You have two main paths to get that data from the switch to your Profiler.
1. The RADIUS Way (Device Sensor) – Recommended
Instead of the switch acting as a mailman for DHCP packets, it acts as a “sensor.” It inspects the DHCP packet locally, pulls out those specific tags (Class ID, etc.), and stuffs them into a RADIUS Accounting packet.
- Pros: Much more efficient; doesn’t require extra helper addresses; works better in large environments.
- How it works: You enable
device-sensoron the switch. When the client sends a DHCP request, the switch notifies ISE via the existing RADIUS connection.
2. The IP Helper Way (DHCP Relay)
You can add the ISE PSN as a second ip helper-address.
- Pros: Simple to configure; doesn’t require “Device Sensor” knowledge.
- Cons: ISE will receive the full DHCP packet, but it won’t respond. This generates extra traffic, and some older DHCP clients might get confused if they see multiple “relays” involved in the transaction.
Which Should You Choose?
| If your switch is… | Use this method | Configuration Hint |
|---|---|---|
| A modern Catalyst (3650/3850/9000) | Device Sensor | Enable device-sensor and ensure mab is configured. |
| Very old or non-Cisco | IP Helper | Add ip helper-address <ISE_PSN_IP> to the SVI. |
The “Gotcha” with IP Helper
Important: If you decide to use the IP Helper method, remember that the switch will forward the DHCP packet to both destinations. Since ISE is not a DHCP server, it will just “sniff” the packet and drop it. This is perfectly fine for profiling, but it creates a “silent” destination that can make troubleshooting your network logs a bit more annoying.
Configuration Check
If you want to stick to the RADIUS method (Device Sensor), make sure your RADIUS configuration includes:
radius-server attribute-filtering limit-bin-length 1024(to ensure the packets aren’t truncated)- DHCP profiling is checked under Deployment > [PSN Name] > Profiling Configuration in the ISE GUI
Pro Tip: The Device Sensor method is the industry standard for modern Cisco deployments. It reduces network overhead and provides more reliable profiling data to ISE.