Understanding Cisco ISE Device Profiling

Cisco ISE Profiling Guide


Device profiling in Cisco Identity Services Engine (ISE) enables network administrators to automatically identify and classify endpoints connecting to the network. This comprehensive guide explores the various profiling probes available in ISE, their configurations, and the data they collect to help you build robust profiling policies.

1. Cisco Discovery Protocol (CDP)

CDP is a Cisco-proprietary Layer 2 protocol that enables network devices to share information about themselves with directly connected neighbors. ISE leverages CDP to gather detailed device information for profiling purposes.

Understanding CDP Type-Length-Values (TLVs)

CDP communicates using Type-Length-Value (TLV) structures that carry specific information about network devices. The most important TLVs for ISE profiling include:

  • Device ID: Identifies the hostname of the neighboring device
  • Address: Provides network layer addresses, with the first address typically being the SNMP-accessible IP
  • Capabilities: Describes device functionality (router, switch, phone, etc.)
  • Platform: Reveals the hardware model and platform type
  • Version: Contains detailed software version information including IOS release

Enabling CDP on Network Infrastructure

To allow ISE to collect CDP information, you must enable CDP globally and on relevant interfaces:

! Enable CDP globally
cdp run

! Enable on specific interface
interface GigabitEthernet1/0/1
  cdp enable

Configuring Device Sensor for CDP

The IOS Device Sensor feature must be configured to send CDP data to ISE via RADIUS accounting:

! Create CDP filter list
device-sensor filter-list cdp list CDP-TLVS
  tlv name device-name
  tlv name address-type
  tlv name capabilities-type
  tlv name platform-type
  tlv name version-type

! Apply the filter
device-sensor filter-spec cdp include list CDP-TLVS

! Enable accounting and notifications
device-sensor accounting
device-sensor notify all-changes

CDP Attributes in ISE

Once configured, ISE will receive CDP attributes such as:

  • cdpCacheAddress – Device IP address
  • cdpCacheCapabilities – Device capabilities as the letter codes shown by “show cdp neighbors” (e.g., “R;T;B;I” for Router, Transparent Bridge, Source-Route Bridge and IGMP)
  • cdpCacheDeviceId – Device hostname
  • cdpCachePlatform – Hardware platform (e.g., “cisco AIR-CAP3602I-A-K9”)
  • cdpCacheVersion – Full IOS version string
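To make the TLV walk from the previous two sections concrete, here is an added parser (example code written for this guide, not Cisco's or ISE's implementation) that takes a CDP payload, decodes the Device ID, Address, Capabilities, Version and Platform TLVs, and emits them under the cdpCache* attribute names listed above. The sample advertisement is constructed inline; the semicolon-joined capability letters follow the format of the example value above.

```python
import struct

# CDP string TLV types mapped to the ISE attribute names the guide lists
STRING_TLVS = {0x0001: "cdpCacheDeviceId", 0x0005: "cdpCacheVersion", 0x0006: "cdpCachePlatform"}
# Capability bits -> letters of "show cdp neighbors": R=Router T=Transparent bridge B=Source-route bridge S=Switch H=Host I=IGMP r=Repeater P=Phone
CAPABILITY_BITS = [(0x01, "R"), (0x02, "T"), (0x04, "B"), (0x08, "S"),
                   (0x10, "H"), (0x20, "I"), (0x40, "r"), (0x80, "P")]

def decode_capabilities(bits):
    return ";".join(code for mask, code in CAPABILITY_BITS if bits & mask)

def parse_addresses(value):
    """IPv4 addresses (NLPID 0xCC) from an Address TLV; ISE uses the first one."""
    count = struct.unpack("!I", value[:4])[0]
    pos, addrs = 4, []
    for _ in range(count):
        ptype, plen = value[pos], value[pos + 1]
        proto = value[pos + 2:pos + 2 + plen]
        pos += 2 + plen
        alen = struct.unpack("!H", value[pos:pos + 2])[0]
        addr, pos = value[pos + 2:pos + 2 + alen], pos + 2 + alen
        if ptype == 1 and proto == b"\xcc" and alen == 4:
            addrs.append(".".join(str(b) for b in addr))
    return addrs

def parse_cdp(payload):
    """Walk TLVs after the 4-byte header (version, TTL, checksum; checksum not verified)."""
    attrs, pos = {}, 4
    while pos + 4 <= len(payload):
        tlv_type, tlv_len = struct.unpack("!HH", payload[pos:pos + 4])
        if tlv_len < 4 or pos + tlv_len > len(payload):
            raise ValueError("malformed CDP TLV at offset %d" % pos)
        value, pos = payload[pos + 4:pos + tlv_len], pos + tlv_len
        if tlv_type == 0x0002 and parse_addresses(value):
            attrs["cdpCacheAddress"] = parse_addresses(value)[0]
        elif tlv_type == 0x0004 and len(value) == 4:
            attrs["cdpCacheCapabilities"] = decode_capabilities(struct.unpack("!I", value)[0])
        elif tlv_type in STRING_TLVS:
            attrs[STRING_TLVS[tlv_type]] = value.decode("ascii", "replace")
    return attrs

def tlv(tlv_type, value):
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value

# Constructed advertisement (not a capture): version 2, TTL 180, zero checksum, then five TLVs
ONE_IPV4 = struct.pack("!IBB", 1, 1, 1) + b"\xcc" + struct.pack("!H", 4) + bytes([10, 1, 20, 7])
SAMPLE_CDP = (bytes([2, 180, 0, 0]) + tlv(0x0001, b"AP-LAB-01") + tlv(0x0002, ONE_IPV4)
              + tlv(0x0004, struct.pack("!I", 0x27)) + tlv(0x0005, b"Cisco IOS Software, C3600 Software")
              + tlv(0x0006, b"cisco AIR-CAP3602I-A-K9"))
```

A truncated or oversized TLV length raises ValueError instead of reading past the payload, which is the check a collector fed untrusted Layer 2 frames needs.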

2. Link Layer Discovery Protocol (LLDP)

LLDP is an industry-standard protocol (IEEE 802.1AB) that provides similar functionality to CDP but works across multi-vendor environments. This makes it essential for profiling IoT devices and non-Cisco equipment.

Important: Unlike CDP, LLDP is disabled by default on Cisco switches. You must explicitly enable it for ISE profiling to work with LLDP-capable devices.

Key LLDP TLVs for Profiling

LLDP uses a similar TLV structure to communicate device information:

  • Chassis ID: Unique identifier for the device chassis (typically MAC or IP address)
  • Port ID: Identifies the specific port on the transmitting device
  • System Name: Device hostname or system name
  • System Description: Detailed description including hardware and software versions
  • System Capabilities: Device functions (bridge, router, WLAN AP, telephone)
  • Management Address: IP address used to manage the device
  • Port Description: Human-readable port description
  • Time To Live: Duration (in seconds) that LLDP information remains valid

Enabling LLDP on Switches

! Enable LLDP globally
lldp run

! Configure on interface
interface GigabitEthernet1/0/1
  lldp transmit
  lldp receive

Device Sensor Configuration for LLDP

! Create LLDP filter list
device-sensor filter-list lldp list LLDP-TLVS
  tlv name chassis-id
  tlv name port-id
  tlv name port-description
  tlv name system-name
  tlv name system-description
  tlv name system-capabilities
  tlv name management-address
  tlv name time-to-live

! Apply the filter
device-sensor filter-spec lldp include list LLDP-TLVS

! Enable tracking
device-sensor accounting
device-sensor notify all-changes

LLDP Attributes in ISE

ISE receives LLDP data as attributes including:

  • lldpChassisId – Device chassis MAC address
  • lldpSystemName – Device hostname
  • lldpSystemDescription – Full system description
  • lldpCacheCapabilities – Device capabilities
  • lldpManAddress – Management IP address

3. DHCP Probe

The DHCP probe is one of the most valuable profiling sources, as most endpoints request DHCP services. DHCP options reveal extensive information about device type, operating system, and vendor.

Critical DHCP Options for Profiling

  • Option 12 (Hostname): Client-provided hostname
  • Option 55 (Parameter Request List): Reveals which DHCP options the client wants – this creates a unique “fingerprint” for device types
  • Option 60 (Vendor Class Identifier): Identifies vendor and potentially model
  • Option 61 (Client Identifier): Unique client identifier, often based on hardware address
  • Option 77 (User Class): Allows clients to identify user preferences or department
  • Option 81 (Client FQDN): Fully qualified domain name
  • PXE Options (93, 94, 97): Identify network boot clients and their architecture

Configuring DHCP for ISE

ISE can receive DHCP information through two methods:

  • DHCP SPAN: Mirror DHCP traffic to ISE
  • DHCP Relay: Configure the DHCP server or relay agent to send information to ISE

! Example: Configure DHCP relay forwarding to the ISE PSN (10.1.1.50),
! added alongside the helper-address that points at the real DHCP server
interface Vlan100
  ip helper-address 10.1.1.50

Why DHCP Profiling is Powerful

The combination of DHCP options creates unique signatures. For example:

  • iPhones request a specific set of DHCP options in a particular order
  • Android devices have different patterns
  • Windows versions can be distinguished by their parameter request lists
  • Printers often include model information in Option 60
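The options listed under "Critical DHCP Options for Profiling" and the fingerprint idea above, as an added example (written for this guide; not ISE's probe code): a DHCP option parser that pulls options 12, 55, 60 and 61 out of a DHCPDISCOVER, keeps Option 55 in the client's order as the fingerprint string, and matches it against a small signature table. The attribute names, the DHCPDISCOVER bytes, the MAC and the signature table are all constructed for illustration, not real ISE dictionary names or profiles.

```python
DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 cookie that follows the 236-byte BOOTP header

def parse_dhcp_options(packet):
    """Return {option_code: value} from a DHCP message; raises ValueError on truncated input."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, pos = {}, 240
    while pos < len(packet):
        code = packet[pos]
        if code == 255:        # End option
            break
        if code == 0:          # Pad option carries no length byte
            pos += 1
            continue
        if pos + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[pos + 1]
        value = packet[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = opts.get(code, b"") + value   # RFC 3396: repeated options concatenate
        pos += 2 + length
    return opts

def profiling_attributes(packet):
    """Options the guide lists, under assumed attribute names (not ISE's own dictionary)."""
    opts, attrs = parse_dhcp_options(packet), {}
    if 12 in opts:
        attrs["host-name"] = opts[12].decode("ascii", "replace")
    if 55 in opts:   # keep the client's order: the ordered list is the fingerprint
        attrs["dhcp-parameter-request-list"] = ",".join(str(b) for b in opts[55])
    if 60 in opts:
        attrs["dhcp-class-identifier"] = opts[60].decode("ascii", "replace")
    if 61 in opts:   # hardware-type byte (1 = Ethernet) followed by the MAC
        attrs["dhcp-client-identifier"] = ":".join("%02x" % b for b in opts[61][1:])
    return attrs

# Constructed signature table for illustration; these are not real ISE profiles
SIGNATURES = {"1,3,6,15,119,252": "Lab-Handset", "1,3,6,12,15,28,42": "Lab-Printer"}

def classify(packet):
    prl = profiling_attributes(packet).get("dhcp-parameter-request-list", "")
    return SIGNATURES.get(prl, "Unknown")

MAC = bytes.fromhex("0242ac110007")   # constructed client MAC
# Constructed DHCPDISCOVER: op/htype/hlen/hops, 24 bytes of xid/secs/flags/addresses, chaddr, sname, file
SAMPLE_DISCOVER = (bytes([1, 1, 6, 0]) + bytes(24) + MAC + bytes(10) + bytes(192) + DHCP_MAGIC
                   + bytes([53, 1, 1]) + bytes([61, 7, 1]) + MAC + bytes([12, 9]) + b"lab-phone"
                   + bytes([60, 10]) + b"lab-vendor" + bytes([55, 6, 1, 3, 6, 15, 119, 252, 255]))
```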

4. SNMP Probe

SNMP queries provide rich device information by polling network devices for endpoint data. This is particularly effective for gathering switch port information and device details.

Essential SNMP OIDs for Profiling

ISE queries various SNMP Management Information Bases (MIBs) to collect profiling data:

  • sysDescr: System description including hardware and software details
  • sysName: Device hostname
  • sysObjectID: Vendor-specific object identifier that uniquely identifies device type
  • ifDescr: Interface description
  • ifOperStatus: Interface operational status
  • cldcClientIPAddress: (Cisco WLC) Client IP addresses
  • cldcClientStatus: (Cisco WLC) Client connection status
  • dot1xAuthSessionUserName: 802.1X authenticated username

SNMP Trap Configuration

Configure switches to send SNMP traps when MAC addresses are learned or removed:

! Enable MAC notification on interface
interface GigabitEthernet1/0/1
  snmp trap mac-notification change added
  snmp trap mac-notification change removed

! Enable MAC address table notifications
mac address-table notification change
mac address-table notification mac-move

! Configure trap destination (10.1.1.50 is the ISE PSN)
snmp-server trap-source Loopback0
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host 10.1.1.50 version 2c public

SNMP Query Configuration

Allow ISE to query switches via SNMP. The example uses the well-known community string public; in production choose a non-default string and restrict it with an access list to the ISE PSN addresses:

snmp-server community public RO

5. RADIUS Probe

RADIUS accounting messages provide real-time authentication and authorization data, making this probe essential for tracking authenticated endpoints.

Key RADIUS Attributes

  • Calling-Station-ID: Client MAC address in 802.1X scenarios
  • Called-Station-ID: Authenticator MAC address and SSID (for wireless)
  • Framed-IP-Address: IP address assigned to the client
  • NAS-Port-Id: Physical port identifier on the switch/AP
  • User-Name: Authenticated username
  • Service-Type: Type of service provided

RADIUS Configuration for ISE

! Define RADIUS server
radius server ISE-PSN
  address ipv4 10.1.1.50 auth-port 1812 acct-port 1813
  key SecureKey123

! Create server group
aaa group server radius ISE-GROUP
  server name ISE-PSN

! Configure AAA (aaa new-model must be enabled before the aaa commands are accepted)
aaa new-model
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP

! Send interim updates every 2 days
aaa accounting update newinfo periodic 2880

! Configure source interface
ip radius source-interface Loopback0

! Enable important RADIUS attributes
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server vsa send accounting
radius-server vsa send authentication

6. Network Scan (NMAP) Probe

The NMAP probe performs active scanning to discover additional endpoint information when passive methods are insufficient.

NMAP Scan Types

  • OS Detection: TCP/IP fingerprinting to identify operating system
  • Port Scanning: Discover open ports and running services
  • Service Version Detection: Identify application versions on open ports
  • SMB Discovery: Query Windows systems via SMB for hostname, domain, OS details
  • SNMP Port Scan: Check for SNMP service availability

SMB Attributes Collected

  • SMB.operating-system – Windows OS version
  • SMB.domain – Active Directory domain
  • SMB.fqdn – Fully qualified domain name
  • SMB.server – NetBIOS hostname
  • SMB.lanmanager – LAN Manager version

Note: NMAP scans can be triggered automatically via profiling policies or manually from the ISE interface. Configure the default SNMP community string under Administration > System > Settings > Profiling.

7. DNS Probe

The DNS probe performs reverse DNS lookups to obtain fully qualified domain names for endpoints.

For the DNS probe to function, ISE requires an IP-to-MAC binding from another probe (RADIUS, DHCP, or SNMP). ISE then performs a reverse DNS query to resolve the hostname.

Attribute collected: Fully Qualified Domain Name (FQDN)

8. Active Directory Probe

The AD probe queries Active Directory to distinguish corporate domain-joined machines from guest devices and enriches OS information.

Active Directory Attributes

  • AD-Host-Exists – Boolean indicating if host exists in AD
  • AD-Host-DNS-Domain – AD DNS domain name
  • AD-Join-Point – Domain join point
  • AD-Operating-System – OS from AD computer object
  • AD-OS-Version – Detailed OS version
  • AD-Service-Pack – Service pack level if applicable

The AD probe requires that the hostname be learned first through RADIUS (computer authentication), DHCP hostname, or DNS resolution.

9. AnyConnect ACIDEX Probe

ACIDEX (AnyConnect Indications and Device Extensions) sends detailed device information from AnyConnect VPN clients to ISE via RADIUS attributes.

ACIDEX Attributes

  • device-type – Hardware model (e.g., “iPhone13,2”)
  • device-platform – OS platform (e.g., “Windows”, “MacOS”, “iOS”)
  • device-platform-version – OS version string
  • device-uid – Unique device identifier (Phone IMEI, device serial)

This information is automatically sent when users connect via AnyConnect VPN through compatible network access devices like Cisco ASA or Firepower.

Building Effective Profiling Policies

With data from these various probes, you can create sophisticated profiling policies in ISE:

  • Combine multiple attributes: Use AND/OR logic to match specific device signatures
  • Leverage certainty factors: Assign weights to different attributes based on reliability
  • Create parent-child relationships: Build hierarchical profiles (e.g., Android-Phone inherits from Phone)
  • Use regular expressions: Match patterns in string attributes for flexibility

Best Practices

  • Enable multiple probes: Different probes complement each other – DHCP for initial detection, SNMP for port information, NMAP for stubborn devices
  • Start with passive methods: Begin with DHCP, RADIUS, and SNMP before enabling active NMAP scanning
  • Enable LLDP everywhere: With the rise of IoT, LLDP provides valuable multi-vendor profiling data
  • Monitor profiling accuracy: Regularly review “unknown” endpoints and create new policies as needed
  • Use exception policies: Create specific profiles for critical devices that may not match standard patterns

Additional Resources:

For more detailed information about ISE profiling, consult the official Cisco ISE documentation and community resources. This guide provides a foundation, but profiling strategies should be tailored to your specific network environment and security requirements.

Original research and insights inspired by: ISE Profiling Deep-Dive – Networking Fun