Cisco Identity Services Engine Express License Bundle White Paper
© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
Page 9 of 27
By acquiring the IP-to-MAC-address bindings of endpoints, the RADIUS probe facilitates the functions of other
probes that rely on IP addresses, such as DNS, Nmap, HTTP, and NetFlow. It is also used to support the Device
Sensor, discussed later in this guide.
If RADIUS-based device authentication is used, then the RADIUS probe is a simple and efficient method to collect
endpoint data. If network devices are not configured for RADIUS authentication, then it is still possible to use
RADIUS accounting only or to use SNMP to detect new devices as they connect to the network.
The major attributes gathered from the RADIUS probe are:
● MAC address (OUI)
● IP address (used by other probes)
The RADIUS probe is enabled by default.
Note: It is not necessary to use profiling if a policy based on RADIUS attributes is needed. ISE can authorize
endpoints directly based on the RADIUS attributes communicated during the connection phase.
SNMP Probe
There are two Simple Network Management Protocol (SNMP) probes: SNMPTRAP and SNMPQUERY.
SNMPTRAP
The SNMPTRAP probe is primarily used to trigger the SNMPQUERY probe. As new endpoints connect to the
network, the switch can be configured to generate SNMP traps that are sent to the ISE appliance. ISE then queries
the switchport for more information about the endpoint.
Since RADIUS accounting packets can also trigger the SNMPQUERY probe, the use of SNMPTRAP is typically
limited to deployments where RADIUS authentication has not yet been deployed or to cases where no RADIUS
authentication is planned or supported. The SNMPTRAP probe is useful in ISE deployments in a discovery-only
phase or where the primary goal is simply to establish visibility into what is connected to the network.
Cisco ISE can process SNMP linkup and MAC notification traps as well as SNMP informs. MAC notification traps
can populate the MAC address into the internal endpoint database without further interaction from SNMPQUERY
or other probes. Informs and linkup traps provide ISE only with the switchport of the endpoint. Collecting MAC
addresses and other endpoint data requires the SNMPQUERY probe to be enabled.
The SNMPTRAP probe is disabled by default.
Best practice: Disable SNMPTRAP if RADIUS is already used to detect new endpoints.
Best practice: Configure access switches to send SNMP traps to only one or at most two ISE appliances to limit
traffic and ISE replication. Using load balancers or Anycast can reduce the SNMP target list to one while still
providing redundancy.
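As an added example (not taken from this Cisco document), the following Catalyst IOS switch configuration produces the MAC notification and linkup traps described above and sends them to at most two ISE nodes, following the best practice. The addresses 10.1.1.10 and 10.1.1.11 and the community string ISE-RO are placeholders.

```cisco
! Placeholder values: 10.1.1.10 / 10.1.1.11 stand for the two ISE nodes, ISE-RO for the
! read-only community. The same community must be entered in the ISE network device
! definition, since SNMPQUERY uses it to query the switchport after a trap arrives.
snmp-server community ISE-RO RO
!
! MAC notification traps (learned / removed / moved): these let ISE populate the endpoint
! MAC address from the trap itself, without a follow-up SNMPQUERY.
mac address-table notification change
mac address-table notification change interval 0
mac address-table notification mac-move
snmp-server enable traps mac-notification change move threshold
!
! Linkup/linkdown traps only identify the switchport that changed state; the MAC address
! and other endpoint data then come from the SNMPQUERY probe.
snmp-server enable traps snmp linkup linkdown
!
! Best practice from the text: one or at most two trap targets, not every ISE node,
! to limit trap traffic and ISE replication.
snmp-server host 10.1.1.10 version 2c ISE-RO mac-notification snmp
snmp-server host 10.1.1.11 version 2c ISE-RO mac-notification snmp
!
! Only endpoint-facing access ports should raise MAC notifications.
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
```

If RADIUS authentication or accounting is already deployed, the SNMPTRAP probe and this trap configuration are not needed, because RADIUS accounting packets also trigger SNMPQUERY.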
SNMPQUERY
The SNMPQUERY probe is used to perform three functions:
● To trigger an SNMP query against a switchport to acquire port details including interface number and
VLAN, MAC-to-IP-address binding, and CDP/LLDP MIB information.