ISE Profiling Deep-Dive

In this post, I’m going to be posting my deep-dive notes on ISE device profiling as well as what each probe does and what type of information to expect from the attributes.

CDP

Example of a CDP entry seen from a switch

CDP TLV Descriptions:

  • Address - Contains a list of device network-layer addresses. If a device uses Simple Network Management Protocol (SNMP), the first address is an address at which the device receives SNMP messages. The device may advertise all its addresses and may optionally advertise one or more loopback IP addresses.

  • Capabilities - Identifies the device type. The device type indicates the functional capability of the device, for example, a switch.

  • Device-ID - Name of the device

  • Platform - Describes the hardware platform of the device.

  • Version - Contains information about the software image version the device is running.

Enable CDP on the Switch

cdp run
!
interface g1/0/1
cdp enable


IOS Device Sensor for CDP

device-sensor filter-list cdp list TLV-CDP
 tlv name device-name
 tlv name address-type
 tlv name capabilities-type
 tlv name version-type
 tlv name platform-type
device-sensor filter-spec cdp include list TLV-CDP
device-sensor accounting
device-sensor notify all-changes


Examples from ISE:

cdpCacheAddress: 254.128.0.0.0.0.0.0.178.170.119.255.254.151.119.92 (an IPv6 link-local address, fe80::b2aa:77ff:fe97:775c, which ISE renders as 16 decimal octets)

cdpCacheCapabilities: T;B;I

cdpCacheDeviceId: AP1

cdpCachePlatform: cisco AIR-AP3702I-UXK9

cdpCacheVersion: Cisco IOS Software, C3700 Software (AP3G2-K9W8-M), Version 15.3(3)JA12, RELEASE SOFTWARE (fc2) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2017 by Cisco Systems, Inc. Compiled Fri 20-Oct-17 20:51 by prod_rel_team


cdpCacheAddress: 10.1.30.101

cdpCacheCapabilities: R;T;B;I

cdpCacheDeviceId: AP1

cdpCachePlatform: cisco AIR-CAP3602I-A-K9

cdpCacheVersion: Cisco IOS Software, C3600 Software (AP3G2-K9W8-M), Version 15.3(3)JD17, RELEASE SOFTWARE (fc2) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2019 by Cisco Systems, Inc. Compiled Fri 12-Apr-19 03:21 by prod_rel_team


cdpCacheAddress: 10.1.100.109

cdpCacheCapabilities: H;P;M

cdpCacheDeviceId: SEP001A2F69DBEE

cdpCachePlatform: Cisco IP Phone 7961

cdpCacheVersion: SCCP41.9-4-2SR1-1S

cdpUndefined28: 00:02:00



LLDP

Example of an LLDP entry seen from a switch

ONE IMPORTANT NOTE: LLDP is turned off by default on most Cisco switches. Enable it globally with the lldp run command and then per interface with the lldp receive and lldp transmit commands. Unlike CDP, LLDP is an open standard and many non-Cisco and IoT devices speak it, so I recommend enabling it on your switches.

LLDP TLVs Descriptions:

  • Capabilities - Lets the receiver determine which capability types the connected device supports and which of them are enabled (see System Capabilities below for the bit layout).

  • Chassis ID - A mandatory TLV that identifies the chassis component of the endpoint identifier associated with the transmitting LLDP agent. In practice I usually see this field populated with either a MAC address or an IP address.

  • ManAddress - The Management Address TLV is an optional TLV that identifies a network address associated with the local LLDP agent, which can be used to reach the agent on the port identified in the Port ID TLV. (In 802.1AB only Chassis ID, Port ID, Time To Live and End of LLDPDU are mandatory.)

  • Port Description - Provides a description of the port id in an alpha-numeric format. The value equals the ifDescr object

  • Port ID - The Port ID is a mandatory TLV which identifies the port component of the endpoint identifier associated with the transmitting LLDP agent.

  • System Capabilities - Indicates the primary function(s) of the device and whether or not these functions are enabled in the device. The capabilities are indicated by two octets. Bits 0 through 7 indicate Other, Repeater, Bridge, WLAN AP, Router, Telephone, DOCSIS cable device and Station respectively. Bits 8 through 15 are reserved.

  • System Description - Provides a description of the network entity in an alpha-numeric format. This includes system's name and versions of hardware, operating system and networking software supported in the device. The value equals the sysDescr object, if the LAN device supports RFC 3418.

  • System Name - Provides the system's assigned name in an alpha-numeric format. The value equals the sysName object

  • Time To Live - Indicates how long (in seconds) the LAN device's information received in the LLDPDU is to be treated as valid information.

Enable LLDP on Switch

lldp run
!
interface g1/1/1
lldp receive
lldp transmit


IOS Device Sensor for LLDP

device-sensor filter-list lldp list TLV-LLDP
 tlv name port-id
 tlv name time-to-live
 tlv name port-description
 tlv name system-name
 tlv name system-description
 tlv name system-capabilities
 tlv name management-address
 tlv name chassis-id
device-sensor filter-spec lldp include list TLV-LLDP
device-sensor accounting
device-sensor notify all-changes


Examples from ISE:

lldpCacheCapabilities: B

lldpCapabilitiesMapSupported: B

lldpChassisId: 04:b0:aa:77:b9:34:90

lldpPortDescription: GigabitEthernet0

lldpPortId: 05:47:69:30

lldpSystemName: AP1


lldpCacheCapabilities: B

lldpCapabilitiesMapSupported: B

lldpChassisId: 04:54:78:1a:65:ca:60

lldpManAddress: 05:01:0a:01:1e:65:03:00:00:00:00:00

lldpPortDescription: GigabitEthernet0

lldpPortId: 05:47:69:30

lldpSystemName: AP1.securitydemo.net


lldpCacheCapabilities: B;T

lldpCapabilitiesMapSupported: B;T

lldpChassisId: 05:01:00:00:00:00

lldpPortDescription: SW PORT

lldpPortId: 07:30:30:31:41:32:46:36:39:44:42:45:45:3a:50:31

lldpSystemDescription: Cisco IP Phone 7961G,V1, SCCP41.9-4-2SR1-1S

lldpSystemName: SEP001A2F69DBEE
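
The raw values above are easier to reason about once decoded. The Python below is an added example (not part of this post and not ISE code): it decodes cdpCacheAddress (ISE prints IPv4 as 4 and IPv6 as 16 decimal octets), the subtype-prefixed hex of lldpChassisId and lldpPortId, the lldpManAddress TLV body, and the capability letters, which follow the legends of show cdp neighbors and show lldp neighbors. The input strings are the ones shown in the examples above; the function names are my own.

```python
"""Decode raw CDP/LLDP values the way ISE displays them in an endpoint's attributes."""
import ipaddress

# Capability letters as printed by `show cdp neighbors` and `show lldp neighbors`
CDP_CAPS = {"R": "Router", "T": "Trans-Bridge", "B": "Source-Route-Bridge", "S": "Switch",
            "H": "Host", "I": "IGMP", "r": "Repeater", "P": "Phone", "D": "Remote",
            "C": "CVTA", "M": "Two-port MAC Relay"}
LLDP_CAPS = {"O": "Other", "P": "Repeater", "B": "Bridge", "W": "WLAN AP", "R": "Router",
             "T": "Telephone", "C": "DOCSIS Cable Device", "S": "Station"}
# 802.1AB chassis ID and port ID subtypes (first octet of the hex string ISE shows)
CHASSIS_SUBTYPES = {1: "chassis component", 2: "interface alias", 3: "port component",
                    4: "MAC address", 5: "network address", 6: "interface name",
                    7: "locally assigned"}
PORT_SUBTYPES = {1: "interface alias", 2: "port component", 3: "MAC address",
                 4: "network address", 5: "interface name", 6: "agent circuit ID",
                 7: "locally assigned"}
ADDR_FAMILY_LEN = {1: 4, 2: 16}  # IANA address family number -> address length in bytes


def decode_cdp_address(value):
    """cdpCacheAddress is dotted decimal: 4 octets for IPv4, 16 for IPv6."""
    octets = bytes(int(o) for o in value.split("."))
    if len(octets) not in (4, 16):
        raise ValueError(f"unexpected address length {len(octets)} in {value!r}")
    return ipaddress.ip_address(octets)


def _hex_bytes(value):
    return bytes.fromhex(value.replace(":", ""))


def _network_address(raw):
    """Address family octet followed by the packed address."""
    length = ADDR_FAMILY_LEN.get(raw[0])
    if length is None or len(raw) < 1 + length:
        raise ValueError("unsupported or truncated network address")
    return ipaddress.ip_address(raw[1:1 + length])


def _decode_id(raw, subtypes):
    kind = subtypes.get(raw[0], f"unknown({raw[0]})")
    body = raw[1:]
    if kind == "MAC address":
        return kind, ":".join(f"{b:02x}" for b in body)
    if kind == "network address":
        return kind, str(_network_address(body))
    return kind, body.decode("ascii", errors="replace")


def decode_lldp_chassis_id(value):
    return _decode_id(_hex_bytes(value), CHASSIS_SUBTYPES)


def decode_lldp_port_id(value):
    return _decode_id(_hex_bytes(value), PORT_SUBTYPES)


def decode_lldp_man_address(value):
    """Management Address TLV body: address-string length, address family, address,
    interface numbering subtype, 4-byte interface number, OID length, OID."""
    raw = _hex_bytes(value)
    addr_len = raw[0]
    address = _network_address(raw[1:1 + addr_len])
    pos = 1 + addr_len
    return {"address": str(address),
            "if_subtype": raw[pos],  # 1 unknown, 2 ifIndex, 3 system port number
            "if_number": int.from_bytes(raw[pos + 1:pos + 5], "big")}


def decode_capabilities(value, protocol):
    table = CDP_CAPS if protocol == "cdp" else LLDP_CAPS
    return [table.get(letter, f"unknown({letter})") for letter in value.split(";") if letter]


if __name__ == "__main__":
    # Values copied from the ISE examples above
    print(decode_cdp_address("254.128.0.0.0.0.0.0.178.170.119.255.254.151.119.92"))
    print(decode_lldp_chassis_id("04:b0:aa:77:b9:34:90"), decode_lldp_port_id("05:47:69:30"))
    print(decode_lldp_man_address("05:01:0a:01:1e:65:03:00:00:00:00:00"))
    print(decode_lldp_port_id("07:30:30:31:41:32:46:36:39:44:42:45:45:3a:50:31"))
    print(decode_capabilities("H;P;M", "cdp"), decode_capabilities("B;T", "lldp"))
```

Two things fall out of the decode: the AP's lldpManAddress is 10.1.30.101, the same address CDP reported for it, and the 7961's lldpChassisId is a network-address subtype carrying 0.0.0.0, so the only MAC in its LLDP data is the locally assigned port ID "001A2F69DBEE:P1", which is what to key on.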


DHCP

DHCP Option Descriptions:

  • boot-file – Option 67 - Bootfile name - This option is used to identify a bootfile when the 'file' field in the DHCP header has been used for DHCP options.

  • class-identifier – Option 60 - This option is used by DHCP clients to optionally identify the type and configuration of a DHCP client.  The information is a string of n octets, interpreted by servers.  Vendors and sites may choose to define specific class identifiers to convey particular configuration or other identification information about a client.  For example, the identifier may encode the client's hardware configuration.  Servers not equipped to interpret the class-specific information sent by a client MUST ignore it (although it may be reported).

  • client-fqdn – Option 81 - To update the IP-address-to-FQDN mapping, a DHCP server needs to know the FQDN of the client to which the server leases the address.  To allow the client to convey its FQDN to the server, RFC 4702 defines a DHCP option called "Client FQDN".  The Client FQDN option also contains Flags, which DHCP servers can use to convey information about DNS updates to clients, and two deprecated RCODEs. Clients MAY send the Client FQDN option, setting appropriate Flags values, in both their DHCPDISCOVER and DHCPREQUEST messages.  If a client sends the Client FQDN option in its DHCPDISCOVER message, it MUST send the option in subsequent DHCPREQUEST messages though the contents of the option MAY change.

  • client-identifier – Option 61 - This option is used by DHCP clients to specify their unique identifier.  DHCP servers use this value to index their database of address bindings.  This value is expected to be unique for all clients in an administrative domain. It is expected that this field will typically contain a hardware type and hardware address, but this is not required.  Current legal values for hardware types are defined in https://tools.ietf.org/html/rfc1340

  • domain-name – Option 15 - This option specifies the domain name that client should use when resolving hostnames via the Domain Name System.

  • host-name – Option 12 - Hostname for the client – using RFC 1035 character set

  • parameter-request-list – Option 55 - This option is used by a DHCP client to request values for specified configuration parameters.  The list of requested parameters is specified as n octets, where each octet is a valid DHCP option code as defined in RFC 2132. The client MAY list the options in order of preference.  The DHCP server is not required to return the options in the requested order, but MUST try to insert the requested options in the order requested by the client. Because the order and content of this list are characteristic of a client's DHCP stack, it is one of the most useful DHCP fingerprints for profiling.

  • pxe-client-arch – Option 93 - Octet "n" gives the number of octets containing "architecture types" (not including the code and len fields).  It MUST be an even number greater than zero.  Clients that support more than one architecture type MAY include a list of these types in their initial DHCP and PXE boot server packets.  The list of supported architecture types MAY be reduced in any packet exchange between the client and server(s). Octets "n1" and "n2" encode a 16-bit architecture type identifier that describes the pre-boot runtime environment(s) of the client machine.

  • pxe-client-machine-id – Option 97 - Octet "t" describes the type of the machine identifier in the remaining octets in this option. 0 (zero) is the only value defined  for this octet at the present time, and it describes the remaining octets as a 16-octet Globally Unique Identifier (GUID).  Octet "n" is 17 for type 0. 

  • pxe-client-network-id – Option 94 - Octet "t" encodes a network interface type.  For now the only supported value is 1 for Universal Network Device Interface (UNDI). Octets "M" and "m" describe the interface revision.  To encode the UNDI revision of 2.11, "M" would be set to 2, and "m" would be set to 11 (0x0B).

  • requested-address – Option 50 - This option is used in a client request (DHCPDISCOVER) to allow the client to request that a particular IP address be assigned

  • server-identifier – Option 54 - This option is used in DHCPOFFER and DHCPREQUEST messages, and may optionally be included in the DHCPACK and DHCPNAK messages.  DHCP servers include this option in the DHCPOFFER in order to allow the client to distinguish between lease offers.  DHCP clients indicate which of several lease offers is being accepted by including this option in a DHCPREQUEST message. The identifier is the IP address of the selected server.

  • user-class-id – Option 77 - DHCP administrators may define specific user class identifiers to convey information about a client's software configuration or about its user's preferences.  For example, the User Class option can be used to configure all clients of people in the accounting department with a different printer than clients of people in the marketing department.

  • v-i-vendor-class – Option 124 (Vendor-Identifying Vendor Class, RFC 3925; not to be confused with the option 60 class identifier above) - A DHCP client may use this option to unambiguously identify the vendor that manufactured the hardware on which the client is running, the software in use, or an industry consortium to which the vendor belongs.  The information contained in the per-vendor data area of this option is contained in one or more opaque fields that may identify details of the hardware configuration.

IOS Device Sensor for DHCP

device-sensor filter-list dhcp list dhcp-list
 option name boot-file
 option name class-identifier
 option name client-fqdn
 option name client-identifier
 option name domain-name
 option name host-name
 option name parameter-request-list
 option name pxe-client-arch
 option name pxe-client-machine-id
 option name pxe-client-network-id
 option name requested-address
 option name server-identifier
 option name user-class-id
 option name v-i-vendor-class
device-sensor filter-spec dhcp include list dhcp-list
device-sensor accounting
device-sensor notify all-changes


DHCP Helper Instead of IOS Device Sensor

If the switch cannot run Device Sensor, add the PSN that runs the DHCP probe as an additional ip helper-address on the endpoint VLAN's SVI, alongside the real DHCP server. The switch then relays a copy of every DHCP broadcast to the PSN; ISE only listens on UDP 67 and never answers, so the existing DHCP server keeps handing out leases.

interface vlan 100
 ip helper-address 10.1.100.21


Examples from ISE:

dhcp-class-identifier: Cisco AP c3600

dhcp-client-identifier: 01:6c:20:56:52:7e:b6

dhcp-parameter-request-list: 1, 6, 15, 44, 3, 7, 33, 150, 43

 


dhcp-class-identifier: Cisco Systems, Inc. IP Phone CP-7961G

dhcp-client-identifier: 01:00:1a:2f:69:db:ee

dhcp-message-type: DHCPREQUEST

dhcp-parameter-request-list: 1, 66, 6, 3, 15, 150, 35

dhcp-requested-address: 10.1.100.109
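
Added example (not from this post and not Cisco's code): the Python below decodes the option 61 and option 55 values exactly as ISE prints them above, builds an ordered fingerprint from the parameter request list, and evaluates a few constructed ISE-style conditions with certainty values over the two endpoints shown. The rule sets, the certainty numbers and the LIST_CONTAINS operator are my own illustration of how such conditions behave, not ISE's built-in profiling policies.

```python
"""Interpret the DHCP attributes ISE stores for an endpoint and run ISE-style
conditions over them (added example; the rules and helper names are made up here)."""
import re

# Option names (RFC 2132 plus Cisco's 150) for the codes seen in the examples above
DHCP_OPTION_NAMES = {
    1: "Subnet Mask", 3: "Router", 6: "Domain Name Server", 7: "Log Server",
    15: "Domain Name", 33: "Static Route", 35: "ARP Cache Timeout",
    43: "Vendor Specific Information", 44: "NetBIOS Name Server",
    66: "TFTP Server Name", 150: "TFTP Server Address (Cisco)",
}
# Client-identifier (option 61) hardware types, from the ARP hardware type numbers
HARDWARE_TYPES = {0: "non-hardware identifier", 1: "Ethernet", 6: "IEEE 802"}


def decode_client_identifier(value):
    """'01:6c:20:56:52:7e:b6' -> ('Ethernet', '6c:20:56:52:7e:b6')."""
    raw = bytes.fromhex(value.replace(":", ""))
    htype, ident = raw[0], raw[1:]
    if htype == 0:
        return HARDWARE_TYPES[0], ident.decode("ascii", errors="replace")
    return HARDWARE_TYPES.get(htype, f"hardware type {htype}"), ":".join(f"{b:02x}" for b in ident)


def parse_parameter_request_list(value):
    """Option 55 as ISE shows it ('1, 6, 15, ...') -> ordered list of option codes."""
    return [int(code) for code in re.split(r"[,\s]+", value.strip()) if code]


def describe_parameter_request_list(value):
    return [(c, DHCP_OPTION_NAMES.get(c, "unknown")) for c in parse_parameter_request_list(value)]


def prl_fingerprint(value):
    """Order-preserving fingerprint: one OS/DHCP stack asks for options in one order."""
    return ",".join(str(c) for c in parse_parameter_request_list(value))


def prl_contains(value, code):
    """Exact membership test on the parsed list (so 6 does not match inside 66)."""
    return code in parse_parameter_request_list(value)


# Operators named like ISE's profiler conditions; LIST_CONTAINS is an added, exact alternative
OPERATORS = {
    "EQUALS": lambda actual, expected: actual == expected,
    "CONTAINS": lambda actual, expected: expected in actual,
    "STARTSWITH": lambda actual, expected: actual.startswith(expected),
    "MATCHES": lambda actual, expected: re.search(expected, actual) is not None,
    "LIST_CONTAINS": lambda actual, expected: prl_contains(actual, int(expected)),
}


def evaluate_rules(attrs, rules):
    """Add up the certainty of each rule whose condition matches; returns (score, matched attrs)."""
    score, hits = 0, []
    for attribute, operator, expected, certainty in rules:
        actual = attrs.get(attribute)
        if actual is not None and OPERATORS[operator](actual, expected):
            score += certainty
            hits.append(attribute)
    return score, hits


# Sample attribute sets built from the ISE examples above (constructed input)
AP_ATTRS = {
    "dhcp-class-identifier": "Cisco AP c3600",
    "dhcp-client-identifier": "01:6c:20:56:52:7e:b6",
    "dhcp-parameter-request-list": "1, 6, 15, 44, 3, 7, 33, 150, 43",
}
PHONE_ATTRS = {
    "dhcp-class-identifier": "Cisco Systems, Inc. IP Phone CP-7961G",
    "dhcp-client-identifier": "01:00:1a:2f:69:db:ee",
    "dhcp-message-type": "DHCPREQUEST",
    "dhcp-parameter-request-list": "1, 66, 6, 3, 15, 150, 35",
    "dhcp-requested-address": "10.1.100.109",
}
# Illustrative rules in (attribute, operator, value, certainty) shape; not ISE's built-in policies
CISCO_AP_RULES = [
    ("dhcp-class-identifier", "CONTAINS", "Cisco AP", 30),
    ("dhcp-parameter-request-list", "LIST_CONTAINS", "150", 10),
]
CISCO_PHONE_RULES = [
    ("dhcp-class-identifier", "CONTAINS", "IP Phone", 30),
    ("dhcp-parameter-request-list", "LIST_CONTAINS", "150", 10),
    ("dhcp-parameter-request-list", "LIST_CONTAINS", "66", 10),
]

if __name__ == "__main__":
    for name, attrs in (("AP", AP_ATTRS), ("phone", PHONE_ATTRS)):
        print(name, decode_client_identifier(attrs["dhcp-client-identifier"]),
              prl_fingerprint(attrs["dhcp-parameter-request-list"]),
              evaluate_rules(attrs, CISCO_AP_RULES), evaluate_rules(attrs, CISCO_PHONE_RULES))
```

The reason for LIST_CONTAINS: a text CONTAINS condition on dhcp-parameter-request-list is a substring test, so "CONTAINS 5" also matches the phone's list through 15 and 150. Matching on the parsed list avoids that false positive.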


SNMP

The SNMP trap (linkup/linkdown or MAC notification) tells ISE that an endpoint has appeared on a port, which prompts ISE to run an SNMP query against the switch. The trap is usually unnecessary when RADIUS is configured, because the RADIUS session (accounting start) also triggers the SNMP query; sending both just doubles the polling of the switch.

Options available for SNMP in ISE’s profiler:

  • cafSessionAuthorizedBy - Part of the CISCO-AUTH-FRAMEWORK-MIB Module - Indicates the name of the feature which authorizes the authentication session.

  • cafSessionAuthUserName - Part of the CISCO-AUTH-FRAMEWORK-MIB Module - Indicates the name of the authenticated user for the authentication session.

  • cafSessionAuthVlan - Part of the CISCO-AUTH-FRAMEWORK-MIB Module - Indicates the authorized VLAN applied to the authentication session. Value zero indicates that no authorized VLAN has been applied, or it is not applicable.

  • cafSessionClientMacAddress - Part of the CISCO-AUTH-FRAMEWORK-MIB Module - Indicates the MAC address of the device associates with the authentication session.

  • cafSessionDomain - Part of the CISCO-AUTH-FRAMEWORK-MIB Module - Indicates the type of domain that the authentication session belongs to. other: none of the below. data: indicates the data domain. voice: indicates the voice domain. 1-other, 2-data, 3-voice

  • cafSessionStatus - Part of the CISCO-AUTH-FRAMEWORK-MIB Module - Indicates the current status of the authentication session. 1-idle, 2-running, 3-noMethod, 4-authenticationSuccess, 5-authenticationFailed, 6-authorizationSuccess, 7-authorizationFailed

  • cLApIfMacAddress - Part of the CISCO-LWAPP-AP-MIB Module - This object represents the Ethernet MAC address of the AP.

  • cLApName - Part of the CISCO-LWAPP-AP-MIB Module - This object represents the administrative name assigned to the AP by the user. If an AP is not configured, its factory default name will be ap: eg. ap:af:12:be.

  • cLApNameServerAddress - Part of the CISCO-LWAPP-AP-MIB Module - This represents the IP Address of the name server. This attribute can be configured only if the static IP option is turned on in the AP.

  • cLApNameServerAddressType - Part of the CISCO-LWAPP-AP-MIB Module - This represents the type of the IP address of the name server, made available through cLApNameServerAddress.

  • cLApSshEnable - Part of the CISCO-LWAPP-AP-MIB Module - This object specifies whether SSH session can be established to the AP.

  • cLApSysMacAddress - Part of the CISCO-LWAPP-AP-MIB Module - This object represents the radio MAC address common to the dot11 interfaces of the AP and uniquely identifies an entry in this table.

  • cLApTelnetEnable - Part of the CISCO-LWAPP-AP-MIB Module - This object specifies whether Telnet session can be established to the AP.

  • cLApTertiaryControllerAddress - Part of the CISCO-LWAPP-AP-MIB Module - This object represents the address of the tertiary controller that the APs will join.

  • cLApTertiaryControllerAddressType - Part of the CISCO-LWAPP-AP-MIB Module - This object represents the type of the tertiary controller's address made available through cLApTertiaryControllerAddress.

  • cLApUpTime - Part of the CISCO-LWAPP-AP-MIB Module - This object represents the time in hundredths of a second since the last time the AP rebooted.

  • cLApWipsEnable - Part of the CISCO-LWAPP-AP-MIB Module - This object represents if this AP is used as WIPS AP. A value of 'true' indicates that this AP is a WIPS AP. A value of 'false' indicates that this AP is not a WIPS AP. This applies only when the  AP is either in local or monitor mode.

  • cldcAssociationMode - Part of the CISCO-LWAPP-DOT11-CLIENT-MIB Module - The association mode for which the key decrypt error occurred.

  • cldcClientAccessVLAN - Part of the CISCO-LWAPP-DOT11-CLIENT-MIB Module - This object specifies access VLAN for client.

  • cldcClientIPAddress - Part of the CISCO-LWAPP-DOT11-CLIENT-MIB Module - This object specifies the client's IP address.

  • cldcClientStatus - Part of the CISCO-LWAPP-DOT11-CLIENT-MIB Module - The object that represents the current status of the client.

  • dot1xAuthAuthControlledPortControl - Part of the IEEE8021-PAE-MIB Module - The current value of the controlled Port control parameter for the Port.

  • dot1xAuthAuthControlledPortStatus - Part of the IEEE8021-PAE-MIB Module -  The current value of the controlled Port status parameter for the Port.

  • dot1xAuthSessionUserName - Part of the IEEE8021-PAE-MIB Module - The User-Name representing the identity of the Supplicant PAE.

  • hrDeviceDescr - Part of the HOST-RESOURCES-MIB Module - A textual description of this device, including the device's manufacturer and revision, and optionally, its serial number.

  • hrDeviceStatus - Part of the HOST-RESOURCES-MIB Module - The current operational state of the device described by this row of the table. A value unknown(1) indicates that the current state of the device is unknown. running(2) indicates that the device is up and running and that no unusual error conditions are known. The warning(3) state indicates that agent has been informed of an unusual error condition by the operational software (e.g., a disk device driver) but that the device is still 'operational'. An example would be a high number of soft errors on a disk. A value of testing(4), indicates that the device is not available for use because it is in the testing state. The state of down(5) is used only when the agent has been informed that the device is not available for any use.

  • ifDescr - Part of the IF-MIB Module - A textual string containing information about the interface. This string should include the name of the manufacturer, the product name and the version of the interface hardware/software

  • ifIndex  - Part of the IF-MIB Module - A unique value, greater than zero, for each interface. It is recommended that values are assigned contiguously starting from 1. The value for each interface sub-layer must remain constant at least from one re-initialization of the entity's network management system to the next re- initialization.

  • ifOperStatus - Part of the IF-MIB Module - The current operational state of the interface. The testing(3) state indicates that no operational packets can be passed. If ifAdminStatus is down(2) then ifOperStatus should be down(2). If ifAdminStatus is changed to up(1) then ifOperStatus should change to up(1) if the interface is ready to transmit and receive network traffic; it should change to dormant(5) if the interface is waiting for external actions (such as a serial line waiting for an incoming connection); it should remain in the down(2) state if and only if there is a fault that prevents it from going to the up(1) state; it should remain in the notPresent(6) state if the interface has missing (typically, hardware) components.

  • Port – The number of the port

  • portIfIndex - Part of the CISCO-STACK-MIB Module - The value of the instance of the ifIndex object, defined in MIB-II, for the interface corresponding to this port.

  • sysContact - Part of the SNMPv2-MIB Module - The textual identification of the contact person for this managed node, together with information on how to contact this person. If no contact information is known, the value is the zero-length string.

  • sysDescr - Part of the SNMPv2-MIB Module - A textual description of the entity. This value should include the full name and version identification of the system's hardware type, software operating-system, and networking software

  • sysLocation - Part of the SNMPv2-MIB Module - The physical location of this node (e.g., 'telephone closet, 3rd floor'). If the location is unknown, the value is the zero-length string.

  • sysName - Part of the SNMPv2-MIB Module - An administratively-assigned name for this managed node. By convention, this is the node's fully-qualified domain name. If the name is unknown, the value is the zero-length string.

  • sysObjectID - Part of the SNMPv2-MIB Module - The vendor's authoritative identification of the network management subsystem contained in the entity. This value is allocated within the SMI enterprises subtree (1.3.6.1.4.1) and provides an easy and unambiguous means for determining `what kind of box' is being managed. For example, if vendor `Flintstones, Inc.' was assigned the subtree 1.3.6.1.4.1.424242, it could assign the identifier 1.3.6.1.4.1.424242.1.1 to its `Fred Router'.

  • Vlan - Part of the CISCO-STACK-MIB Module - This object specifies access VLAN for client.

  • VlanName - Part of the CISCO-STACK-MIB Module - This object specifies the access VLAN name for client.

  • vlanPortVlan - Part of the CISCO-STACK-MIB Module - The Virtual LAN to which this port belongs.

  • vtpVlanIfIndex - Part of the CISCO-VTP-MIB Module - The value of the ifIndex corresponding to this VLAN ID. If the VLAN ID does not have its corresponding interface, this object has the value of zero

  • vtpVlanName - Part of the CISCO-VTP-MIB Module - The name of this VLAN. This name is used as the ELAN-name for an ATM LAN-Emulation segment of this VLAN.

  • vtpVlanState - Part of the CISCO-VTP-MIB Module - The state of this VLAN. The state 'mtuTooBigForDevice' indicates that this device cannot participate in this VLAN because the VLAN's MTU is larger than the device can support. The state 'mtuTooBigForTrunk' indicates that while this VLAN's MTU is supported by this device, it is too large for one or more of the device's trunk ports.


SNMP Trap Configuration

The interface-level command is snmp trap mac-notification change {added | removed}; the trap destination is the PSN that has the SNMP Trap probe enabled.

interface <Endpoint_Interface>
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
!
mac address-table notification change
mac address-table notification mac-move
!
snmp-server trap-source <Interface>
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host <ISE_PSN_IP_address> version 2c ciscoro


SNMP Query Configuration

snmp-server community ciscoro RO

A read-only v2c community travels in cleartext and gives anyone who learns it read access to every MIB listed above, so at a minimum restrict it with an access list that permits only the PSNs (the optional ACL argument on snmp-server community), and prefer SNMPv3 with authentication and privacy, which ISE's SNMP settings for the network device also support.


ACIDEX Information

Information provided by the AnyConnect client and relayed to ISE by the ASA over RADIUS. It supplies, for example, the local MAC address of a host connecting over VPN (which RADIUS alone cannot, since Calling-Station-Id on a VPN session carries the client's public IP rather than a MAC); newer versions of AnyConnect add things like the phone UID and IMEI. This information is sent from the network access device to ISE using the RADIUS probe.

  • device-platform – Example would be “Win”

  • device-platform-version – Version for the platform or operating system. Such as “6.1.7601 Service Pack 1”

  • device-type – Hardware platform or model number

  • device-uid – Phone UID


RADIUS


RADIUS attributes that may be used in the ISE Profiler:

  • Called-Station-ID - For IEEE 802.1X Authenticators, this attribute is used to store the bridge or Access Point MAC address in ASCII format (upper case only), with octet values separated by a "-".  Example: "00-10-A4-23-19-C0". In IEEE 802.11, where the SSID is known, it SHOULD be appended to the Access Point MAC address, separated from the MAC address with a ":". Example "00-10-A4-23-19-C0:AP1".

  • Calling-Station-ID - For IEEE 802.1X Authenticators, this attribute is used to store the Supplicant MAC address in ASCII format (upper case only), with octet values separated by a "-".  Example: "00-10-A4-23-19-C0".

  • Connect-Info - Attribute 77 (RFC 2869) is sent by the NAS in Access-Request and accounting "start" and "stop" records to describe the nature of the user's connection. On dial-in it carried the negotiated transmit and receive speeds, modulation and compression so a session could be analyzed end to end; on 802.11 the NAS typically sends a string such as "CONNECT 11Mbps 802.11b" (RFC 3580), which reveals the link type and speed.

  • DNS-Server-IPv6-Address - The DNS-Server-IPv6-Address Attribute contains the IPv6 address of a DNS server.  This Attribute MAY be included multiple times in Access- Accept packets when the intention is for a NAS to announce more than one DNS server address to an RG/host.  The Attribute MAY be used in an Access-Request packet as a hint by the NAS to the RADIUS server regarding the DNS IPv6 address, but the RADIUS server is not required to honor the hint.

  • Delegated-IPv6-Prefix - The Delegated-IPv6-Prefix attribute can be used in DHCP Prefix Delegation between the delegating router and a RADIUS server

  • Delegated-IPv6-Prefix-Pool - The Delegated-IPv6-Prefix-Pool Attribute contains the name of an assigned pool that SHOULD be used to select an IPv6 delegated prefix for the user on the NAS.  If a NAS does not support prefix pools, the NAS MUST ignore this Attribute.  It MAY be used in an Access-Request packet as a hint by the NAS to the RADIUS server regarding the pool, but the RADIUS server is not required to honor the hint.

  • Egress-VLAN-Name - This attribute represents an allowed VLAN for this port.

  • Egress-VLANID - This attribute represents an allowed IEEE 802 Egress VLANID for this port, indicating if the VLANID is allowed for tagged or untagged frames as well as the VLANID.

  • Framed-IP-Address - Indicates the IP address to be configured for the user, by sending the IP address of a user to the RADIUS server in the access-request.

  • Framed-IP-Netmask - Indicates the IP netmask to be configured for the user when the user is a router to a network. This attribute value results in a static route being added for Framed-IP-Address with the mask specified.

  • Framed-IPv6-Address - The Framed-IPv6-Address Attribute indicates an IPv6 address that is assigned to the NAS-facing interface of the RG/host.  It MAY be used in Access-Accept packets and MAY appear multiple times.

  • Framed-IPv6-Pool - This Attribute contains the name of an assigned pool that SHOULD be used to assign an IPv6 prefix for the user.  If a NAS does not support multiple prefix pools, the NAS MUST ignore this Attribute.

  • Framed-IPv6-Prefix - This Attribute indicates an IPv6 prefix (and corresponding route) to be configured for the user.  It MAY be used in Access-Accept packets, and can appear multiple times.  It MAY be used in an Access-Request packet as a hint by the NAS to the server that it would prefer these prefix(es), but the server is not required to honor the hint.

  • Framed-IPv6-Route - This Attribute provides routing information to be configured for the user on the NAS.  It is used in the Access-Accept packet and can appear multiple times.

  • Framed-Interface-Id - This Attribute indicates the IPv6 interface identifier to be configured for the user.  It MAY be used in Access-Accept packets.

  • Framed-Pool - Contains the name of an assigned address pool that should be used to assign an address for the user. If a NAS does not support multiple address pools, the NAS should ignore  this attribute.

  • Location - The Location-Data Attribute MAY be sent in Access-Request and Accounting-Request messages.  For the Accounting-Request message, the Acc-Status-Type may be set to Start, Interim, or Stop.

  • Login-IPv6-Host - This Attribute indicates the system with which to connect the user, when the Login-Service Attribute is included.  It MAY be used in Access-Accept packets.  It MAY be used in an Access-Request packet as a hint to the server that the NAS would prefer to use that host, but the server is not required to honor the hint.

  • NAS-Filter-Rule - This attribute indicates filter rules to be applied for this user. Zero or more NAS-Filter-Rule attributes MAY be sent in Access-Accept, CoA-Request, or Accounting-Request packets.

  • NAS-IP-Address - This Attribute indicates the identifying IP Address of the NAS which is requesting authentication of the user, and SHOULD be unique to the NAS within the scope of the RADIUS server.  It is only used in Access-Request packets.  Either NAS-IP-Address or NAS-Identifier MUST be present in an Access-Request packet.

  • NAS-IPv6-Address - This Attribute indicates the identifying IPv6 Address of the NAS which is requesting authentication of the user, and SHOULD be unique to the NAS within the scope of the RADIUS server.  NAS-IPv6-Address is only used in Access-Request packets.  NAS-IPv6-Address and/or NAS-IP-Address MAY be present in an Access-Request packet; however, if neither attribute is present then NAS-Identifier MUST be present.

  • NAS-Identifier - This Attribute contains a string identifying the NAS originating the Access-Request.  It is only used in Access-Request packets. Either NAS-IP-Address or NAS-Identifier MUST be present in an Access-Request packet.

  • NAS-Port - Indicates the physical port number of the network access server that is authenticating the user.

  • NAS-Port-Id - Contains a text string which identifies the port of the NAS that is authenticating the user

  • NAS-Port-Type - Indicates the type of physical port the network access server is using to authenticate the user

  • Route-IPv6-Information - The Route-IPv6-Information Attribute specifies a prefix (and corresponding route) for the user on the NAS. It is used in the Access-Accept packet and can appear multiple times. It MAY be used in an Access-Request packet as a hint by the NAS to the RADIUS server, but the RADIUS server is not required to honor the hint. 

  • Service-Type - Indicates the type of service requested or the type of service to be provided.

  • Stateful-IPv6-Address-Pool - The Stateful-IPv6-Address-Pool Attribute contains the name of an assigned pool that SHOULD be used to select an IPv6 address for the user on the NAS.  If a NAS does not support address pools, the NAS MUST ignore this Attribute.  It MAY be used in an Access-Request packet as a hint by the NAS to the RADIUS server regarding the pool, but the RADIUS server is not required to honor the hint.

  • User-Name - Indicates the name of the user being authenticated by the RADIUS server.

  • Vendor-Specific - Allows vendors to support their own extended attributes not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. Cisco's vendor-ID is 9, and the supported option has vendor-type 1, which is named "cisco-avpair."

  • Location-Capable - The Location-Capable Attribute allows an NAS (or client function of a proxy server) to indicate support for the functionality specified in this document.  The Location-Capable Attribute with the value for 'Location Capable' MUST be sent with the Access-Request messages, if the NAS supports the functionality described in this document and is capable of sending location information.  A RADIUS server MUST NOT challenge for location information unless the Location-Capable Attribute has been sent to it.

  • Acct-Input-Gigawords - Indicates how many times the Acct-Input-Octets counter has wrapped around 2^32 over the course of the provided service.

  • Acct-Output-Gigawords - Indicates how many times the Acct-Output-Octets counter has wrapped around 2^32 while delivering service.

  • Chargeable-User-Identity - The CUI attribute serves as an alias to the user's real identity, representing a chargeable identity as defined and provided by the home network as a supplemental or alternative information to User-Name(1).  Typically, the CUI represents the identity of the actual user, but it may also indicate other chargeable identities such as a group of users.  RADIUS clients (proxy or NAS) outside the home network MUST NOT modify the CUI attribute.
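
The Called-Station-Id and Calling-Station-Id formats described above are worth handling carefully, because the profiler keys everything on the endpoint MAC and the SSID is only recoverable if the string is split correctly. The Python below is an added example (not from this post or from Cisco): it normalizes MACs from the notations different NASes use into the uppercase colon-separated form ISE displays, splits an RFC 3580 Called-Station-Id into NAS MAC and SSID, and classifies the session media from NAS-Port-Type (RFC 2865 values). The function names and the sample attribute dictionaries are my own.

```python
"""Extract the profiling-relevant identity from one session's RADIUS attributes."""
import re

# RFC 2865 NAS-Port-Type values that matter here (subset)
NAS_PORT_TYPES = {5: "Virtual", 15: "Ethernet", 18: "Wireless-Other", 19: "Wireless-IEEE-802.11"}
_NAME_TO_TYPE = {name: code for code, name in NAS_PORT_TYPES.items()}

_HEX = "[0-9A-Fa-f]"
# RFC 3580 Called-Station-Id: "00-10-A4-23-19-C0" optionally followed by ":SSID"
_CALLED_RE = re.compile(rf"^((?:{_HEX}{{2}}-){{5}}{_HEX}{{2}})(?::(.*))?$")


def normalize_mac(value):
    """Canonical MAC in the form ISE displays: uppercase, colon separated.
    Accepts 00-10-A4-23-19-C0, 00:10:a4:23:19:c0 and Cisco's 0010.a423.19c0."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", value)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {value!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def parse_called_station_id(value):
    """Return (nas_mac, ssid); ssid is None on wired ports or when the NAS omits it.
    Split at the first ':' only, since an SSID may itself contain colons."""
    m = _CALLED_RE.match(value)
    if m:
        return normalize_mac(m.group(1)), m.group(2)
    return normalize_mac(value), None  # bare MAC in another notation, no SSID


def _port_type(value):
    """Accept the integer from the wire or the name ISE shows in its attribute view."""
    if value is None:
        return -1
    value = str(value)
    return int(value) if value.isdigit() else _NAME_TO_TYPE.get(value, -1)


def summarize_session(attrs):
    """attrs: attributes of one Access-Request keyed by RADIUS attribute name."""
    port_type = _port_type(attrs.get("NAS-Port-Type"))
    try:
        endpoint_mac = normalize_mac(attrs["Calling-Station-Id"])
    except ValueError:
        endpoint_mac = None  # VPN headends put the client's public IP here; the MAC comes via ACIDEX
    try:
        nas_mac, ssid = parse_called_station_id(attrs.get("Called-Station-Id", ""))
    except ValueError:
        nas_mac, ssid = None, None  # e.g. a VPN headend's own IP address
    if port_type == 5:
        media = "vpn"
    elif port_type in (18, 19):
        media = "wireless"
    elif port_type == 15:
        media = "wired"
    else:
        media = "unknown"
    return {"endpoint_mac": endpoint_mac, "nas_mac": nas_mac, "ssid": ssid, "media": media,
            "nas_port_type": NAS_PORT_TYPES.get(port_type, f"unknown({port_type})")}


if __name__ == "__main__":
    # Constructed sample: a wireless 802.1X session in the format RFC 3580 describes
    print(summarize_session({"User-Name": "host/pc1.securitydemo.net",
                             "Calling-Station-Id": "00-1A-2F-69-DB-EE",
                             "Called-Station-Id": "00-10-A4-23-19-C0:AP1",
                             "NAS-Port-Type": "19"}))
```

The VPN branch is why the ACIDEX section above matters: on a Virtual port the Calling-Station-Id is an IP address, so without the AnyConnect-supplied MAC there is nothing for the profiler to key the endpoint on.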

RADIUS Configuration

The accounting lines matter as much as the authentication ones for profiling: the RADIUS probe learns the endpoint's IP address from Framed-IP-Address in accounting, and aaa accounting update newinfo periodic 2880 makes the switch send an interim update as soon as it learns something new about the session (such as the IP address) and otherwise every 48 hours. The radius-server vsa send commands are what carry cisco-av-pair attributes, including the Device Sensor data, to ISE.

aaa authentication dot1x default group ise-group
aaa authorization network default group ise-group
aaa accounting dot1x default start-stop group ise-group
!
aaa accounting update newinfo periodic 2880
!
radius server ise
 address ipv4 x.x.x.x auth-port 1812 acct-port 1813
 key xxxx
!
aaa group server radius ise-group
 server name ise
!
ip radius source-interface <Interface>
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
!
radius-server vsa send accounting
radius-server vsa send authentication


DNS

With this probe ISE does a reverse (PTR) lookup of the endpoint's IP address to learn its fully qualified domain name. For the probe to work, ISE first needs the endpoint's IP-to-MAC binding from another probe, such as the RADIUS probe (Framed-IP-Address), the SNMP probe, or the DHCP probe, and the DNS servers ISE is configured with must actually hold a PTR record for that address.


Active Directory

Helps distinguish between corporate and non-corporate machines and can improve the fidelity of the operating system information for computers that are domain-joined.

This probe requires that the hostname of the endpoint is learned first, so another probe such as RADIUS (computer authentication), the DHCP probe, or the DNS probe must have received that information beforehand.

  • AD-Host-DNS-Domain – The Active Directory DNS domain

  • AD-Host-Exists  - Whether the host exists. True or False

  • AD-Join-Point – The Active Directory domain join point – i.e. Securitydemo.net

  • AD-Operating-System – Operating System of the endpoint

  • AD-OS-Version – OS version of the endpoint

  • AD-Service-Pack – Service pack, if applicable, of the endpoint


NMAP

The NMAP probe performs active scans to discover more about the endpoints.  ISE can do an OS scan, SNMP port scan, common port scan, SMB discovery, custom ports, and include service version information for every scan. Because it is active, it is the one probe that generates traffic toward the endpoint, so expect it to show up on host firewalls and IDS.

Note: If doing an SNMP port scan, the default SNMP community string that is used is public. To change the default string, navigate to Administration>System>Settings>Profiling

  • Specific UDP or TCP ports – Can be any TCP/UDP port you choose

  • Service Version Information – Additional level of scanning that provides Service and Application Version detection for all selected ports.

  • OS Scan – Operating System TCP/IP Fingerprinting

  • SMB.cpe – Common Platform Enumeration (CPE) that is provided over SMB

  • SMB.domain – SMB domain

  • SMB.fqdn – Fully Qualified Domain Name gleaned from SMB

  • SMB.lanmanager – Can provide operating system information

  • SMB.operating-system - Can provide operating system information

  • SMB.server – Can glean hostname from this as well


NMAP Scan in ISE can be triggered as part of a profile policy automatically or it can be done manually.