Introduction
This document describes how to configure Device Sensor so that it can be used for profiling purposes on ISE.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- RADIUS protocol
- Cisco Discovery Protocol (CDP), Link Layer Discovery Protocol (LLDP) and Dynamic Host Configuration Protocol (DHCP)
- Cisco Identity Services Engine (ISE)
- Cisco Catalyst 2960 switch
Components Used
The information in this document is based on these software and hardware versions:
- Cisco ISE version 1.3 patch 3
- Cisco Catalyst 2960s switch, version 15.2(2a)E1
- Cisco IP Phone 8941, version SCCP 9-3-4-17
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Background Information
Device Sensor is a feature of access devices. It allows information about connected endpoints to be collected. Most of the time, the information collected by Device Sensor comes from these protocols:
- CDP
- LLDP
- DHCP
Note: On some platforms, H323, Session Initiation Protocol (SIP), Multicast Domain Name Resolution (MDNS) or the HTTP protocol can also be used. The configuration of the Device Sensor feature can differ from protocol to protocol. Examples are provided for a Cisco Catalyst 3850 running software 03.07.02.E.
Once the information is collected, it can be encapsulated in RADIUS accounting and sent to a profiling server. In this document, ISE is used as the profiling server.
Configure
Step 1. Standard AAA Configuration
To configure Authentication, Authorization and Accounting (AAA), refer to these steps:
1. Enable AAA with the aaa new-model command and enable 802.1X globally on the switch.
2. Configure the RADIUS server and enable dynamic authorization (Change of Authorization, CoA).
3. Enable the CDP and LLDP protocols.
4. Add the switchport authentication configuration.
!
aaa new-model
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting update newinfo
aaa accounting dot1x default start-stop group radius
!
aaa server radius dynamic-author
 client 1.1.1.1 server-key xyz
!
dot1x system-auth-control
!
lldp run
cdp run
!
interface GigabitEthernet1/0/13
 description IP_Phone_8941_connected
 switchport mode access
 switchport voice vlan 101
 authentication event fail action next-method
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 2
 spanning-tree portfast
end
!
radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 key xyz
!
Note: In newer software versions, the command radius-server vsa send accounting is enabled by default. If you do not see the attributes being sent in accounting, verify that this command is enabled.
Step 2. Configure Device Sensor
1. Determine which attributes from CDP/LLDP are required in order to profile the device. For a Cisco IP Phone 8941, you can use these:
- LLDP SystemDescription attribute
- CDP CachePlatform attribute
For our purposes it is enough to obtain just one of them, because each of these factors adds a certainty factor of 70, and the minimum certainty factor required to be profiled as Cisco-IP-Phone-8941 is 70:
Note: In order to be profiled as a specific Cisco IP Phone, the endpoint must meet the minimum conditions of all parent profiles. This means the profiler must match Cisco-Device (minimum certainty factor 10) and Cisco-IP-Phone (minimum certainty factor 20). Even though the profiler matches these two profiles, it must still profile the endpoint as a specific Cisco IP Phone, because the minimum certainty factor for each IP Phone model is 70. The device is assigned to the profile with the highest certainty factor.
2. Configure two filter lists, one for CDP and another for LLDP. These indicate which attributes must be included in the RADIUS accounting messages. This step is optional.
3. Create two filter-specs, for CDP and for LLDP. In a filter-spec you indicate the list of attributes that must be included in, or excluded from, the accounting messages. In the example these attributes are included:
- device-name from CDP
- system-description from LLDP
If required, you can configure additional attributes to be transmitted via RADIUS to ISE. This step is also optional.
4. Add the command device-sensor notify all-changes. It triggers an update whenever a TLV is added, modified or removed for the current session.
5. In order to actually send the information collected by the Device Sensor feature, you must explicitly tell the switch to do so with the command device-sensor accounting.
!
device-sensor filter-list cdp list cdp-list
 tlv name device-name
 tlv name platform-type
!
device-sensor filter-list lldp list lldp-list
 tlv name system-description
!
device-sensor filter-spec lldp include list lldp-list
device-sensor filter-spec cdp include list cdp-list
!
device-sensor accounting
device-sensor notify all-changes
!
Step 3. Configure Profiling on ISE
1. Add the switch as a network device under Administration > Network Resources > Network Devices. In the authentication settings, use the switch's RADIUS server key as the shared secret:
2. Enable the RADIUS probe on the profiling node under Administration > System > Deployment > ISE node > Profiling Configuration. If all PSN nodes must be used for profiling, enable the probe on all of them:
3. Configure the ISE authentication rules. In the example, the default authentication rules preconfigured on ISE are used:
4. Configure the ISE authorization rules. The "Profiled Cisco IP Phones" rule, which is preconfigured on ISE, is used:
Verify
In order to verify that profiling works correctly, refer to Operations > Authentications on ISE:
First, the device was authenticated with MAB (18:49:00). After ten seconds (18:49:10) it was re-profiled as Cisco-Device, and 42 seconds after the first authentication (18:49:42) it received the Cisco-IP-Phone-8941 profile. As a result, ISE returns the authorization profile specific to IP phones (Cisco_IP_Phones) and a downloadable ACL that permits all traffic (permit ip any). Note that in this scenario the unknown device has basic network access. This can be achieved by adding the MAC address to the ISE internal endpoint database, or by allowing very basic network access for previously unknown devices.
Note: In this example, initial profiling took about 40 seconds. On the next authentication, ISE already knows the profile and applies the correct attributes (permission to join the voice domain and the DACL) immediately, unless ISE receives new or updated attributes and must re-profile the device.
Under Administration > Identity Management > Identities > Endpoints > tested endpoint, you can see which attributes the RADIUS probe collected and their values:
You can see that the total certainty factor computed in this scenario is 210. This is because the endpoint also matches the Cisco-Device profile (total certainty factor 30) and the Cisco-IP-Phone profile (total certainty factor 40). Since the profiler matches both conditions in the Cisco-IP-Phone-8941 profile, the certainty factor for this profile is 140 (70 per attribute, according to the profiling policy). In summary: 30 + 40 + 70 + 70 = 210.
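The certainty arithmetic above, and the parent-profile gating described in the note under Step 2, can be modelled in a few lines. The block below is an added example and not code from the original document or from ISE: the profile names, minimum certainty factors (10/20/70) and the per-condition values that sum to 210 are taken from this document, while the substring conditions and the OUI attribute are simplifying assumptions made here and are not the real ISE policy conditions.

```python
# Added example (not from the original document): a minimal model of the ISE
# profiling-policy hierarchy for the Cisco IP Phone 8941 scenario.
# name -> (parent, minimum certainty, [(attribute, substring, certainty), ...])
# The conditions below are assumed for illustration, not the real ISE policies.
POLICIES = {
    "Cisco-Device": (None, 10, [
        ("OUI", "Cisco", 10),                      # assumed: MAC OUI match
        ("cdpCachePlatform", "Cisco", 10),
        ("lldpSystemDescription", "Cisco", 10),
    ]),
    "Cisco-IP-Phone": ("Cisco-Device", 20, [
        ("cdpCachePlatform", "IP Phone", 20),
        ("lldpSystemDescription", "IP Phone", 20),
    ]),
    "Cisco-IP-Phone-8941": ("Cisco-IP-Phone", 70, [
        ("cdpCachePlatform", "8941", 70),          # 70 per attribute, as on the page
        ("lldpSystemDescription", "8941", 70),
    ]),
}

def policy_certainty(name, attrs):
    """Certainty contributed by one policy's own conditions."""
    _parent, _minimum, conditions = POLICIES[name]
    return sum(cf for attr, needle, cf in conditions if needle in attrs.get(attr, ""))

def classify(attrs):
    """Walk the hierarchy top-down. A child is evaluated only when every
    ancestor reached its minimum; the endpoint lands on the profile with the
    highest summed certainty along the path. Returns (profile, total, matched)."""
    best, total, matched = "Unknown", 0, {}

    def walk(name, running):
        nonlocal best, total
        own = policy_certainty(name, attrs)
        if own < POLICIES[name][1]:          # minimum not met: stop this branch
            return
        matched[name] = own
        running += own
        if running > total:
            best, total = name, running
        for child, (parent, _m, _c) in POLICIES.items():
            if parent == name:
                walk(child, running)

    for root, (parent, _m, _c) in POLICIES.items():
        if parent is None:
            walk(root, 0)
    return best, total, matched

# Constructed endpoint, using the attribute values the forwarder logged above
PHONE = {"OUI": "Cisco Systems, Inc",
         "cdpCachePlatform": "Cisco IP Phone 8941",
         "lldpSystemDescription": "Cisco IP Phone 8941, V3, SCCP 9-3-4-17"}
```

With only one of the two attributes present, the 8941 profile still reaches its minimum of 70, which is the point made under Step 2.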
Troubleshoot
Step 1. Verify the Information Collected by CDP/LLDP
switch#sh cdp neighbors g1/0/13 detail
-------------------------
Device ID: SEP20BBC0DE06AE
Entry address(es):
Platform: Cisco IP Phone 8941 , Capabilities: Host Phone Two-port Mac Relay
Interface: GigabitEthernet1/0/13, Port ID (outgoing port): Port 1
Holdtime : 178 sec
Second Port Status: Down
Version :
SCCP 9-3-4-17
advertisement version: 2
Duplex: full
Power drawn: 3.840 Watts
Power request id: 57010, Power management id: 3
Power request levels are:3840 0 0 0 0
Total cdp entries displayed : 1
switch#
switch#sh lldp neighbors g1/0/13 detail
------------------------------------------------
Chassis id: 0.0.0.0
Port id: 20BBC0DE06AE:P1
Port Description: SW Port
System Name: SEP20BBC0DE06AE.
System Description:
Cisco IP Phone 8941, V3, SCCP 9-3-4-17
Time remaining: 164 seconds
System Capabilities: B,T
Enabled Capabilities: B,T
Management Addresses - not advertised
Auto Negotiation - supported, enabled
Physical media capabilities:
1000baseT(FD)
100base-TX(FD)
100base-TX(HD)
10base-T(FD)
10base-T(HD)
Media Attachment Unit type: 16
Vlan ID: - not advertised
MED Information:
MED Codes:
(NP) Network Policy, (LI) Location Identification
(PS) Power Source Entity, (PD) Power Device
(IN) Inventory
H/W revision: 3
F/W revision: 0.0.1.0
S/W revision: SCCP 9-3-4-17
Serial number: PUC17140FBO
Manufacturer: Cisco Systems , Inc.
Model: CP-8941
Capabilities: NP, PD, IN
Device type: Endpoint Class III
Network Policy(Voice): VLAN 101, tagged, Layer-2 priority: 0, DSCP: 0
Network Policy(Voice Signal): VLAN 101, tagged, Layer-2 priority: 3, DSCP: 24
PD device, Power source: Unknown, Power Priority: Unknown, Wattage: 3.8
Location - not advertised
Total entries displayed: 1
If you do not see any collected data, verify the following:
piborowi#show authentication sessions int g1/0/13 details
Interface: GigabitEthernet1/0/13
MAC Address: 20bb.c0de.06ae
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: 20-BB-C0-DE-06-AE
Status: Authorized
Domain: VOICE
Oper host mode: multi-domain
Oper control dir: both
Session timeout: N/A
Common Session ID: 0AE51820000002040099C216
Acct Session ID: 0x00000016
Handle: 0xAC0001F6
Current Policy: POLICY_Gi1/0/13
Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Server Policies:
Method status list:
Method State
dot1x Stopped
mab Authc Success
Step 2. Check the Device Sensor Cache
switch#show device-sensor cache interface g1/0/13
Device: 20bb.c0de.06ae on port GigabitEthernet1/0/13
--------------------------------------------------
Proto Type:Name Len Value
LLDP 6:system-description 40 0C 26 43 69 73 63 6F 20 49 50 20 50 68 6F 6E 65
20 38 39 34 31 2C 20 56 33 2C 20 53 43 43 50 20
39 2D 33 2D 34 2D 31 37
CDP 6:platform-type 24 00 06 00 18 43 69 73 63 6F 20 49 50 20 50 68 6F
6E 65 20 38 39 34 31 20
CDP 28:secondport-status-type 7 00 1C 00 07 00 02 00
If you do not see any data in this output, or the information is incomplete, verify the device-sensor commands, especially the filter-lists and filter-specs.
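The hex bytes in the cache are the raw CDP and LLDP TLVs, header included, which is why the LLDP entry is 40 bytes for a 38-character string and the CDP platform entry is 24 bytes for 20 characters. The decoder below is an added example, not code from the original document or from Cisco: it turns the cache dump into the attribute names ISE shows in the profiler debug (cdpCachePlatform, lldpSystemDescription, cdpUndefined28); only the two TLV types used on this page are named, and the sample input is constructed from the output above.

```python
import re

# Added example (not from the original document): decode "show device-sensor cache"
# TLV bytes into the attribute names that ISE later shows for the endpoint.
CDP_NAMES = {6: "cdpCachePlatform"}          # CDP TLV type 6 = Platform
LLDP_NAMES = {6: "lldpSystemDescription"}    # LLDP TLV type 6 = System Description

# Constructed sample: the three cache entries shown for the 8941 phone above
SAMPLE_CACHE = """\
LLDP 6:system-description 40 0C 26 43 69 73 63 6F 20 49 50 20 50 68 6F 6E 65
20 38 39 34 31 2C 20 56 33 2C 20 53 43 43 50 20
39 2D 33 2D 34 2D 31 37
CDP 6:platform-type 24 00 06 00 18 43 69 73 63 6F 20 49 50 20 50 68 6F
6E 65 20 38 39 34 31 20
CDP 28:secondport-status-type 7 00 1C 00 07 00 02 00
"""

def decode_tlv(proto, raw):
    """Return (ISE attribute name, printable value) for one raw TLV."""
    if proto == "LLDP":
        # LLDP header: 7-bit type + 9-bit length; the length excludes the header
        hdr = int.from_bytes(raw[:2], "big")
        tlv_type, value = hdr >> 9, raw[2:2 + (hdr & 0x1FF)]
        name = LLDP_NAMES.get(tlv_type)
    else:
        # CDP header: 16-bit type + 16-bit length; the length includes the 4-byte header
        tlv_type = int.from_bytes(raw[:2], "big")
        value = raw[4:int.from_bytes(raw[2:4], "big")]
        name = CDP_NAMES.get(tlv_type)
    if name is None:
        # Unknown types are reported the way ISE does: <proto>Undefined<type>, hex value
        prefix = "lldp" if proto == "LLDP" else "cdp"
        return f"{prefix}Undefined{tlv_type}", ":".join(f"{b:02x}" for b in value)
    return name, value.decode("ascii", "replace").strip()   # CDP pads with a space

def parse_cache(text):
    """Parse the cache dump; lines made only of hex bytes continue the previous entry."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] in ("LLDP", "CDP"):
            entries.append((parts[0], int(parts[2]), parts[3:]))
        elif parts and entries and re.fullmatch(r"[0-9A-Fa-f]{2}", parts[0]):
            entries[-1][2].extend(parts)
    result = {}
    for proto, length, hexbytes in entries:
        raw = bytes(int(h, 16) for h in hexbytes)
        if len(raw) != length:          # a truncated dump is worth flagging, not hiding
            raise ValueError(f"{proto} entry: Len says {length}, got {len(raw)} bytes")
        name, value = decode_tlv(proto, raw)
        result[name] = value
    return result
```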
Step 3. Check Whether the Attributes Are Present in RADIUS Accounting
You can use the debug radius command, or run a packet capture between the switch and ISE.
RADIUS debug:
Mar 30 05:34:58.716: RADIUS(00000000): Send Accounting-Request to 1.1.1.1:1813 id 1646/85, len 378
Mar 30 05:34:58.716: RADIUS: authenticator 17 DA 12 8B 17 96 E2 0F - 5D 3D EC 79 3C ED 69 20
Mar 30 05:34:58.716: RADIUS: Vendor, Cisco [26] 40
Mar 30 05:34:58.716: RADIUS: Cisco AVpair [1] 34 "cdp-tlv= "
Mar 30 05:34:58.716: RADIUS: Vendor, Cisco [26] 23
Mar 30 05:34:58.716: RADIUS: Cisco AVpair [1] 17 "cdp-tlv= "
Mar 30 05:34:58.721: RADIUS: Vendor, Cisco [26] 59
Mar 30 05:34:58.721: RADIUS: Cisco AVpair [1] 53 "lldp-tlv= "
Mar 30 05:34:58.721: RADIUS: User-Name [1] 19 "20-BB-C0-DE-06-AE"
Mar 30 05:34:58.721: RADIUS: Vendor, Cisco [26] 49
Mar 30 05:34:58.721: RADIUS: Cisco AVpair [1] 43 "audit-session-id=0AE518200000022800E2481C"
Mar 30 05:34:58.721: RADIUS: Vendor, Cisco [26] 19
Mar 30 05:34:58.721: RADIUS: Cisco AVpair [1] 13 "vlan-id=101"
Mar 30 05:34:58.721: RADIUS: Vendor, Cisco [26] 18
Mar 30 05:34:58.721: RADIUS: Cisco AVpair [1] 12 "method=mab"
Mar 30 05:34:58.721: RADIUS: Called-Station-Id [30] 19 "F0-29-29-49-67-0D"
Mar 30 05:34:58.721: RADIUS: Calling-Station-Id [31] 19 "20-BB-C0-DE-06-AE"
Mar 30 05:34:58.721: RADIUS: NAS-IP-Address [4] 6 10.229.20.43
Mar 30 05:34:58.721: RADIUS: NAS-Port [5] 6 60000
Mar 30 05:34:58.721: RADIUS: NAS-Port-Id [87] 23 "GigabitEthernet1/0/13"
Mar 30 05:34:58.721: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
Mar 30 05:34:58.721: RADIUS: Acct-Session-Id [44] 10 "00000018"
Mar 30 05:34:58.721: RADIUS: Acct-Status-Type [40] 6 Watchdog [3]
Mar 30 05:34:58.721: RADIUS: Event-Timestamp [55] 6 1301463298
Mar 30 05:34:58.721: RADIUS: Acct-Input-Octets [42] 6 538044
Mar 30 05:34:58.721: RADIUS: Acct-Output-Octets [43] 6 3201914
Mar 30 05:34:58.721: RADIUS: Acct-Input-Packets [47] 6 1686
Mar 30 05:34:58.721: RADIUS: Acct-Output-Packets [48] 6 35354
Mar 30 05:34:58.721: RADIUS: Acct-Delay-Time [41] 6 0
Mar 30 05:34:58.721: RADIUS(00000000): Sending a IPv4 Radius Packet
Mar 30 05:34:58.721: RADIUS(00000000): Started 5 sec timeout
Mar 30 05:34:58.737: RADIUS: Received from id 1646/85 10.62.145.51:1813, Accounting-response, len 20
Packet capture:
Step 4. Verify the Profiler Debugs on ISE
If the attributes were sent by the switch, you can check whether they were received on ISE. To do so, enable profiler debugs for the correct PSN node (Administration > System > Logging > Debug Log Configuration > PSN > profiler > debug) and perform the endpoint authentication again.
Look for this information:
2015-11-25 19:29:53,641 DEBUG [RADIUSParser-1-thread-1][]
cisco.profiler.probes.radius.RadiusParser -:::-
MSG_CODE=[3002], VALID=[true], PRRT_TIMESTAMP=[2015-11-25 19:29:53.637 +00:00],
ATTRS=[Device IP Address=10.229.20.43, RequestLatency=7,
NetworkDeviceName=deskswitch, User-Name=20-BB-C0-DE-06-AE,
NAS-IP-Address=10.229.20.43, NAS-Port=60000, Called-Station-ID=F0-29-29-49-67-0D,
Calling-Station-ID=20-BB-C0-DE-06-AE, Acct-Status-Type=Interim-Update,
Acct-Delay-Time=0, Acct-Input-Octets=362529, Acct-Output-Octets=2871426,
Acct-Session-Id=00000016, Acct-Input-Packets=1138, Acct-Output-Packets=32272,
Event-Timestamp=1301458555, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet1/0/13,
cisco-av-pair=cdp-tlv=cdpCachePlatform=Cisco IP Phone 8941 ,
cisco-av-pair=cdp-tlv=cdpUndefined28=00:02:00,
cisco-av-pair=lldp-tlv=lldpSystemDescription=Cisco IP Phone 8941\, V3\, SCCP 9-3-4-17,
cisco-av-pair=audit-session-id=0AE51820000002040099C216, cisco-av-pair=vlan-id=101,
cisco-av-pair=method=mab, AcsSessionID=ise13/235487054/2511, SelectedAccessService=Default Network Access,
Step=11004, Step=11017, Step=15049, Step=15008, Step=15004, Step=11005, NetworkDeviceGroups=Location#All Locations,
NetworkDeviceGroups=Device Type#All Device Types, Service-Type=Call Check, CPMSessionID=0AE51820000002040099C216,
AllowedProtocolMatchedRule=MAB, Location=Location#All Locations, Device Type=Device Type#All Device Types, ]
2015-11-25 19:29:53,642 DEBUG [RADIUSParser-1-thread-1][] cisco.profiler.probes.radius.RadiusParser -:::- Parsed IOS Sensor 1: cdpCachePlatform=[Cisco IP Phone 8941]
2015-11-25 19:29:53,642 DEBUG [RADIUSParser-1-thread-1][] cisco.profiler.probes.radius.RadiusParser -:::- Parsed IOS Sensor 2: cdpUndefined28=[00:02:00]
2015-11-25 19:29:53,642 DEBUG [RADIUSParser-1-thread-1][] cisco.profiler.probes.radius.RadiusParser -:::- Parsed IOS Sensor 3: lldpSystemDescription=[Cisco IP Phone 8941, V3, SCCP
2015-11-25 19:29:53,643 DEBUG [forwarder-6][] cisco.profiler.infrastructure.probemgr.Forwarder -:20:BB:C0:DE:06:AE:ProfilerCollection:- Endpoint Attributes:
ID:null
Name:null
MAC: 20:BB:C0:DE:06:AE
Attribute:AAA-Server value:ise13
(... more attributes ...)
Attribute:User-Name value:20-BB-C0-DE-06-AE
Attribute:cdpCachePlatform value:Cisco IP Phone 8941
Attribute:cdpUndefined28 value:00:02:00
Attribute:lldpSystemDescription value:Cisco IP Phone 8941, V3, SCCP 9-3-4-17
Attribute:SkipProfiling value:false
Note: The forwarder stores the endpoint, together with its attribute data, in the Cisco ISE database and then notifies the profiler about the new endpoint detected in your network. The profiler classifies the endpoint into an endpoint identity group and stores the endpoint with its matching profile in the database.
Step 5. Profiling of New Attributes and Device Assignment
Typically, after new attributes are added to the existing collection for a particular device, that device/endpoint is added to the profiling queue so that ISE can check whether a different profile must be assigned to it based on the new attributes:
2015-11-25 19:29:53,646 DEBUG [EndpointHandlerWorker-6-31-thread-1][]
cisco.profiler.infrastructure.profiling.ProfilerManager -:20:BB:C0:DE:06:AE:Profiling:-
Classify hierarchy 20:BB:C0:DE:06:AE
2015-11-25 19:29:53,656 DEBUG [EndpointHandlerWorker-6-31-thread-1][]
cisco.profiler.infrastructure.profiling.ProfilerManager -:20:BB:C0:DE:06:AE:Profiling:-
Policy Cisco-Device matched 20:BB:C0:DE:06:AE (certainty 30)
2015-11-25 19:29:53,659 DEBUG [EndpointHandlerWorker-6-31-thread-1][]
cisco.profiler.infrastructure.profiling.ProfilerManager -:20:BB:C0:DE:06:AE:Profiling:-
Policy Cisco-IP-Phone matched 20:BB:C0:DE:06:AE (certainty 40)
2015-11-25 19:29:53,663 DEBUG [EndpointHandlerWorker-6-31-thread-1][]
cisco.profiler.infrastructure.profiling.ProfilerManager -:20:BB:C0:DE:06:AE:Profiling:-
Policy Cisco-IP-Phone-8941 matched 20:BB:C0:DE:06:AE (certainty 140)
2015-11-25 19:29:53,663 DEBUG [EndpointHandlerWorker-6-31-thread-1][]
cisco.profiler.infrastructure.profiling.ProfilerManager -:20:BB:C0:DE:06:AE:Profiling:-
After analyzing policy hierarchy: Endpoint: 20:BB:C0:DE:06:AE EndpointPolicy:Cisco-IP-Phone-8941 for:210 ExceptionRuleMatched:false
Related Information