Cisco ISE log configuration commands enetered on routers

Similar Messages

• Cisco ISE managing configuration

  Is there a built-in mechansim for revision control in Cisco ISE? If not built-in, then what is the other way? I have been trying to look for documentation online but didn't find any.
  Just to explain what I am looking for:
  A way to properly manage all the configuration changes to ISE node.  Changes are  usually identified by a number or letter code, termed the "revision  number". For example, an initial  set of files is "revision 1". When the first change is made, the  resulting set is "revision 2", and so on. Each revision is associated  with a timestamp  and the person making the change. Revisions can be compared, restored, and with some types of files, merged.
  I ask this because "show run" output in ISE CLI does not give all the configuration details. How can we maintain the history of configurations?
  PS: I rate useful posts
  Thanks,
  Kashish

  There is not a way to track which version a specific ISE configuration is on. The ADE-OS configuration, or cli configuration typically is static once the repositories, dns info...etc is all set and done. For the application database you can setup a timer where an automatic backup is generated, from there you can manage what dates a backup is good for.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• Cisco ISE inline posture node Posture assessment query

  Hi all,
  i read the user guide for the ISE 1.1 and in the Inline posture section, I picked up the following text which concerned me if I understand it right...
  "In a deployment, such as outlined in the example, when more endpoints connect to the wireless network
  they are likely to fall into one of the identity groups that already have authenticated and authorized users
  connected to the network.
  For instance, there may be an employee, executive, and guest that have been granted access through the
  outlined steps. This situation means that the respective restrictive or full-access profiles for those ID
  groups have already been installed on the Inline Posture node. The subsequent endpoint authentication
  and authorization uses the existing installed profiles on the Inline Posture node, unless the original
  profiles have been modified at the Cisco ISE policy configuration. In the latter case, the modified profile
  with ACL is downloaded and installed on the Inline Posture node, replacing the previous version."
  Does this mean that if a corporate user VPNs in and successfully passes posture and gets a dACL applied to the session allowing full access, will the next user completely skip posture assessment and granted full access to the network if they are a member of the same AD group?
  I am planning on using the iPEP for posturing VPN clients and using AD groups to determine the correct dACL to apply to a particular VPN session.
  Thanks!
  Mario

  I'm not too familiar with the actual operations of the Inline Posture node, but it seems to me that the only things that are more or less "cached" are the authentication and authorization profiles that have been previously matched. So, even if they're "cached" and a endpoint matches and authorizes based on those policies, it would match on the policy that provides a pre-posture state. So, a PRE-POSTURE ACL would be pushed and an URL redirect would also occur to the NAC agent download portal (if the endpoint doesn't have it already).
  After posture is assessed, a change of authorization would occur and reauthorize that endpoint's session.
  So, in short, even if the profiles are cached, they only deliver pre-posture profiles. After posture assessment, the endpoint is goes through reauth via CoA.
  If you have access to the partner education connection, I suggest checking out the VoE deep dive series for ISE. There's a posture presentation that would probably help you out.
  https://communities.cisco.com/docs/DOC-30977
  HTH,
  Ryan

• Integration Safeword with Cisco ISE

  Hi,
  we have a Domain Integrated Safeword application, which was installed on our Domain Controller. Safeword requests were send over the Radius Port to the NPS server, and from there over Port 5040 to the Safeword application. This works without any problems.
  Now we would like to integrate the Cisco ISE to the Safeword. Because there is a checkbox "Safeword Server" at the Radius Token Identity Source, I thought that it is possible to communicate direct with the Safeword application, but it is not working.
  Anyone who already implemented this??
  T&R
  Frank

  Symptoms or Issue
  •Unsuccessful RADIUS or AAA functions in Cisco ISE
  •The NAD is unable to ping the Policy Service ISE node
  Conditions
  This scenario is applicable in a system in which Cisco ISE is configured to perform user authentication via an external RADIUS server on the network.
  Possible Causes
  The following are possible causes for losing connectivity with the RADIUS server:
  •Network connectivity issue or issues
  •Bad server IP address
  •Bad server port
  Resolution
  If you are unable to ping the Policy Service ISE node from the NAD, try any or all of these possible solutions:
  •Verify the NAD IP address
  •Try using Traceroute and other appropriate "sniffer"-type tools to isolate the source of disconnection. (In a production environment, be cautious of overusing debug functions, because they commonly consume large amounts of available bandwidth and CPU, which can impact normal network operation.)
  Check the Cisco ISE "TCP Dump" report for the given Policy Service ISE node to see if there are any indications.

• Does Cisco ISE-3315-K9 with ise version: Service Engine: 1.0.4.573 support command accouting like ACS

  Hi
  Can Anybody can update whether   ISE-3315-K9 with ise version: Service Engine: 1.0.4.573 , supports the command level accounting
  Bascially , we have integrated Cisco Switches with Cisco ISE for Device Authentication using Radius , we are able get the authentication logs on to the devices , but for any command changes or update done on Cisco devices we are not able to get the command accounting ..
  has succeed in  command level accounting on  Cisco ISE ..
  Please update
  Cisco ISE doesn't have TACACS feature ...

  Command Accounting is a TACACS+ feature so not for ISE....yet.
  However, you can do the following to send commands to syslog and not including passwords (hidekeys). I just picked 200 commands/lines to store in the local command buffer/log. increase or decrease as you have memory.  The notify syslog is what sends it via syslog.
  conf t
  archive
  log config
  logging enable
  logging size 200
  hidekeys
  notify syslog
  end
  wr mem
  Remember, syslog is clear text  :-)  log away from user traffic when possible.  Or use TLS based syslog when possible.
  I hope you find this answer useful, if it was satisfactory  for you, please mark the question as Answered.
  Please rate post you consider useful.
  -James

• Logging user commands in Cisco ACE appliance

  Good afternoon gentlemen
  I need to configure the same as shown below in Cisco ACE Appliance. The requirement is logging all user access login (whether failed or succeeded) and also logging all commands that users issue.
  #IOS commands
  no logging console
  logging buffered 307200 informational
  service timestamps log datetime localtime show-timezone
  logging trap debugging
  login on-failure log
  login on-success log
  archive
     log config
        logging enable
        logging size 500
        hidekeys
        notify syslog contenttype plaintext
  If you guys have an idea please answear
  Regards
  Christian

  Hello Arun,
  we saw before the message you report, it's probably a symptom of:
  CSCtx03563
  or
  CSCue38032
  I would suggest opening a TAC case to get this properly investigated.
  Kind Regards,
  Francesco

• Cisco ISE 1.2.x with Posture Configuration - Windows Patches

  Hi, Anybody has any experience in integrating Cisco ISE Posture with Microsoft SCCM?
  With WSUS this works fine, but with SCCM I don't have any idea how to proceed. Anybody knows what it's included in the predefined rules
  pr_WSUSRule and pr_WSUSCheck? I can't find any information in ISE Console or Cisco documentation.
  Thanks.

  Once agent performs the posture checks containing the windows hotfix checks, if the administrator configured the Launch Program Posture Remediation , agent will launch the script file which will initiate the windows hotfix updates via SCCM client configuration manager pre-installed/pre-configured on the box.

• What's "SAVE" configuration command for Cisco switch/ router?

  What's "SAVE" configuration command for Cisco switch / router? I know Switch#copy running-config startup-config works well,
  but so long, any other command that easy to remenber?

  What's "SAVE" configuration command for Cisco switch / router? I know Switch#copy running-config startup-config works well, but so long,
  any other command that easy to remenber?
  yes, here: Switch#write,and want to know more about the Cisco switch, please visit:http://www.3anetwork.com/cisco-switches-price_c1

• Need Cisco ISE Configuration Guide

  Dear Friends,
  Please send me cisco ISE configuration guide ASAP.
  Thanks & Regards,
  Rahul Wankhade

  Check the following link for Step by step configuration guide it cover all the deployment related to ISE
  http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
  ************Do rate helpful posts**********************

• Cisco ISE monitoring Logs

  Hi All,
  I want to backup all the radius logs before upgrading of the ISE from 1.0.4 to 1.1.0. I have already took a back up of application data.
  From Gui under Monitoring Node-->full backup on demand
  1)Is that all for the radius logs?
  2)If I have upgraded to 1.1.0, will the radius logs be lost?
  3)If I want to restore the radius logs in version 1.1.0, can I use the data restore under monitoring node and restore the logs taken from version 1.0.4?
  Please advise
  Thanks

  Duplicate posts.   
  GO here:  http://supportforums.cisco.com/discussion/12144361/cisco-ise-monitoring-logs

• Logging of commands on syslog server (Cisco Nexus 7010)

  Please help.
  How to set up logging of commands on syslog server ? (cisco nexus 7010)

  Hi Igor
  Nexus has internal accounting log: sh accouting log
  But it can be sent only to the accounting server, not to a syslog server.
  If you want - you man manually export it to some log.
  HTH,
  Alex

• Getting past "Fetch VLAN configuration - Command failed" errors in Cisco Prime Infrastructure 2.0 - How?

  I've got a handful of devices in Cisco Prime Infrastructure 2.0 which show up in the "Archive Failed Devices" view.  The "Failure Reason" is some variation of "Fetch VLAN configuration - Command failed" sometimes including "TELNET: Failed to establish TELNET connection to x.x.x.x".  What does this mean?  How do I overcome this?  In all cases, the device is configured to use SSH and has valid SSH credentials.  In all cases, I can SSH from the command line of the NCS appliance to the devices listed in the "Archive Failed Devices" view.

  Hi
  I was able to fix the "Fetch VLAN configuration - Command failed" by allowing tftp from the device to PI server in firewall. See if this can help.

• Configuring Cisco ISE for Authorization with External Radius Server attribute

  Hi,
  I'm trying to integrate an external radius server with Cisco ISE.
  I created an External Identity Store>Radius Token Server.
  I created a Identity Store sequence with just one identity store just as creadted above.
  And I was able to authenticate successfully.
  But when it comes to authorization.
  I observed we just have one tab named Authorization while creating Radius Token server.
  And it always refers to ACS:attribute_name.
  If I want to define a IETF radius attribute, (lets say class with attribute id as 25), how could I do it.
  In Cisco ACS we have a direct entry option in authorization tab where we can define the radius (IETF) attribute within Radius token server creation (within radius token server>Directory attribute tab).
  How ever I try to define the IETF attribute here (class,IETF:Class) I am not able to authorize with this attribute value.
  I tried with just one single authorization rule where it could hit.But observed it to go the default(as none of the rules defined matches the condition).
  Can anyone guide me how can we define a IETF radius attribute for authorization within Cisco ISE and what policy could we set it to work as authorization.
  Thanks in advance
  Senthil K

  This is the step of Creating and Editing RADIUS Vendors
  To create and edit a RADIUS vendor, complete the following steps:
  Step 1 From the Administration mega menu, choose Resources > RADIUS  Vendors.
  The RADIUS Vendors page appears with a list of RADIUS vendors that ISE  supports.
  Step 2 Click Create to create a new RADIUS vendor or click the radio  button next to the RADIUS vendor that
  you want to edit and click Edit.
  Step 3 Enter the following information:
  • Name—(Required) Name of the RADIUS vendor.
  • Description—An optional description for the vendor.
  • Vendor ID—(Required) The Internet Assigned Numbers Authority  (IANA)-approved ID for the
  vendor.
  • Vendor Attribute Type Field Length—(Required) The number of bytes  taken from the attribute value
  to be used to specify the attribute type. Valid values are 1, 2, and 4.  The default value is 1.
  • Vendor Attribute Size Field Length—(Required) The number of bytes  taken from the attribute value
  to be used to specify the attribute length. Valid values are 0 and 1.  The default value is 1.
  Step 4 Click Submit to save the RADIUS vendor.

• Cisco ISE - Reauthentication of client if server becomes alive again

  Dears,
  I have this case where Cisco ISE server is used to authenticate & authorize clients on the network.
  I configured the switch port to authorize the client in case the ISE server is dead (or not reachable).
  The thing is that I want to reauthenticate the client once the ISE server becomes alive again but I am not able to.. ("Additional Information is needed to connect to this network" bullet is not appearing and the client PC remains authenticated and assigned to the VLAN.
  Below is the switch port configuration:
  interface FastEthernet0/5
  switchport access vlan 240
  switchport mode access
  switchport voice vlan 156
  authentication event server dead action authorize vlan 240
  authentication event server alive action reinitialize
  authentication host-mode multi-domain
  authentication order dot1x mab
  authentication priority mab
  authentication port-control auto
  mab
  dot1x pae authenticator
  spanning-tree portfast
  Anyone can help?
  Regards,

  Please check whether the switch is dropping the connection or the server.
  Symptoms or Issue
   802.1X and MAB authentication and authorization are successful, but the switch is dropping active sessions and the epm session summary command does not display any active sessions.
  Conditions
   This applies to user sessions that have logged in successfully and are then being terminated by the switch.
  Possible Causes
   •The preauthentication ACL (and the subsequent DACL enforcement from Cisco ISE) on the NAD may not be configured correctly for that session.  
  •The preauthentication ACL is configured and the DACL is downloaded from Cisco ISE, but the switch brings the session down.  
  •Cisco ISE may be enforcing a preposture VLAN assignment rather than the (correct) postposture VLAN, which can also bring down the session.
  Resolution
   •Ensure the Cisco IOS release on the switch is equal to or more recent than Cisco IOS Release 12.2.(53)SE.  
  •Check to see whether or not the DACL name in Cisco ISE contains a blank space (possibly around or near a hyphen "-"). There should be no space in the DACL name. Then ensure that the DACL syntax is correct and that it contains no extra spaces.  
  •Ensure that the following configuration exists on the switch to interpret the DACL properly (if not enabled, the switch may terminate the session):  
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server vsa send accounting
  radius-server vsa send authentication

• Cisco ISE 1.2 Patch 6 -- 8 Update failed

  Hi all,
  I wanted to know if any bugs was registered for the cumulative patch 8 for Cisco ISE 1.2 and how to mitigate any patch failures.
  Important notice : I though that this error could be an unlucky try but i've tested the update two time.
  Indeed, i have three deployment : A Pre-production one, a 4 nodes distributed and a 2 nodes distributed.
  The patch works fine on the pre-production one, on the 2 nodes too but fails on the 4 nodes one with a very anormal behaviour.
  On the "show nodes status" in Maintenance - Patch manage, i can see that my both PAN are successfully patched and the first PSN too but when the "Patch in progress" appears on the second PSN, the "installed" status is cancelled in the first PSN and become "Patch in progress" so i've two "Patch in progress" in parallel, that is an anormal procedure not discribed by Cisco on the document "Installing a software Patch". (wich discribe a sequential update of all nodes)
  The symptoms after this error are :
  - Unable to process EAP-TLS authentications ! (CA are stored on the First PAN and seems to be unavailable from PSN to exchange the handshake)
  - The Application server try to restart but fails indefinitly even if i try to restart the node (on both PSN)
  - GUI Unavailable
  - MAB Auth is working
  - Endpoint and Endpoint Groups menus are missing on the GUI (I push the MAC Address through the ERS API but it is very strange)
  - Logs indicates one first "Patch success" on PAN and a second "Patch failed" still on PAN :(
  The task that resolves this issue is to launch the command "patch remove ise 8" on all nodes and everything come back functional.
  My big interrogation is that on my two other deployment, the patch was successfull and quick to process.
  Thanks for your help.

  This is that i did abviously... but the two PSN stay in status "Node down", the application service won't start correctly with these ADE-OS logs entries :
  2014-05-28T10:26:30.023223+00:00 XXXXXXX  logger: info:[application:operation:appservercontrol.sh] Starting ISE Application Server...
  2014-05-28T10:26:30.311676+00:00 XXXXXXX  logger: Loading PKCS11 ...
  2014-05-28T10:26:30.978432+00:00 XXXXXXX  logger: SLF4J: Class path contains multiple SLF4J bindings.
  2014-05-28T10:26:30.978454+00:00 XXXXXXX  logger: SLF4J: Found binding in [jar:file:/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/lib/slf4j-log4j12-1.5.8.jar!/org/slf4j/im
  pl/StaticLoggerBinder.class]
  2014-05-28T10:26:30.978502+00:00 XXXXXXX  logger: SLF4J: Found binding in [jar:file:/opt/CSCOcpm/appsrv/apache-tomcat-6.0.36/lib/com.cisco.xmp.osgi.slf4j-log4j12-1.5.
  8.PATCHED.jar!/org/slf4j/impl/StaticLoggerBinder.class]
  2014-05-28T10:26:30.978509+00:00 XXXXXXX  logger: SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
  2014-05-28T10:26:31.638970+00:00 XXXXXXX  logger: log4j:WARN No appenders could be found for logger (com.cisco.epm.config.cache.impl.ConfigCacheImpl).
  2014-05-28T10:26:31.638992+00:00 XXXXXXX logger: log4j:WARN Please initialize the log4j system properly.