.1X port-based authentication access control, MAC Authentication Bypass (MAB) authentication, and Network Admission Control (NAC) for any enterprise network of varying scale and complexity.
  • Identifies, locates, and determines the capabilities of all of the attached network endpoints regardless of endpoint types.
  • Protects against inadvertently denying access to some endpoints.

Endpoint Inventory Using Profiling Service

You can use the profiling service to discover, locate, and determine the capabilities of all the endpoints connected to your network. You can ensure and maintain appropriate access of endpoints to the enterprise network, regardless of their device types.

The profiling service collects attributes of endpoints from the network devices and the network, classifies endpoints into a specific group according to their profiles, and stores endpoints with their matched profiles in the Cisco ISE database. All the attributes that are handled by the profiling service need to be defined in the profiler dictionaries.

The profiling service identifies each endpoint on your network, and groups those endpoints according to their profiles to an existing endpoint identity group in the system, or to a new group that you can create in the system. By grouping endpoints, and applying endpoint profiling policies to the endpoint identity group, you can determine the mapping of endpoints to the corresponding endpoint profiling policies.

Cisco ISE Profiler Queue Limit Configuration

The Cisco ISE profiler collects a significant amount of endpoint data from the network in a short period of time. This causes Java Virtual Machine (JVM) memory utilization to go up because of the backlog that accumulates while some of the slower Cisco ISE components process the data generated by the profiler, which results in performance degradation and stability issues.

To ensure that the profiler does not increase the JVM memory utilization, and to prevent the JVM from running out of memory and restarting, limits are applied to the following internal components of the profiler:
  • Endpoint Cache—The internal cache is limited in size and is purged periodically (based on a least-recently-used strategy) when the size exceeds the limit.
  • Forwarder—The main ingress queue of endpoint information collected by the profiler.
  • Event Handler—An internal queue that decouples a fast component from the slower processing component it feeds (typically one that performs database queries).

Endpoint Cache
  maxEndPointsInLocalDb        100000 (endpoint objects in cache)
  endPointsPurgeIntervalSec    300 (endpoint cache purge thread interval in seconds)

  numberOfProfilingThreads     8 (number of threads)

The limit applies to all profiler internal event handlers. A monitoring alarm is triggered when the queue size limit is reached.

Cisco ISE Profiler Queue Size Limits
  forwarderQueueSize           5000 (endpoint collection events)
  eventHandlerQueueSize        10000 (events)

Event Handlers
  • NetworkDeviceEventHandler—For network device events, in addition to filtering duplicate Network Access Device (NAD) IP addresses, which are already cached.
  • ARPCacheEventHandler—For ARP Cache events.

Configure Profiling Service in Cisco ISE Nodes

You can configure the profiling service that provides you a contextual inventory of all the endpoints that are using your network resources in any Cisco ISE-enabled network.

You can configure the profiling service to run on a single Cisco ISE node that assumes all Administration, Monitoring, and Policy Service personas by default.

In a distributed deployment, the profiling service runs only on Cisco ISE nodes that assume the Policy Service persona and does not run on other Cisco ISE nodes that assume the Administration and Monitoring personas.

Step 1  Choose Administration > System > Deployment.
Step 2  Choose a Cisco ISE node that assumes the Policy Service persona.
Step 3  Click Edit in the Deployment Nodes page.
Step 4  On the General Settings tab, check the Policy Service check box. If the Policy Service check box is unchecked, both the session services and the profiling service check boxes are disabled.
Step 5  Perform the following tasks:
        a) Check the Enable Session Services check box to run the Network Access, Posture, Guest, and Client Provisioning session services.
        b) Check the Enable Profiling Services check box to run the profiling service.
Step 6  Click Save to save the node configuration.

Network Probes Used by Profiling Service

A network probe is a method used to collect an attribute or a set of attributes from an endpoint on your network. The probe allows you to create or update endpoints with their matched profile in the Cisco ISE database.
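The queue-limit design described under Cisco ISE Profiler Queue Limit Configuration above (an LRU-purged endpoint cache plus bounded ingress queues that raise an alarm instead of growing without limit) is easier to reason about in code. The following is an added example, not Cisco ISE code and not taken from this guide; it borrows the parameter names maxEndPointsInLocalDb, endPointsPurgeIntervalSec and forwarderQueueSize from the page, while the class layout, the demo scenario and its tiny limits are constructed for illustration.

```python
"""Added example (not Cisco ISE code): a bounded, LRU-purged endpoint cache and a
bounded ingress queue modelled on the profiler limits described in the guide.
Parameter names follow the page; the Python structure and demo values are assumptions."""
from collections import OrderedDict, deque
import time


class EndpointCache:
    """Holds at most max_endpoints entries (maxEndPointsInLocalDb); a purge run drops
    the least-recently-used entries once the size exceeds the limit."""

    def __init__(self, max_endpoints=100000, purge_interval_sec=300):
        self.max_endpoints = max_endpoints              # maxEndPointsInLocalDb
        self.purge_interval_sec = purge_interval_sec    # endPointsPurgeIntervalSec
        self._entries = OrderedDict()                   # mac -> attributes, oldest first
        self._last_purge = time.monotonic()

    def update(self, mac, attributes):
        """Create or refresh an endpoint; touching it makes it most-recently-used."""
        mac = mac.lower()
        if mac in self._entries:
            self._entries.move_to_end(mac)
            self._entries[mac].update(attributes)
        else:
            self._entries[mac] = dict(attributes)

    def purge(self, now=None):
        """Evict least-recently-used endpoints until within the limit; return count evicted."""
        self._last_purge = time.monotonic() if now is None else now
        purged = 0
        while len(self._entries) > self.max_endpoints:
            self._entries.popitem(last=False)   # oldest (least recently used) first
            purged += 1
        return purged

    def purge_due(self, now=None):
        """True once the purge interval has elapsed since the last purge run."""
        now = time.monotonic() if now is None else now
        return now - self._last_purge >= self.purge_interval_sec

    def macs(self):
        return list(self._entries)

    def __len__(self):
        return len(self._entries)


class BoundedQueue:
    """Ingress queue (forwarderQueueSize-style) that rejects events past its limit and
    records a monitoring alarm instead of letting the backlog consume memory."""

    def __init__(self, queue_size=5000, name="forwarder"):
        self.queue_size = queue_size
        self.name = name
        self._items = deque()
        self.alarms = []

    def offer(self, event):
        if len(self._items) >= self.queue_size:
            self.alarms.append(f"{self.name} queue size limit {self.queue_size} reached")
            return False
        self._items.append(event)
        return True

    def poll(self):
        return self._items.popleft() if self._items else None

    def __len__(self):
        return len(self._items)


def demo():
    """Constructed scenario: a cache limited to 3 endpoints receives 5 (one refreshed),
    and a queue limited to 2 events receives 3."""
    cache = EndpointCache(max_endpoints=3, purge_interval_sec=1)
    for i in range(5):
        cache.update(f"00:11:22:33:44:0{i}", {"seen": i})
    cache.update("00:11:22:33:44:00", {"seen": 99})   # refresh the oldest entry
    purged = cache.purge()
    due_later = cache.purge_due(now=time.monotonic() + 5)
    queue = BoundedQueue(queue_size=2)
    accepted = [queue.offer({"mac": m}) for m in ("a", "b", "c")]
    return purged, sorted(cache.macs()), accepted, len(queue.alarms), due_later
```

The refreshed endpoint survives the purge while the two untouched oldest entries are evicted, and the third event offered to the full queue is refused with an alarm recorded, which is the behaviour the page attributes to the profiler's forwarder and event-handler limits.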

Cisco ISE can profile devices using a number of network probes that analyze the behavior of devices on the network and determine the type of the device. Network probes help you to gain more network visibility.

IP Address and MAC Address Binding

You can create or update endpoints only by using their MAC addresses in an enterprise network. If you do not find an entry in the ARP cache, then you can create or update endpoints by using the L2 MAC address of an HTTP packet and the IN_SRC_MAC of a NetFlow packet in Cisco ISE. The profiling service depends on L2 adjacency when endpoints are only a hop away. When endpoints are L2 adjacent, the IP addresses and MAC addresses of endpoints are already mapped, and there is no need for IP-MAC cache mapping. If endpoints are not L2 adjacent and are multiple hops away, mapping may not be reliable. Some of the known attributes of NetFlow packets that you collect include PROTOCOL, L4_SRC_PORT, IPV4_SRC_ADDR, L4_DST_PORT, IPV4_DST_ADDR, IN_SRC_MAC, OUT_DST_MAC, IN_DST_MAC, and OUT_SRC_MAC. When endpoints are not L2 adjacent and are multiple L3 hops away, the IN_SRC_MAC attributes carry only the MAC addresses of L3 network devices. When the HTTP probe is enabled in Cisco ISE, you can create endpoints only by using the MAC addresses of HTTP packets, because the HTTP request messages do not carry IP addresses and MAC addresses of endpoints in the payload data. Cisco ISE implements an ARP cache in the profiling service, so that you can reliably map the IP addresses and the MAC addresses of endpoints. For the ARP cache to function, you must enable either the DHCP probe or the RADIUS probe. The DHCP and RADIUS probes carry the IP addresses and the MAC addresses of endpoints in the payload data. The dhcp-requested-address attribute in the DHCP probe and the Framed-IP-Address attribute in the RADIUS probe carry the IP addresses of endpoints, along with their MAC addresses, which can be mapped and stored in the ARP cache.

NetFlow Probe

The Cisco ISE profiler implements Cisco IOS NetFlow Version 9. We recommend using NetFlow Version 9, which has additional functionality needed to enhance the profiler to support the Cisco ISE profiling service. You can collect NetFlow Version 9 attributes from the NetFlow-enabled network access devices to create an endpoint, or update an existing endpoint in the Cisco ISE database. You can configure NetFlow Version 9 to attach the source and destination MAC addresses of endpoints and update them. You can also create a dictionary of NetFlow attributes to support NetFlow-based profiling.

For more information on the NetFlow Version 9 Record Format, see Table 6, “NetFlow Version 9 Field Type Definitions” of the NetFlow Version 9 Flow-Record Format document.

In addition, Cisco ISE supports NetFlow versions earlier than Version 5. If you use NetFlow Version 5 in your network, then you can use Version 5 only on the primary network access device (NAD) at the access layer because it will not work anywhere else.

Cisco IOS NetFlow Version 5 packets do not contain MAC addresses of endpoints. The attributes that are collected from NetFlow Version 5 cannot be directly added to the Cisco ISE database. You can discover endpoints by using their IP addresses, and append the NetFlow Version 5 attributes to endpoints, which can be done by combining IP addresses of the network access devices and IP addresses obtained from the NetFlow Version 5 attributes. However, these endpoints must have been previously discovered with the RADIUS or SNMP probe.

The MAC address is not a part of IP flows in NetFlow Version 5 and earlier, which requires you to profile endpoints with their IP addresses by correlating the attribute information collected from the network access devices in the endpoints cache.

For more information on the NetFlow Version 5 Record Format, see Table 2, “Cisco IOS NetFlow Flow Record and Export Format Content Information” of the NetFlow Services Solutions Guide.

DHCP Probe

The Dynamic Host Configuration Protocol probe in your Cisco ISE deployment, when enabled, allows the Cisco ISE profiling service to reprofile endpoints based only on new requests of the INIT-REBOOT and SELECTING message types. Though other DHCP message types such as RENEWING and REBINDING are processed, they are not used for profiling endpoints. Any attribute parsed out of DHCP packets is mapped to endpoint attributes.

DHCPREQUEST Message Generated During INIT-REBOOT State

If the DHCP client checks to verify a previously allocated and cached configuration, then the client must not fill in the Server identifier (server-ip) option. Instead it should fill in the Requested IP address (requested-ip) option with the previously assigned IP address, and fill in the Client IP Address (ciaddr) field with zero in its DHCPREQUEST message. The DHCP server will then send a DHCPNAK message to the client if the Requested IP address is incorrect or the client is located in the wrong network.

DHCPREQUEST Message Generated During SELECTING State

The DHCP client inserts the IP address of the selected DHCP server in the Server identifier (server-ip) option, fills in the Requested IP address (requested-ip) option with the value of the Your IP Address (yiaddr) field from the DHCPOFFER chosen by the client, and fills in the “ciaddr” field with zero.

Table 1: DHCP Client Messages from Different States

  Field          INIT-REBOOT   SELECTING   RENEWING     REBINDING
  server-ip      MUST NOT      MUST        MUST NOT     MUST NOT
  requested-ip   MUST          MUST        MUST NOT     MUST NOT
  ciaddr         zero          zero        IP address   IP address

Wireless LAN Controller Configuration in DHCP Bridging Mode

We recommend that you configure wireless LAN controllers (WLCs) in Dynamic Host Configuration Protocol (DHCP) bridging mode, where you can forward all the DHCP packets from the wireless clients to Cisco ISE. You must uncheck the Enable DHCP Proxy check box available in the WLC web interface: Controller > Advanced > DHCP Master Controller Mode > DHCP Parameters. You must also ensure that the DHCP IP helper command points to the Cisco ISE Policy Service node.
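To make the DHCP probe rules above concrete, here is an added example (not Cisco ISE code and not from this guide) that parses a raw DHCP message, classifies a DHCPREQUEST by the server-ip / requested-ip / ciaddr rules in Table 1, and reports whether the message is one the profiler would reprofile on (INIT-REBOOT or SELECTING). The attribute names dhcp-requested-address and host-name follow the page; the builder that fabricates test messages, the packet contents, and the generalisation to all four states are constructed for illustration.

```python
"""Added example (not Cisco ISE code): minimal DHCP message parser and DHCPREQUEST
state classifier following Table 1 of the guide. All packets here are constructed."""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"          # magic cookie that precedes DHCP options
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
                 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}
REPROFILE_STATES = {"INIT-REBOOT", "SELECTING"}   # the only states the page says trigger reprofiling


def _ip(raw):
    return ".".join(str(b) for b in raw)


def parse_dhcp(packet):
    """Parse the BOOTP fixed header and DHCP options into named endpoint attributes."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", packet[:12])
    attrs = {
        "op": op,
        "ciaddr": _ip(packet[12:16]),
        "yiaddr": _ip(packet[16:20]),
        "client-mac": ":".join(f"{b:02x}" for b in packet[28:28 + hlen]),
        "options": {},
    }
    pos = 240
    while pos < len(packet):                # TLV options: code, length, value
        code = packet[pos]
        if code == 0:                       # pad
            pos += 1
            continue
        if code == 255:                     # end
            break
        length = packet[pos + 1]
        attrs["options"][code] = packet[pos + 2:pos + 2 + length]
        pos += 2 + length
    opts = attrs["options"]
    if 53 in opts:
        attrs["dhcp-message-type"] = MESSAGE_TYPES.get(opts[53][0], "UNKNOWN")
    if 50 in opts:
        attrs["dhcp-requested-address"] = _ip(opts[50])    # requested-ip
    if 54 in opts:
        attrs["dhcp-server-identifier"] = _ip(opts[54])    # server-ip
    if 12 in opts:
        attrs["host-name"] = opts[12].decode("ascii", "replace")
    if 55 in opts:
        attrs["dhcp-parameter-request-list"] = ",".join(str(b) for b in opts[55])
    return attrs


def request_state(attrs):
    """Classify a DHCPREQUEST by the Table 1 rules; None for other message types."""
    if attrs.get("dhcp-message-type") != "DHCPREQUEST":
        return None
    has_server = "dhcp-server-identifier" in attrs
    has_requested = "dhcp-requested-address" in attrs
    ciaddr_zero = attrs["ciaddr"] == "0.0.0.0"
    if has_server and has_requested and ciaddr_zero:
        return "SELECTING"
    if not has_server and has_requested and ciaddr_zero:
        return "INIT-REBOOT"
    if not has_server and not has_requested and not ciaddr_zero:
        return "RENEWING/REBINDING"   # unicast vs broadcast is not visible in the payload
    return "MALFORMED"


def triggers_reprofile(attrs):
    return request_state(attrs) in REPROFILE_STATES


def build_request(mac, ciaddr="0.0.0.0", requested_ip=None, server_id=None):
    """Build a constructed DHCPREQUEST for testing (not a real client capture)."""
    header = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0x8000)     # op..flags
    header += bytes(int(o) for o in ciaddr.split(".")) + b"\x00" * 12       # ciaddr, yiaddr, siaddr, giaddr
    header += bytes.fromhex(mac.replace(":", "")) + b"\x00" * 10            # chaddr (16 bytes)
    header += b"\x00" * 192                                                # sname + file
    options = b"\x35\x01\x03"                                              # 53: DHCPREQUEST
    if requested_ip:
        options += b"\x32\x04" + bytes(int(o) for o in requested_ip.split("."))   # 50
    if server_id:
        options += b"\x36\x04" + bytes(int(o) for o in server_id.split("."))     # 54
    options += b"\x0c\x06iphone" + b"\x37\x04\x01\x03\x06\x0f" + b"\xff"         # 12, 55, end
    return header + DHCP_MAGIC + options
```

The parameter request list (option 55) is kept as a comma-separated attribute because that ordered list, together with the vendor class and host name, is what DHCP fingerprinting conditions typically match on; a RENEWING or REBINDING request still parses, but `triggers_reprofile` returns False for it, as the page describes.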

DHCP SPAN Probe

The DHCP Switched Port Analyzer (SPAN) probe, when initialized in a Cisco ISE node, listens to network traffic that comes from network access devices on a specific interface. You need to configure network access devices to forward DHCP SPAN packets from the DHCP servers to the Cisco ISE profiler. The profiler receives these DHCP SPAN packets and parses them to capture the attributes of an endpoint, which can be used for profiling endpoints.

For example:

  switch(config)# monitor session 1 source interface Gi1/0/4
  switch(config)# monitor session 1 destination interface Gi1/0/2

HTTP Probe

In the HTTP probe, the identification string is transmitted in the HTTP request-header field User-Agent, which is an attribute that can be used to create a profiling condition of IP type, and to check the web browser information. The profiler captures the web browser information from the User-Agent attribute along with other HTTP attributes from the request messages, and adds them to the list of endpoint attributes.

Cisco ISE listens to communication from the web browsers on both port 80 and port 8080. Cisco ISE provides many default profiles, which are built in to the system to identify endpoints based on the User-Agent attribute.

HTTP SPAN Probe

The HTTP probe in your Cisco ISE deployment, when enabled with the Switched Port Analyzer (SPAN) probe, allows the profiler to capture HTTP packets from the specified interfaces. You can use the SPAN capability on port 80, where the Cisco ISE server listens to communication from the web browsers.

HTTP SPAN collects HTTP attributes of an HTTP request-header message along with the IP addresses in the IP header (L3 header), which can be associated to an endpoint based on the MAC address of an endpoint in the L2 header. This information is useful for identifying different mobile and portable IP-enabled devices such as Apple devices, and computers with different operating systems. Identifying different mobile and portable IP-enabled devices is made more reliable because the Cisco ISE server redirects captures during a guest login or client provisioning download. This allows the profiler to collect the User-Agent attribute and other HTTP attributes from the request messages and then identify devices such as Apple devices.

Unable to Collect HTTP Attributes in Cisco ISE Running on VMware

If you deploy Cisco ISE on an ESX server (VMware), the Cisco ISE profiler collects the Dynamic Host Configuration Protocol traffic but does not collect the HTTP traffic due to configuration issues on the vSphere client. To collect HTTP traffic on a VMware setup, configure the security settings by changing the Promiscuous Mode of the virtual switch that you create for the Cisco ISE profiler from Reject (the default) to Accept. When the Switched Port Analyzer (SPAN) probe for DHCP and HTTP is enabled, the Cisco ISE profiler collects both the DHCP and HTTP traffic.
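The IP Address and MAC Address Binding section and the HTTP probe description above together describe one mechanism: endpoints are keyed by MAC, HTTP requests identify a client only by IP, and the profiler's ARP cache (fed by the DHCP probe's dhcp-requested-address or the RADIUS probe's Framed-IP-Address) bridges the two. The following added example, not Cisco ISE code and not from this guide, shows that binding and what happens to an HTTP request whose IP has no binding. The attribute names come from the page; the probe-event format, the class, and the sample events are constructed.

```python
"""Added example (not Cisco ISE code): IP-to-MAC binding cache fed by DHCP/RADIUS
attributes, used to attach HTTP User-Agent data to the right endpoint. Event shapes
and sample values are constructed; attribute names follow the guide."""
import ipaddress


class ProfilerArpCache:
    """Endpoints keyed by MAC, plus the IP->MAC bindings learned from probes that carry both."""

    # Per the page, only these two probes deliver an endpoint IP together with its MAC.
    IP_ATTRIBUTE_BY_PROBE = {
        "DHCP": "dhcp-requested-address",
        "RADIUS": "Framed-IP-Address",
    }

    def __init__(self):
        self.ip_to_mac = {}
        self.endpoints = {}       # mac -> merged attribute dict
        self.unbound_http = []    # HTTP requests whose source IP had no binding yet

    def learn(self, probe, mac, attributes):
        """Create or update the endpoint for mac and record its IP binding, if the probe carries one."""
        mac = mac.lower()
        self.endpoints.setdefault(mac, {}).update(attributes)
        ip_attr = self.IP_ATTRIBUTE_BY_PROBE.get(probe)
        if ip_attr and ip_attr in attributes:
            ip = str(ipaddress.ip_address(attributes[ip_attr]))   # canonical text form
            if not ipaddress.ip_address(ip).is_unspecified:        # 0.0.0.0 binds nothing
                self.ip_to_mac[ip] = mac

    def handle_http(self, source_ip, headers):
        """HTTP request headers name the client only by IP; resolve it through the cache.
        Returns the endpoint MAC the attributes were attached to, or None."""
        ip = str(ipaddress.ip_address(source_ip))
        mac = self.ip_to_mac.get(ip)
        user_agent = headers.get("User-Agent", "")
        if mac is None:
            self.unbound_http.append((ip, user_agent))
            return None
        self.endpoints[mac]["User-Agent"] = user_agent
        self.endpoints[mac]["SourceIP"] = ip
        return mac


def demo():
    """Constructed events: one DHCP request, one RADIUS session, then two HTTP requests."""
    cache = ProfilerArpCache()
    cache.learn("DHCP", "AA:BB:CC:00:00:01",
                {"dhcp-requested-address": "10.1.1.50", "host-name": "iphone"})
    cache.learn("RADIUS", "aa:bb:cc:00:00:02",
                {"Framed-IP-Address": "10.1.1.51", "Calling-Station-ID": "aa-bb-cc-00-00-02"})
    bound = cache.handle_http("10.1.1.50",
                              {"User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 8_1)"})
    unbound = cache.handle_http("10.1.1.99", {"User-Agent": "curl/7.35"})
    return bound, unbound, cache.endpoints["aa:bb:cc:00:00:01"]["User-Agent"], len(cache.unbound_http)
```

Note that an HTTP probe event with no binding is retained rather than used to create an endpoint, which mirrors the page's point that without the DHCP or RADIUS probe the HTTP probe has no reliable MAC to key on.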

RADIUS Probe

You can configure Cisco ISE for authentication with RADIUS, where you can define a shared secret that you can use in client-server transactions. With the RADIUS request and response messages that are received from the RADIUS servers, the profiler can collect RADIUS attributes, which can be used for profiling endpoints.

Cisco ISE can function as a RADIUS server, and as a RADIUS proxy client to other RADIUS servers. When it acts as a proxy client, it uses external RADIUS servers to process RADIUS requests and response messages.

Network Scan (NMAP) Probe

About the NMAP Probe

Cisco ISE enables you to detect devices in a subnet by using the NMAP security scanner. You enable the NMAP probe on the Policy Service node that is enabled to run the profiling service. You use the results from that probe in an endpoint profiling policy.

You can also run a manual subnet scan from the same location where you enable NMAP in the Admin console. Each NMAP manual subnet scan has a unique numeric ID that is used to update an endpoint's source information with that scan ID. Upon detection of endpoints, the endpoint source information can also be updated to indicate that it was discovered by the Network Scan probe.

The NMAP manual subnet scan is useful for detecting devices such as printers with a static IP address assigned to them that are connected constantly to the Cisco ISE network, and therefore cannot be discovered by other probes.

NMAP Scan Limitations

Scanning a subnet is highly resource intensive. Scanning a subnet is a lengthy process that depends on the size and density of the subnet. The number of active scans is always restricted to one scan, which means that you can scan only a single subnet at a time. You can cancel a subnet scan at any time while the subnet scan is in progress. You can use the Click to see latest scan results link to view the most recent network scan results that are stored in Administration > Identities > Latest Network Scan Results.

Manual NMAP Scan

The following NMAP command scans a subnet and sends the output to nmapSubnet.log:

  nmap -O -sU -p U:161,162 -oN /opt/CSCOcpm/logs/nmapSubnet.log --append-output -oX - subnet

Table 2: NMAP Commands for a Manual Subnet Scan

  -O                 Enables OS detection
  -sU                UDP scan
  -p <port ranges>   Scans only specified ports. For example, U:161,162
  -oN                Normal output
  -oX                XML output
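The manual scan command above writes normal output to nmapSubnet.log and XML to stdout (`-oX -`); the XML is what a consumer would parse. The following added example, not Cisco ISE code and not from this guide, parses that XML into per-host records (addresses, UDP port states, best OS match, the numeric scan ID the page says is attached to an endpoint's source information) and picks out the hosts with UDP port 161 confirmed open. The XML sample is constructed to match nmap's output structure; it is not a real scan, and the record field names are assumptions.

```python
"""Added example (not Cisco ISE code): parse nmap XML (-oX -) from a manual subnet scan
into endpoint records. The XML below is a constructed sample in nmap's output shape."""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -O -sU -p U:161,162 -oX - 10.1.1.0/29">
  <host>
    <status state="up"/>
    <address addr="10.1.1.2" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
      <port protocol="udp" portid="162"><state state="closed"/></port>
    </ports>
    <os>
      <osmatch name="HP LaserJet printer" accuracy="95"/>
      <osmatch name="Linux 2.6.X" accuracy="80"/>
    </os>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.1.1.3" addrtype="ipv4"/>
    <ports>
      <port protocol="udp" portid="161"><state state="open|filtered"/></port>
      <port protocol="udp" portid="162"><state state="open|filtered"/></port>
    </ports>
    <os/>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.1.1.4" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_scan(xml_text, scan_id):
    """Return one record per host that is up: addresses, UDP port states, best OS match, scan id."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        record = {"scan-id": scan_id, "source": "Network Scan probe", "ports": {}}
        for addr in host.findall("address"):          # addrtype is "ipv4", "ipv6" or "mac"
            record[addr.get("addrtype")] = addr.get("addr")
        for port in host.findall("ports/port"):
            key = f"{port.get('protocol')}/{port.get('portid')}"
            record["ports"][key] = port.find("state").get("state")
        matches = host.findall("os/osmatch")
        if matches:                                    # keep the highest-accuracy OS guess
            best = max(matches, key=lambda m: int(m.get("accuracy", "0")))
            record["operating-system"] = best.get("name")
            record["os-accuracy"] = int(best.get("accuracy", "0"))
        results.append(record)
    return results


def snmp_query_candidates(results):
    """Hosts with UDP/161 confirmed open. 'open|filtered' is nmap's 'no answer' verdict
    for UDP and is deliberately not treated as open."""
    return [r["ipv4"] for r in results if r["ports"].get("udp/161") == "open"]
```

Distinguishing `open` from `open|filtered` matters for UDP: a scan with no ICMP unreachable reply cannot tell a silent host from a listening one, so acting only on confirmed-open ports avoids issuing follow-up queries at every quiet address.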

SNMP Read Only Community Strings for NMAP Manual Subnet Scan

The NMAP manual subnet scan is augmented with an SNMP Query whenever the scan discovers that UDP port 161 is open on an endpoint, which results in more attributes being collected. During the NMAP manual subnet scan, the Network Scan probe detects whether SNMP port 161 is open on the device. If the port is open, an SNMP Query is triggered with a default community string (public) with SNMP version 2c. If the device supports SNMP and the default Read Only community string is set to public, you can obtain the MAC address of the device from the MIB value “ifPhysAddress”. In addition, you can configure additional SNMP Read Only community strings separated by a comma for the NMAP manual network scan in the Profiler Configuration page. You can also specify new Read Only community strings for an SNMP MIB walk with SNMP versions 1 and 2c in the following location: Administration > System > Settings > Profiling.

Latest Network Scan Results

The most recent network scan results are stored in Administration > Identity Management > Identities > Latest Network Scan Results.

The Latest Network Scan Results Endpoints page displays only the most recent endpoints that are detected, along with their associated endpoint profiles, their MAC addresses, and their static assignment status as the result of a manual network scan you perform on any subnet. This page allows you to edit endpoints that are detected from the endpoint subnet for better classification, if required.

Cisco ISE allows you to perform the manual network scan from the Policy Service nodes that are enabled to run the profiling service. You must choose the Policy Service node from the primary Administration ISE node user interface in your deployment to run the manual network scan from the Policy Service node. During the manual network scan on any subnet, the Network Scan probe detects endpoints on the specified subnet and their operating systems, and checks UDP ports 161 and 162 for an SNMP service.

DNS Probe

The Domain Name Service (DNS) probe in your Cisco ISE deployment allows the profiler to look up an endpoint and get the fully qualified domain name (FQDN). After an endpoint is detected in your Cisco ISE-enabled network, a list of endpoint attributes is collected from the NetFlow, DHCP, DHCP SPAN, HTTP, RADIUS, or SNMP probes.

When you deploy Cisco ISE in a standalone or in a distributed environment for the first time, you are prompted to run the setup utility to configure the Cisco ISE appliance. When you run the setup utility, you configure the Domain Name System (DNS) domain and the primary nameserver (primary DNS server), where you can configure one or more nameservers during setup. You can also change or add DNS nameservers later, after deploying Cisco ISE, by using the CLI commands.

DNS FQDN Lookup

Before a DNS lookup can be performed, one of the following probes must be started along with the DNS probe: DHCP, DHCP SPAN, HTTP, RADIUS, or SNMP. This allows the DNS probe in the profiler to do a reverse DNS lookup (FQDN lookup) against specified name servers that you define in your Cisco ISE deployment. A new attribute is added to the attribute list for an endpoint, which can be used for an endpoint profiling policy evaluation. The FQDN is the new attribute that exists in the system IP dictionary. You can create an endpoint profiling condition to validate the FQDN attribute and its value for profiling. The following are the specific endpoint attributes that are required for a DNS lookup and the probe that collects these attributes:
  • The dhcp-requested-address attribute—An attribute collected by the DHCP and DHCP SPAN probes.
  • The SourceIP attribute—An attribute collected by the HTTP probe.
  • The Framed-IP-Address attribute—An attribute collected by the RADIUS probe.
  • The cdpCacheAddress attribute—An attribute collected by the SNMP probe.

DNS Lookup with an Inline Posture Node Deployment in Bridged Mode

For the Domain Name Service probe to work with an Inline Posture deployment in the Bridged mode, you must configure the callStationIdType information sent in RADIUS messages for the Wireless LAN Controllers (WLCs). The Framed-IP-Address attribute in RADIUS messages does not contain the Call Station ID type in the MAC address format. Therefore RADIUS messages cannot be associated with the MAC address of endpoints, and the DNS probe is unable to perform the reverse DNS lookup. In order to profile endpoints, you must enable the RADIUS and DNS probes in Cisco ISE, and then configure the WLCs to send the calling station ID in the MAC address format instead of the current IP address format in RADIUS messages. Once the callStationIdType is configured in the WLCs, the configuration uses the selected calling station ID for communications with RADIUS servers and other applications. This results in endpoint authentication, after which the DNS probe does a reverse DNS lookup (FQDN lookup) against the specified name servers and updates the FQDN of endpoints.

Configure Call Station ID Type in the WLC Web Interface

You can use the WLC web interface to configure Call Station ID Type information. You can go to the Security tab of the WLC web interface to configure the calling station ID in the RADIUS Authentication Servers page. The MAC Delimiter field is set to Colon by default in the WLC user interface.

For more information on how to configure it in the WLC web interface, see Chapter 6, “Configuring Security Solutions” in the Cisco Wireless LAN Controller Configuration Guide, Release 7.2.

For more information on how to configure it in the WLC CLI using the config radius callStationIdType command, see Chapter 2, “Controller Commands” in the Cisco Wireless LAN Controller Command Reference Guide, Release 7.2.

Step 1  Log in to your Wireless LAN Controller user interface.
Step 2  Click Security.
Step 3  Expand AAA, and then choose RADIUS > Authentication.
Step 4  Choose System MAC Address from the Call Station ID Type drop-down list.
Step 5  Check the AES Key Wrap check box when you run Cisco ISE in FIPS mode.
Step 6  Choose Colon from the MAC Delimiter drop-down list.
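The DNS FQDN Lookup subsection above lists the four IP-carrying attributes (one per probe) that a reverse lookup depends on. The following added example, not Cisco ISE code and not from this guide, selects the first usable IP from those attributes, skipping empty, malformed or unspecified (0.0.0.0) values, builds the reverse-pointer name, and fills in the FQDN attribute through an injected resolver so it runs offline. The attribute names follow the page; the probe precedence, the FQDN-source field, and the stand-in PTR data are constructed for illustration.

```python
"""Added example (not Cisco ISE code): pick the endpoint IP the DNS probe should use and
populate FQDN via a pluggable PTR resolver. Attribute names follow the guide; the order of
preference, the extra FQDN-source field and the PTR data are constructed."""
import ipaddress

# Per the page: each of these attributes is collected by a different probe and can
# supply the IP for the reverse lookup. Order of preference here is an assumption.
DNS_SOURCE_ATTRIBUTES = (
    ("dhcp-requested-address", "DHCP / DHCP SPAN"),
    ("SourceIP", "HTTP"),
    ("Framed-IP-Address", "RADIUS"),
    ("cdpCacheAddress", "SNMP"),
)


def reverse_name(ip_text):
    """in-addr.arpa / ip6.arpa owner name for an IPv4 or IPv6 address."""
    return ipaddress.ip_address(ip_text).reverse_pointer


def select_lookup_ip(endpoint):
    """Return (attribute, ip) for the first source attribute holding a usable address, else None."""
    for attr, _probe in DNS_SOURCE_ATTRIBUTES:
        value = endpoint.get(attr)
        if not value:
            continue
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            continue              # not an IP (e.g. a MAC stored in the wrong attribute)
        if ip.is_unspecified:
            continue              # 0.0.0.0 / :: cannot be resolved
        return attr, str(ip)
    return None


def add_fqdn(endpoint, resolve_ptr):
    """Populate endpoint['FQDN'] using resolve_ptr(owner_name) -> str or None.
    Returns the FQDN, or None when no lookup was possible or nothing resolved."""
    chosen = select_lookup_ip(endpoint)
    if chosen is None:
        return None
    attr, ip = chosen
    fqdn = resolve_ptr(reverse_name(ip))
    if fqdn:
        endpoint["FQDN"] = fqdn.rstrip(".")
        endpoint["FQDN-source"] = attr     # constructed field: which probe supplied the IP
    return endpoint.get("FQDN")


# Constructed stand-in for the deployment's name servers (no network access needed).
PTR_ZONE = {
    "50.1.1.10.in-addr.arpa": "printer-3f.corp.example.",
}


def demo():
    """Constructed endpoints: DHCP-sourced IP, RADIUS IP unset with an SNMP fallback, and no IP at all."""
    ep_dhcp = {"MACAddress": "aa:bb:cc:00:00:01", "dhcp-requested-address": "10.1.1.50"}
    ep_radius = {"MACAddress": "aa:bb:cc:00:00:02", "Framed-IP-Address": "0.0.0.0",
                 "cdpCacheAddress": "10.1.1.51"}
    ep_none = {"MACAddress": "aa:bb:cc:00:00:03"}
    return (add_fqdn(ep_dhcp, PTR_ZONE.get),
            select_lookup_ip(ep_radius),
            add_fqdn(ep_none, PTR_ZONE.get),
            ep_dhcp["FQDN-source"])
```

The resolver is passed in rather than hard-wired so the same selection logic can be exercised against recorded answers in tests and against the deployment's configured name servers in production.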

SNMP Query Probe

In addition to configuring the SNMP Query probe in the Edit Node page, you must configure other Simple Network Management Protocol settings in the following location: Administration > Network Resources > Network Devices.

You can configure SNMP settings in the new network access devices (NADs) in the Network Devices list page. The polling interval that you specify in the SNMP query probe or in the SNMP settings in the network access devices queries NADs at regular intervals.

You can turn on and turn off SNMP querying for specific NADs based on the following configurations:
  • SNMP query on Link up and New MAC notification turned on or turned off
  • SNMP query on Link up and New MAC notification turned on or turned off for Cisco Discovery Protocol information
  • SNMP query timer for once an hour for each switch by default

For an iDevice, and other mobile devices that do not support SNMP, the MAC address can be discovered by the ARP table, which can be queried from the network access device by an SNMP Query probe.

Cisco Discovery Protocol Support with SNMP Query

When you configure SNMP settings on the network devices, you must ensure that the Cisco Discovery Protocol is enabled (by default) on all the ports of the network devices. If you disable the Cisco Discovery Protocol on any of the ports on the network devices, then you may not be able to profile properly because you will miss the Cisco Discovery Protocol information of all the connected endpoints. You can enable the Cisco Discovery Protocol globally by using the cdp run command on a network device, and enable the Cisco Discovery Protocol by using the cdp enable command on any interface of the network access device. To disable the Cisco Discovery Protocol on the network device and on the interface, use the no keyword at the beginning of the commands.

Link Layer Discovery Protocol Support with SNMP Query

The Cisco ISE profiler uses an SNMP Query to collect LLDP attributes. You can also collect LLDP attributes from a Cisco IOS sensor, which is embedded in the network device, by using the RADIUS probe. See the default LLDP configuration settings that you can use to configure LLDP global configuration and LLDP interface configuration commands on the network access devices.

Table 3: Default LLDP Configuration

  Feature                                 Default Setting
  LLDP global state                       Disabled
  LLDP holdtime (before discarding)       120 seconds
  LLDP timer (packet update frequency)    30 seconds
  LLDP reinitialization delay             2 seconds
  LLDP tlv-select                         Enabled to send and receive all TLVs
  LLDP interface state                    Enabled
  LLDP receive                            Enabled
  LLDP transmit                           Enabled
  LLDP med-tlv-select                     Enabled to send all LLDP-MED TLVs

CDP and LLDP Capability Codes Displayed in a Single Character

The Attribute List of an endpoint displays a single character value for the lldpCacheCapabilities and lldpCapabilitiesMapSupported attributes. The values are the Capability Codes that are displayed for the network access device that runs CDP and LLDP.

Example 1

  lldpCacheCapabilities          S
  lldpCapabilitiesMapSupported   S

Example 2

  lldpCacheCapabilities          B;T
  lldpCapabilitiesMapSupported   B;T

Example 3

  Switch#show cdp neighbors
  Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge, S - Switch, H - Host, I - IGMP,
                    r - Repeater, P - Phone, D - Remote, C - CVTA, M - Two-port Mac Relay.
  Switch#
  Switch#show lldp neighbors
  Capability codes: (R) Router, (B) Bridge, (T) Telephone, (C) DOCSIS Cable Device
                    (W) WLAN Access Point, (P) Repeater, (S) Station, (O) Other.
  Switch#

SNMP Trap Probe

The SNMP Trap probe receives information from the specific network access devices that support MAC notification, linkup, linkdown, and informs. The SNMP Trap probe receives information from the specific network access devices when ports come up or go down and endpoints disconnect from or connect to your network; the information received is not, on its own, sufficient to create endpoints in Cisco ISE.

For SNMP Trap to be fully functional and create endpoints, you must enable SNMP Query so that the SNMP Query probe triggers a poll event on the particular port of the network access device when a trap is received. To make this feature fully functional you should configure the network access device and SNMP Trap.

Note: Cisco ISE does not support SNMP Traps that are received from the Wireless LAN Controllers (WLCs) and Access Points (APs).

Configure Probes per Cisco ISE Node

You can configure one or more probes on the Profiling Configuration tab per Cisco ISE node in your deployment that assumes the Policy Service persona, which could be:
  • A standalone node—If you have deployed Cisco ISE on a single node that assumes all Administration, Monitoring, and Policy Service personas by default.
  • Multiple nodes—If you have registered more than one node in your deployment that assume the Policy Service persona.

Before You Begin

You can configure the probes per Cisco ISE node only from the Administration node, which is unavailable on the secondary Administration node in a distributed deployment.

Step 1
Step 2
