3850-X cdp device-sensor and ISE issue

Hello.

I'm trying to get device-sensor working with a Cisco WS-C3850-24P (03.06.00E IOS 152-2.E) and Cisco ISE 1.2.1.198. I've set up the 3850 and ISE as per the documentation but it looked like ISE wasn't receiving any cdp information from the 3850. I ran a debug on the 3850 that showed the device-sensor working ok (the connected Cisco AP was in the cache) but when a radius accounting packet was sent to ISE, the cdp tlv attributes sent were 'blank'. I've tried applying a cdp filter to the device-sensor but the tlvs sent to ISE are always blank. Am I missing some commands or is this a bug? Config and debug are below.

Thanks
Andy


3850 Config excerpt

aaa accounting dot1x default start-stop group radius
!
device-sensor accounting
device-sensor notify all-changes
!
radius-server vsa send accounting
radius-server vsa send authentication

!

debug


Oct 13 10:22:20.824: DSENSOR: Providing CDP protocol TLV's
Oct 13 10:22:20.824: DSENSOR: Get protocol attr list for cdp
Oct 13 10:22:20.824: DSENSOR: Protocol returned list for cdp
<<  cdp-tlv              0   00 21 00 04 00 00 00 00 >>
<<  cdp-tlv              0   00 04 00 04 00 00 00 02 >>
<<  cdp-tlv              0   00 03 00 0D 46 61 73 74 45 74 68 65 72 6E 65 74 30 >>
<<  cdp-tlv              0   00 02 00 04 00 00 00 00 >>
<<  cdp-tlv              0   00 06 00 1A 63 69 73 63 6F 20 41 49 52 2D 4C 41 50 31 31 33 31 41 47 2D 45 2D 4B 39 20 20 >>
<<  cdp-tlv              0   00 05 00 F1 43 69 73 63 6F 20 49 4F 53 20 53 6F 66 74 77 61 72 65 2C 20 43 31 31 33 30 20 53 6F 66 74 77 61 72 65 20 28 43 31 31 33 30 2D 4B 39 57 38 2D 4D 29 2C 20 56 65 72 73 69 6F 6E 20 31 32 2E 34 28 32 35 65 29 4A 41 4D 32 2C 20 52 45 4C 45 41 53 45 20 53 4F 46 54 57 41 52 45 20 28 66 63 31 29 0A 54 65 63 68 6E 69 63 61 6C 20 53 75 70 70 6F 72 74 3A 20 68 74 74 70 3A 2F 2F 77 77 77 2E 63 69 73 63 6F 2E 63 6F 6D 2F 74 65 63 68 73 75 70 70 6F 72 74 0A 43 6F 70 79 72 69 67 68 74 20 28 63 29 20 31 39 38 36 2D 32 30 31 33 20 62 79 20 43 69 73 63 6F 20 53 79 73 74 65 6D 73 2C 20 49 6E 63 2E 0A 43 6F 6D 70 69 6C 65 64 20 4D**MSG 00008 TRUNCATED**
**MSG 00008 CONTINUATION #01** 6F 6E 20 32 39 2D 4A 75 6C 2D 31 33 20 31 31 3A 33 32 20 62 79 20 70 72 6F 64 5F 72 65 6C 5F 74 65 61 6D >>
<<  cdp-tlv              0   00 01 00 08 6E 61 76 2D 61 70 2D 33 >>
Oct 13 10:22:20.828: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Oct 13 10:22:20.828: RADIUS/ENCODE: Skip oversized (253 bytes) Cisco VSA cdp-tlv
Oct 13 10:22:20.828: RADIUS/ENCODE(00000000): Unsupported AAA attribute clid-mac-addr
Oct 13 10:22:20.828: RADIUS(00000000): Config NAS IP: 10.31.150.2
Oct 13 10:22:20.828: RADIUS(00000000): sending
Oct 13 10:22:20.829: RADIUS(00000000): Send Accounting-Request to <ISE_IP_ADDRESS>:1646 id 1646/65, len 412
Oct 13 10:22:20.829: RADIUS:  authenticator FC 3E 76 AA 4C C9 91 A5 - 34 19 E8 E4 4A E8 F7 20
Oct 13 10:22:20.829: RADIUS:  Vendor, Cisco       [26]  24 
Oct 13 10:22:20.829: RADIUS:   Cisco AVpair       [1]   18  "cdp-tlv=        "
Oct 13 10:22:20.829: RADIUS:  Vendor, Cisco       [26]  24 
Oct 13 10:22:20.829: RADIUS:   Cisco AVpair       [1]   18  "cdp-tlv=        "
Oct 13 10:22:20.829: RADIUS:  Vendor, Cisco       [26]  33 
Oct 13 10:22:20.829: RADIUS:   Cisco AVpair       [1]   27  "cdp-tlv=                 "
Oct 13 10:22:20.829: RADIUS:  Vendor, Cisco       [26]  24 
Oct 13 10:22:20.829: RADIUS:   Cisco AVpair       [1]   18  "cdp-tlv=        "
Oct 13 10:22:20.829: RADIUS:  Vendor, Cisco       [26]  46 
Oct 13 10:22:20.829: RADIUS:   Cisco AVpair       [1]   40  "cdp-tlv=                              "
Oct 13 10:22:20.829: RADIUS:  Vendor, Cisco       [26]  28 
Oct 13 10:22:20.830: RADIUS:   Cisco AVpair       [1]   22  "cdp-tlv=   
         "
Oct 13 10:22:20.830: RADIUS:  Framed-IP-Address   [8]   6   10.31.120.114            
Oct 13 10:22:20.830: RADIUS:  User-Name           [1]   19  "00-1D-45-A9-6B-76"
Oct 13 10:22:20.830: RADIUS:  Vendor, Cisco       [26]  49 
Oct 13 10:22:20.830: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0A1F960200000FC10E63C42E"
Oct 13 10:22:20.830: RADIUS:  Vendor, Cisco       [26]  18 
Oct 13 10:22:20.830: RADIUS:   Cisco AVpair       [1]   12  "method=mab"
Oct 13 10:22:20.830: RADIUS:  NAS-IP-Address      [4]   6   10.31.150.2              
Oct 13 10:22:20.830: RADIUS:  NAS-Port            [5]   6   60000                    
Oct 13 10:22:20.830: RADIUS:  NAS-Port-Id         [87]  22  "GigabitEthernet1/0/1"
Oct 13 10:22:20.830: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
Oct 13 10:22:20.830: RADIUS:  Acct-Session-Id     [44]  10  "00000FB7"
Oct 13 10:22:20.830: RADIUS:  Class               [25]  53 
Oct 13 10:22:20.830: RADIUS:   43 41 43 53 3A 30 41 31 46 39 36 30 32 30 30 30  [CACS:0A1F9602000]
Oct 13 10:22:20.831: RADIUS:   30 30 46 43 31 30 45 36 33 43 34 32 45 3A 64 65  [00FC10E63C42E:de]
Oct 13 10:22:20.831: RADIUS:   76 2D 69 73 65 2F 32 30 32 32 34 31 38 31 31 2F  [v-ise/202241811/]
Oct 13 10:22:20.831: RADIUS:   31 32 35               [ 125]
Oct 13 10:22:20.831: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
Oct 13 10:22:20.831: RADIUS:  Event-Timestamp     [55]  6   1413192140               
Oct 13 10:22:20.831: RADIUS:  Acct-Delay-Time     [41]  6   0                       
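
Added example, not part of the original post or of any Cisco tooling: a Python sketch that parses the `<< cdp-tlv ... >>` cache lines from the debug above and computes the Cisco AVpair string length each TLV would produce, for comparison with the AVpair lengths (18, 18, 27, 18, 40, 22) in the Accounting-Request and with the "Skip oversized (253 bytes)" message. The function names, the 247-byte limit (derived from the RADIUS attribute format, not from the switch) and the filler bytes in the sample are assumptions; matching lengths say nothing about the bytes inside each value, which only a capture on the ISE side would show.

```python
import re

AVPAIR_PREFIX = b"cdp-tlv="
# RADIUS attribute length is one octet (max 255). A Cisco VSA spends 2 (type, len)
# + 4 (vendor id) + 2 (sub-attribute type, len) on headers. Assumed limit.
MAX_AVPAIR_STRING = 255 - 2 - 4 - 2
CDP_TYPES = {1: "Device-ID", 2: "Addresses", 3: "Port-ID",
             4: "Capabilities", 5: "Software-Version", 6: "Platform"}
LINE_RE = re.compile(r"<<\s+cdp-tlv\s+\d+\s+((?:[0-9A-Fa-f]{2}\s+){4,})>>")

def parse_cache_line(line):
    """Return (type, declared_len, value) for a '<< cdp-tlv ... >>' line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None  # not a TLV line, or cut off before '>>' (e.g. MSG TRUNCATED)
    raw = bytes.fromhex("".join(m.group(1).split()))
    return int.from_bytes(raw[:2], "big"), int.from_bytes(raw[2:4], "big"), raw[4:]

def expected_avpairs(debug_text):
    """Per cached TLV: (name, AVpair string length, status)."""
    rows = []
    for line in debug_text.splitlines():
        tlv = parse_cache_line(line)
        if tlv is None:
            continue
        tlv_type, declared, value = tlv
        name = CDP_TYPES.get(tlv_type, f"type-0x{tlv_type:04X}")
        if declared != len(value):  # log line lost bytes; do not trust it
            rows.append((name, None, "truncated-in-log"))
            continue
        string_len = len(AVPAIR_PREFIX) + 4 + declared  # "cdp-tlv=" + TLV header + value
        rows.append((name, string_len, "oversized" if string_len > MAX_AVPAIR_STRING else "sent"))
    return rows

# Constructed sample: the short TLV lines are copied from the debug in the post; the
# Software-Version line keeps the post's header (00 05 00 F1) with filler value bytes.
SAMPLE = "\n".join([
    "<<  cdp-tlv              0   00 21 00 04 00 00 00 00 >>",
    "<<  cdp-tlv              0   00 04 00 04 00 00 00 02 >>",
    "<<  cdp-tlv              0   00 03 00 0D 46 61 73 74 45 74 68 65 72 6E 65 74 30 >>",
    "<<  cdp-tlv              0   00 02 00 04 00 00 00 00 >>",
    "<<  cdp-tlv              0   00 06 00 1A 63 69 73 63 6F 20 41 49 52 2D 4C 41 50 31 31 33 31 41 47 2D 45 2D 4B 39 20 20 >>",
    "<<  cdp-tlv              0   00 05 00 F1 " + "41 " * 241 + ">>",
    "<<  cdp-tlv              0   00 01 00 08 6E 61 76 2D 61 70 2D 33 >>",
])

if __name__ == "__main__":
    for name, string_len, status in expected_avpairs(SAMPLE):
        print(f"{name:17} avpair_string={string_len} {status}")  # debug shows string + 2
```

Adding 2 for the sub-attribute header to each "sent" string length gives the AVpair length printed by the RADIUS debug.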

16 REPLIES

Repeated the above using lldp and a cisco phone - device-sensor cache shows the phone's cdp and lldp details ok.

A debug radius accounting shows cdp and lldp tlvs being sent to ISE but all are blank!

Release notes for IOS XE Release 3.6E:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3e/release_notes/OL3262101.html

state that this IOS supports "Cisco IOS Device Sensor for ISE profiling" - the 3850 I'm using is licenced for ipservices.

Has anyone got device-sensor working (cdp or lldp) with the 3850 model and IOS XE Release 3.6E?

Thanks
Andy

Community Member

Same issue here with 03.07.01E.

I have also used some older versions but I was not able to get CDP or LLDP attributes sent to ISE.

I do have the device-sensor notify all-changes command but the device-sensor accounting command is not available.

 

Community Member

I am running 03.07.04E and device sensor is not working. Has anyone managed a workaround for this?

Community Member

Just tried with 03.06.06.E.152-2.E6.bin and the same issue is still there ...

Could Cisco have a look at this? We can't buy 3750x anymore ... would be cool if 3850 could at least provide the features!

Community Member

I finally got it working thanks to another post:

https://supportforums.cisco.com/discussion/12674881/3850-0307-device-sensor-accounting-support

I confirm it works as expected, ISE is now receiving radius accounting with CDP inputs.

regards

Cisco Employee

I haven't deployed ISE with 3850 in a while but I recall having to use these commands to get the Device Sensor going:

access-session template monitor

no macro auto monitor

I am 100% sure I had to use those commands on older switches (3750s, 3560s, etc.) but just not 100% certain that the 3850s required them as well. I guess give it a try and see what happens :)

 

Thank you for rating helpful posts!

Thanks for the reply.

I applied the "access-session template monitor" command ok but I don't have the "monitor" option for "no macro auto monitor" - the options I have for "no macro auto" are:

device
execute
global
mac-address-group
sticky
trigger

I went through these disabling options for access points but the cdp tlvs sent in accounting packets to ISE are still blank. I eventually got ISE profiling working using snmp trap/query rather than the RADIUS probe.

Thanks
Andy

Cisco Employee

Interesting. I am guessing that you are hitting a bug then. If you can, open a case with TAC and let us know of the outcome :)

 

Thank you for rating helpful posts!

Cisco Employee

Andy, were you able to resolve this issue?

Hello Neno. My apologies for not updating the thread. I didn't get this resolved with the 3850 - this setup was to be deployed on a 6807 platform and as one wasn't available at the time, I used the 3850 for testing. When I got the 6807 switch I transferred my config onto it and device sensor worked fine.

Cheers

Andy

Cisco Employee

No worries! Thanks for the update (+5 from me). Unfortunately, we just faced the same issue here and were wondering if anyone was able to sort this out with the 3850s.

Community Member

I have been told by a Cisco guy this has been confirmed working on 3.6.X but I could not get it working here.

 

Cisco Employee

Yeah, we are running 3.6.x and the issue is still there :)

Community Member

These TLVs are not visible via CLI. You probably can see these values if you do a tcp dump on the accounting port on the ISE server.

Regarding the device sensor issue, I recall there were some compatibility issues between the IOS and ISE, but you can adjust some RADIUS attribute format on the IOS to make it work.

I am running testing on IOS-XE 3.7.2E and so far everything is fine; 3850x should run IOS-XE as well, but I have not tested.

-- Best Regards