Dashboard and Live authentication ISE 1.1.3.124 p1

Hello all,
Not long ago, I lost all data in the HOME panel; all sub-windows say: no data available, no nothing.
The only number I have there is the number of endpoints.
And now, in the live authentication, I don't have any results, no pass, failed etc... Running the health report gives me nothing.
I am running ISE 1.1.3.124 patch 1 and the Admin and PSN are not separated by any FW.
I know I should go to 1.1.4 patch 2 but maintenance windows are hard to manage.
Has anyone seen that behavior?
PS: replication is OK...
Thx

The issue could be due to incorrect or corrupted indexing, and it needs to be rebuilt via root patch. You may check the mnt-collector.out logs from the support bundle. I'd also suggest you go directly to ISE 1.2, which is scheduled for July 3rd week. In order to resolve the current issue, you may need to open a TAC case.
Jatin Katyal

Similar Messages

  • Export ISE Live Authentications and Sponsor activities

    Dear all,
    We need to know if it is possible to export to a syslog or any other service the live authentications logged on ISE.
    In addition, I need to know if is possible to export the sponsor activities.
    Thanks in advance!
    David

    Make sure your NAD is configured correctly, and try:
    ms-ise-mgm01/admin# app config ise
    Selection ISE configuration option
    [1]Reset Active Directory settings to defaults
    [2]Display Active Directory settings
    [3]Configure Active Directory settings
    [4]Restart/Apply Active Directory settings
    [5]Clear Active Directory Trusts Cache and restart/apply Active Directory settings
    [6]Enable/Disable ERS API
    [7]Reset M&T Session Database
    [8]Rebuild M&T Unusable Indexes
    [9]Purge M&T Operational Data
    [10]Reset M&T Database
    [11]Refresh M&T Database Statistics
    [12]Display Profiler Statistics
    [13]Exit
    try
    7 to reset the session db
    10 to reset the M&T database
    Once you have run these commands the DashBoard should begin to display information.

  • IP address in ISE live authentication after vlan change

    Hi all,
    On the ISE live authentication dashboard we can see the IP address of the client (known from FRAMED-IP-ADDRESS).
    But what about a VLAN change, and the situation when the client gets a new IP address after relocation to a different VLAN?
    Live logs show only the first IP address - client mapping (from the guest VLAN); after authorization a new VLAN and dACL are assigned, but the logs don't include the new IP address.
    The session ID is the same all the time.
    So maybe IP helper or another trick?
    regards

    Thx for the reply.
    I added "aaa accounting update newinfo" and I'll see tomorrow how it works with AnyConnect and 802.1x.
    Meanwhile I think I must clarify what I meant.
    Not all logs have an IP address present in live authentication (this is MAB for test only).
    The situation with 802.1x and AnyConnect is a bit better because there are IP addresses, but only from the first DHCP address assignment (authentication open with default ACL). Then if the policy changes the VLAN and the client gets a new IP address from a different scope, we have wrong information in this log.
    But getting back to our MAB...
    The details of this entry look like:
    So this is probably the reason that no IP address is visible: it was too soon for MAB to get this info and send it as the framed IP address (according to this config command "radius-server attribute 8 include-in-access-req").
    Nevertheless, clicking the accounting details (from the 2nd screenshot),
    we see that this information is present.
    So my first question is: at which stage is this column filled in? Only when "FRAMED-IP-ADDRESS" is sent in the RADIUS request? Or from accounting?
    Maybe ISE should dynamically modify this record after each accounting newinfo message?
    regards

  • ISE Live Authentications Not Visible

    Hi,
    I have a single node ISE deployed and have been adding and deleting policies for the past two weeks without issue.  It's using our production AD and CA server and connected to NCS.  My problem is that today when I was working on a new MAB policy, the policy would let the laptop on the network, but nothing appeared in live authentications screen or the reports.  I tried this with both a MAB and 802.1x policy set and both times I logged on with the correct policy, but nothing was showing in the logging.  These were both wireless and I had both the authentication and the accounting pointing at ISE.  As well as SNMP too.
    I forgot to see if the clock was off, but if the authentications are working, I'm not sure why the reporting is not.
    Any help would be appreciated.
    Thanks,
    Mike

    Is your log target set up?
    Admin/System/Logging/Remote Logging Targets/LogCollector
    Also if this is a guest wifi setup between a Cisco foreign & anchor WLC, make sure Auth & Accounting are set up on the foreign WLC.

  • ISE Live Authentications

    I have ISE with latest version 1.2.1.198
    I never see any entries in the live authentications page even though I have clients successfully authenticating and being authorised.
    Different browsers seem to make no difference.
    Has anyone also seen this and has anyone found a bug relating to this?
    Regards
    Roger

    Make sure your NAD is configured correctly, and try:
    ms-ise-mgm01/admin# app config ise
    Selection ISE configuration option
    [1]Reset Active Directory settings to defaults
    [2]Display Active Directory settings
    [3]Configure Active Directory settings
    [4]Restart/Apply Active Directory settings
    [5]Clear Active Directory Trusts Cache and restart/apply Active Directory settings
    [6]Enable/Disable ERS API
    [7]Reset M&T Session Database
    [8]Rebuild M&T Unusable Indexes
    [9]Purge M&T Operational Data
    [10]Reset M&T Database
    [11]Refresh M&T Database Statistics
    [12]Display Profiler Statistics
    [13]Exit
    try
    7 to reset the session db
    10 to reset the M&T database
    Once you have run these commands the DashBoard should begin to display information.

  • Cisco ISE (1.3) Posture and re-authentication

    Hello,
    With posture and re-authentication, during the re-authentication the posture status switches to pending. This results in a redirect to client provisioning and a temporary but unwanted state with no access to network resources.
    Is there a way to work around this?
    Regards,
    Dennis

     24423  ISE has not been able to confirm previous successful machine authentication  
    Judging by that line and what your policy says, it appears that your authentication was rejected as your machine was not authenticated prior to this connection.
    The first thing to check is whether MAR has been enabled on the identity source. The second thing to check is whether your machine is set to send a certificate for authentication. There are other things you can look at, but I'd do those two first.
    Log off and on or reboot, and then see if you at least get a failed machine auth on the operations>authentication page and we can go from there.

  • No records in Live Authentications

    We have not updated to 1.2.1 yet and are running 1.2.0.899. The only change made to the system was to the alarm settings, which was just adding emails to alarm notification in settings.
    Four hours after the alarm notif. change we started getting alerts that ISE had not had any authent requests; 2 days later it shows no records in Live authent or live sessions 4 hours after the change. All subfields at the top (i.e., Misconfigured Network Devices, Repeat Counters) are all zero as well. Authentication still SEEMS to be working: I am still able to log into network devices and users are still getting domain access, so we are really puzzled as to why nothing is being reported in the logs. On the home page of ISE, it also shows the system summary as "no data available" and we get "no heartbeat" alarms continuously and Critical : health status alerts.

    ISE 1.2 Dashboard Statics do not update
    CSCul94611
    Description
    Symptom:
    Issue with the Live dashboard in ISE 1.1.4 not displaying information and only showing "No Data Available".
    The Dash Board will run and work for awhile, but it will randomly stop updating any statistics on the dashboard.
    Data will show and is seen in the database, but never updates per incoming/outgoing endpoints.
    Live authentications will work fine as well as all users are able to be authenticated. Customer reports do not produce data.
    Seen on multiple customer's deployments with fresh installs, a fresh install with a backup from a previous 1.1.x version, as well as upgrading to 1.1.4 from any earlier 1.1.x version.
    Conditions:
    Cisco ISE 1.2 or 1.1.4
    Any browser
    Distributed or single node deployment.
    Workaround:
    The workaround that fixes this M&T corruption is to enter the following commands below:
    ms-ise-mgm01/admin# app config ise
    Selection ISE configuration option
    [1]Reset Active Directory settings to defaults
    [2]Display Active Directory settings
    [3]Configure Active Directory settings
    [4]Restart/Apply Active Directory settings
    [5]Clear Active Directory Trusts Cache and restart/apply Active Directory settings
    [6]Enable/Disable ERS API
    [7]Reset M&T Session Database
    [8]Rebuild M&T Unusable Indexes
    [9]Purge M&T Operational Data
    [10]Reset M&T Database
    [11]Refresh M&T Database Statistics
    [12]Display Profiler Statistics
    [13]Exit
    We need to select the following options:
    7 to reset the session db
    10 to reset the M&T database
    11 to refresh the statistics (Possibly do not need. Was only needed in 1 case.)
    Once you have run these commands the DashBoard should begin to display information.
    This process can take up to 12 hours to complete all three steps. Roughly 1 to 3 hours per option selected.
    Known Affected Releases:
    (1)
    1.2(0.899)

  • 802.1x Wireless - Enforce user AND machine authentication

    I am using ACS v5.6 and I'd like to confirm that it is not possible to enforce both user and machine authentication against AD before allowing wireless access to Windows 7 clients, using PEAP/MSCHAPv2 and the built-in 802.1x supplicant.
    The only workaround seems to involve MAR (Machine Access Restrictions), which has pretty significant drawbacks.
    I'd rather not have to deploy user and machine certificates.
    All I want to do is allow access to the wireless network only if the device and the user are in AD.
    It's such a simple scenario that I must be missing something.
    Any suggestions are welcome. Thanks in advance for your comments.
    Lucas

    In my opinion, the only solution that works is using NAM and EAP-Chaining with ISE as RADIUS backend. The last time I looked in the ACS release notes was 5.4, and it didn't have EAP-Chaining support.
    Using the built-in Windows supplicant will only authenticate user or machine at any time, not both. As you discovered, the feature called MAR used to be what was being recommended (mostly because nothing else existed). What most people miss when they say this will work fine with the Windows supplicant and ACS is the fact that you cannot be sure that when the user authenticates, he is doing it from an authenticated machine; this is mainly due to the shortcomings of MAR. You should consider migrating to ISE if you are not using any TACACS features on ACS.

  • Third party application retrieve live authentication info from ACS40

    We have ACS40 in place authenticating users and machines. There is another separate key application in our network, which will grant access to authenticated user only. How can ACS forward/share the live authentication information with other application? Please share your ideas.
    Thanks,
    Lahki

    Hi
    Live authentication data will appear in the passed and failed authentication logs. In ACS these can be logged locally and/or remotely.
    If you have an appliance you're probably stuck with syslog; however, if you have s/w ACS, ODBC logging could inject the data directly into your application's database.

  • Customize live authentications dashboard

    Hello,
    Is it possible to customize the live auth dashboard to see only the failed authentications? Also, is it possible to extend the view and to see the last 100 failed authentications? The filters one can apply to the live authentications dashboard do not give me those options.

    Not as far as I can see, but you can be a little clever.
    For example, you can definitely choose to view the last 100 entries. That is a standard option (click the screwdriver to select).
    But to see failed auth (in your case) you could filter on Authentication does not contain MSCHAPv2.
    Looking at your screenshot, that should give you a list of failures.
    The ACSview add-on to 5.x is certainly a nice feature that just missed out on a lot of customisation options.
    Paul

  • ACS 5.4 Can't see device name in "Live Authentication"

    Hello,
    Under dashboard I activated "Live Authentication". Under register card "General" I can see the IP address of the switch (authenticator) but not the name. The IP address is not listed under IP Address but under NAD.
    Under AAA Protocol > RADIUS Authentication it is perfect. Network device and IP address are listed correctly.
    Is there a way to see NAD in Dashboard?
    Regards Horst

    Hi,
    In the attachment, you can see the IP addresses of the switches (authenticator) in the column of NAD but not in the column of IP Address.
    If you open the Authentication-RADIUS-Today, the name and the IP address of the authenticator can be seen.
    I would like to see the IP address and the name of the network device.
    Regards Horst

  • Portal Drive Single Sign On and Kerberos Authentication

    Hi,
    We are using NW2004s SP10 Portal and we have successfully configured Kerberos authentication with Windows Active Directory 2003. To access the KM Content in windows explorer format, we are using Portal Drive but Portal Drive still asks for authentication i.e. SSO is not working for Portal Drive. I have understood from the forums and sap help site that SSO from portal drive will work only for NTLM authentication and client certificates. Can you please help regarding below questions.
    1. Can Kerberos and NTLM authentication be configured together?
    2. If yes, what are the steps to configure NTLM authentication for NW2004s SAP Portal and Active Directory 2003?
    3. Is there any other approach to make Portal Drive SSO work?
    Helpful answers will be rewarded.
    Regards,
    Chandra

    Hi Gregor,
    I did two things:
    First, I made a change in the portalapp.xml in the PAR file "com.sap.km.cm.par". In the section authentication scheme for "docs" I changed the authentication scheme to "default" to make sure that documents are opened using the default authentication scheme (SPNego) instead of basic authentication.
    Second, I used the SPNego wizard to configure SPNego. So I didn't adjust anything in the Visual Admin or the authentication template apart from adding the Template to the Ticket policy configuration.
    Again, this only worked after installing the latest version.
    Hope this helps
    Marcel

  • Graphics builder and os authentication

    I'm running on NT 4 sp6. I'm trying to get OS authentication working with graphics. It works great for forms and reports, but I cannot get graphics builder or the graphics runtime to work with OS authentication. I've tried it with developer 2000 r2 and 6i release 2. Thanks in advance.

    Is the state of OCCI and OS Authentication still the same? Or has it changed in the 2.5 years since this question was first asked and answered?
    I've yet to find any indication that it is now supported, but could I get confirmation of that fact?
    If it is not, what is the Oracle recommended method for accomplishing this?

  • Remote users sending email - RBL and SMTP authentication

    I've read about the problem of using RBLs with remote Outlook IMAP/SMTP users who may be using dynamically assigned IP addresses. There is a good chance that they will appear on the RBL and so not be able to send email via the GWIA.
    One workaround is to have them send their email via their ISP's SMTP server, but this is a pain, because when they are back in the office, they need to switch their SMTP server back to the in-house one.
    So on the GW 7.0.3 server running on SLES 10, I wondered if the one host could handle multiple GWIAs?
    1st existing GWIA:
    To handle the regular in/out email with RBL's protection on it.
    2nd new GWIA on a separate port but same IP address to handle just inbound email. This would be used by remote users and require authentication so no need for an RBL on it.
    Is this a sound approach?
    Any gotchas for setting up two gwia's on the one server and IP address besides separate ports?
    I am aware there is the option of using the GroupWise client or webmail, but firstly these users don't want to change from 'LookOut' due to their address book sync with their mobile phones, and secondly sometimes they like to use their smart phones for remote email synchronisation.

    Maybe I should simplify this a little...
    Can the one host handle multiple GWIA's??
    1st existing GWIA:
    To handle the regular in/out email with RBL's protection on it.
    2nd new GWIA on the same host and IP address, but on a separate port to handle just inbound email. This would be used by remote users and require authentication.

  • HT201318 I registered my apple ID and Icloud with a US address, and live in Switzerland. I do not own a US credit card. Now that I need to buy more storage with my swiss credit card, I can't change the country's billing address from the US to my swiss one

    I registered my apple ID and Icloud with a US address, and live in Switzerland. I do not own a US credit card. Now that I need to buy more storage with my swiss credit card, I can't change the country's billing address from the US to my swiss one. HELP PLS?

    Did you actually watch the movie? You get 30 days in which to view it and if you didn't watch it, that could be why you are getting that message. If you have watched the movie and you're sure that it has expired by now, contact iTunes Store Support and seek their help.
    Change the country in the upper left. - and click on Purchases, billing and redemption to proceed.
    https://getsupport.apple.com/Issues.action
