ISE accounting summerization

Similar Messages

• Cisco 2960-X & ISE accounting- username Radius attribute missing

  Hi,
  I'm facing an issue with cisco 2960 switch radius accounting with Cisco ISE1.2.1 .here is my senario:
  - Username (vendor1) is configured in ISE local database, under  group (VENDOR)
  - Authentication protocol : wired  MAB 
  - Authentication method : webauth  using guest portal  , the user is a  vendor  , so no dot1x configured on his NIC .
  the problem is that , the switch is not sending the username as a part of radius attribute , in the authentication log , the username shown as the MAC address of the user machine , therefor , I can not configure my authorization condition using  internaluser:Name  Equal  vendor1
  while if  I configure the condition using the identity group condition  IdentityGroup:Name  Equal  VENDOR  , it works .
  The same configuration is working on 3750 switch  with no issue .
  Here is my Switch config:
  aaa authentication login default local
  aaa authentication dot1x default group radius
  aaa authorization network default group radius 
  aaa authorization auth-proxy default group radius 
  aaa accounting auth-proxy default start-stop group radius
  aaa accounting dot1x default start-stop group radius
  aaa accounting update periodic 5
  username admin password 
  username radius-test password 
  aaa server radius dynamic-author
   client 172.16.2.20 server-key 7 04490A0206345F450C00
   client 172.16.2.21 server-key 7 03165A0F0F1A32474B10
  radius server ISE-RADIUS-1
   address ipv4 172.16.2.20 auth-port 1812 acct-port 1813
   automate-tester username radius-test idle-time 15
   key 7 111B18011E0718070133
  radius server ISE-RADIUS-2
   address ipv4 172.16.2.21 auth-port 1812 acct-port 1813
   automate-tester username radius-test idle-time 15
   key 7 0214055F02131C2A4957
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server attribute 31 mac format ietf upper-case
  radius-server attribute 31 send nas-port-detail
  radius-server dead-criteria time 5 tries 3
  radius-server vsa send accounting
  radius-server vsa send authentication
  any help  !!!

  Thanks for your reply , I know what's MAB , if you read my explanation again , i mentioned that the user is authenticated in the guest portal which mean that I have web authentication , and it is working fine .. The only issue is that I can not use the vendor1 username as part of authorization condition and this is because the switch is not sending the radius attribute type 1 to the ISE , thus , on the ise authentication log the MAC address  of the client machine is shown as a username not the actual username ( vendor1) 
  as I mentioned also , I have exactly the same setup with ise 1.2 and 3750 switch and I do not have this issue .I experience this with 2960x only . 

• Access Point Radios trying to authenticate via PEAP against ISE

  I have a working installation including a 5508 controller with ISE. The ISE is configured for EAP Chaining and clients are authenticating fine.
  We are seeing some weird behavior from the Access Points. We see authentication failures from devices trying to authenticate via PEAP, the funny thing is that the username and endpoint ID are the MAC addresses of our APs. we see it once or twice a day from several of the APs.
  Any ideas on what would cause this and what function of the AP is causing this?

  Hi Rasika,
  kindly advice. running on 7.6.130 and Cisco ISE 1.2.1.198, but my case is rejected the authentication, why radio base mac address is try to authenticating to ISE?
  Manufacturer's Name.............................. Cisco Systems Inc.
  Product Name..................................... Cisco Controller
  Product Version.................................. 7.6.130.0
  Bootloader Version............................... 1.0.20
  Field Recovery Image Version..................... 7.6.101.1
  Firmware Version................................. FPGA 1.7, Env 1.8, USB console 2.2
  Build Type....................................... DATA + WPS
  (Cisco Controller) >show radius summary
  Vendor Id Backward Compatibility................. Disabled
  Call Station Id Case............................. lower
  Acct Call Station Id Type........................ Mac Address
  Auth Call Station Id Type........................ Mac Address
  Aggressive Failover.............................. Enabled
  Keywrap.......................................... Disabled
  Fallback Test:
      Test Mode.................................... Off
      Probe User Name.............................. Radius_KeepAlive
      Interval (in seconds)........................ 300
  MAC Delimiter for Authentication Messages........ hyphen
  MAC Delimiter for Accounting Messages............ hyphen
  Authentication Servers
  Idx  Type      Server Address        Port    State     Tout  MgmtTout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
  1    NM    x.x.x.x              1645    Enabled   2     2         Disabled  Disabled - none/unknown/group-0/0 none/none
  2    NM  x.x.x.x               1812    Enabled   2     2         Enabled   Disabled - none/unknown/group-0/0 none/none <-- ISE
  3    NM    x.x.x.x             1645    Enabled   2     2         Disabled  Disabled - none/unknown/group-0/0 none/none
  4    NM    x.x.x.x               1812    Enabled   2     2         Enabled   Disabled - none/unknown/group-0/0 none/none <-- ISE
  Accounting Servers
  Idx  Type      Server Address        Port    State     Tout  MgmtTout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
  2      N    x.x.x.x               1813    Enabled   2     2         N/A       Disabled - none/unknown/group-0/0 none/none
  3      N     x.x.x.x               1813    Enabled   2     2         N/A       Disabled - none/unknown/group-0/0 none/none

• After ISE 1.2 upgrade I get "5413 RADIUS Accounting-Request dropped."

  Hello,
  I have a two admin node setup for ISE. I just upgraded one of my two ISE Admin nodes to Version 1.2. I still have one of my admin  nodes at 1.1.4. When I disable my Version 1.1.4 node and allow wireless authentications to be handled by the Version 1.2 node I get the message..."5413 RADIUS Accounting-Request dropped". None of my wireless edge devices will be allowed on the network during this time. When I re-enable my 1.1.4 node my wireless devices are then allowed on the network.
  I am currently using ISE to authenticate wireless connectivity.
  I also get the failure reason... "11038 RADIUS Accounting-Request header contains invalid Authentication field".
  Any ideas?
  Bob

  The 5413 RADIUS Accounting-Request dropped may be because the session was active on ISE1 and is now sending update messages to ISE2. Also, verify your shared secret radius key matches on both the wlc and ISE servers. I would try clearing the WLC connection for the test user when switching.  Just turning off wireless and back on doesn't do it.  Also, are you using PEAP-MSChapv2 or EAP-TLS for authenticating the clients.  What type of certificate is presented, public or private?

• ISE 1.2 - WLC 5508 - NAS sends RADIUS accounting update messages too frequently

  I'm getting this error in ISE referring to my Cisco 5508 WLC.  I'm not sure how to turn down the frequency.  Any ideas?
  NAS sends RADIUS accounting update messages too frequently
  Verify NAS configuration. Verify known NAS issues.

  I opened up a TAC case with Cisco yesterday and this is the response i got from them:
  There is bug on the WLC side to reduce the number acct updates:
  CSCug14713- WLC sends acct-update twice in the same millisecond
  This is fixed in 8.x on the WLC.
  So, it looks at though we just have to deal with it until they release an 8.x version for the WLC. In the meantime, you can disable the alerts in ISE.
  Administration>Settings>Alarm Settings>Misconfigured Network Device Detected
  Edit that alarm and set it to disabled

• ISE 1.2 - Error 12929 NAS sends RADIUS accounting update messages too frequently

  We are currently running Cisco ISE 1.2, and every day under the "Misconfigured Network Devices" section on the main ISE Page, I have a huge list of different devices that are all being flagged with the following error message:
  "12929 NAS sends RADIUS accounting update messages too frequently." " NAS sends RADIUS accounting update messages too frequently
  Verify NAS configuration. Verify known NAS issues."
  The list of devices seems to all be Cisco switches; albeit different models, IOS versions, ect.  
  i have searched on this issue, and the closest thing to a fix I can find is that it would be fixed in a WLC update, but that was 9 months ago.    I would like to know what causes this issue, and what needs to be altered in ISE, or on the switches to resolve this.
  Thank You.

   CSCuh20269    WLC sends acc updates too frequently, indicates user roams to itself  is the defect specifically on the WLC that is fixed in one of the 7.6 releases.
  Along with the config Jatin mentioned, you may want to try pulling an Accounting report from ISE periodically and analyze the traffic/isolate the endpoints/supplicants that may be causing  a lot of activity (For ex frequent IP changes ) which results in frequent accounting updates.
  Regards,
  Gurudatt
  Escalation engineer, SAMPG | CCIE#28227
  Cisco systems

• EAP MD5 with ISE 1.2 - How to Prevent Active Directory Account locks?

  Hi,
  Is there any how to prevent accounts to be locked in AD if someone do a password brute force attack in a account? ISE has some feature/Configuration to prevent this type of attack ?
  Thanks.

  So what you're saying is the retry values only come in to play if the RADIUS server is inaccessible, right?
  Windows laptops actually work just fine, because many of them are using machine authentication.  The main issue seems to be from iPhones, which are saving the username/password and then re-attempting too many times when the user changes password.
  One solution is to use LDAP instead of AD within ACS, but the downside is the password can be guessed thousands of time in a row and open to dictionary attacks.  We do enforce complex password policies so the liklihood of an account being compromised is slim, but, I'd rather eliminate the chance entirely.

• ISE 1.2 Sponsor Portal- Account Expiration Date Defaults to same time as Start Date

  We have a time profile setup for ISE Sponspr Portal with Start/End.  I understand this allows the sponsor to specifially set the start and end time for the guest account.  When creating an account, the Start/End time is the same time.  If a Sponsor forgets to set the end time, then the guest account will be created, but will expire not allowing the guest to login.  It would be nice to have the end time default to something other than the start time, like 8 hours default.  Is this possible?  Can the expiration time default to something like 8 hours, but still give the Sponsor the ability to adjust the start/end times if needed?  This is very simple, and I cannot believe this is not available.

  Beginning with Cisco ISE 1.2 time profiles are referred to as the account duration in the Sponsor portal.
  Cisco ISE 1.2 includes these default time profiles, which replace the profiles available previously:
  DefaultFirstLoginEight—the account is available for 8 hours starting when the guest user first successfully connects to the Guest portal. This replaces the DefaultFirstLogin time profile.
  DefaultEightHours—the account is available for 8 hours starting when sponsors first create the account. This replaces the DefaultOneHour time profile.
  DefaultStartEnd—sponsors can specify dates and times on which to start and stop network access.
  Upon expiration of their account per their assigned time profile, they will no longer be able to login or access the company network.
  If a guest were to return to the network, the sponsor can change the account duration via the sponsor portal to grant them access again and then require them to change their password if deemed necessary (depending on the settings). Changing account duration can be used for extending a guest users access longer than the original setup.
  If you upgrade to Cisco ISE 1.2, the older time profiles are still available, but you can delete them if you are not using them. If the older time profiles are assigned to a sponsor group, a message alerts you before deleting. If you perform a new installation of Cisco ISE 1.2, only the new time profiles display.

• ISE 1.2 - Guest Account converted to lower-case automatically

  Hello
  I have an ISE appliance version 1.2 and sponsor portal
  I create accounts with upper case username and upper case password, but Sponsor portal convert it to lower case.
  I try to login with lower case or upper case. I can't login with both.

  Check the Multiport configurations and HTML page settings for converting the Alphabetic-Cases.:
  You can check the below link for step by step configuration of HTML-Page’s setting:
  Link-1
  http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_custom_portals.html
  Link-2
  http://www.cisco.com/en/US/docs/security/ise/1.0/sponsor_guide/ise10_sponsor.html#wp1069407

• ISE doesnt send Guest accounts via Email

  HI
  I have come across an issue in ISE1.1.2.
  once i create a guest account, and click on email, i get the below error
  i have patched version 1.1.2 to the latest patch 3
  i have also configured teh sponsor portal customisation email address.
  ISE reports "Internal Error encountered. Please contact administrator or help desk"
  anyone have any suugestions?

  Hi Neno
  i have configured an SMTP server on ISE admin, i have created a default email address ( [email protected]). i have got an email address in the customization page of teh sponsor portal ( [email protected]).
  One thing i just tried was when i create a guest user with an email address of [email protected] , that worked fine. but if i configure a guest user with an email address of [email protected] , this is when i get the error message.

• Cisco ISE 1.2.1 - "12929 NAS sends RADIUS accounting update messages too frequently" error message

  Hello,
  Running ISE 1.2.1 Patch 1, we get following error message: "12929 NAS sends RADIUS accounting update messages too frequently" on all NAS Devices (i.e. C-4500s running SPA.03.04.00.SG.151-2.SG.bin).
  There was a previous post on this forum (RE: https://supportforums.cisco.com/discussion/11894006/ise-12-wlc-5508-nas-sends-radius-accounting-update-messages-too-frequently) that stated that the "aaa accounting update newinfo" command doesn't solve this problem even though bug CSCuh01760 "Misconfigured NAS criteria needs to be changed" is resolved in ISE 1.2.1 as per the release notes.
  Could you please advise us on that to do now? Thank you. 
  Regards.  

  For the WLC side:
  1. You are probably hitting this bug CSCug14713
  2. You can also change the "Interim Update" located under the SSID > Security AAA Servers
  For the Switch side:
  1. You might be hitting this bug:CSCuh01760
  2. Make sure that you have the following command in your config "aaa accounting update newinfo"
  Thank you for rating helpful posts!

• Cisco ISE (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out)

  Hi,
  I have a setup ISE 1.1.1. Users are getting authenticate against AD. Everything is working fine except some users report disconnection. I see in the ISE that (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out). Users are using Windows 7 OS.
  Error is enclosed & here is the port configuration.
  Port Configuration.
  interface GigabitEthernet0/2
  switchport access vlan 120
  switchport mode access
  switchport voice vlan 121
  authentication event fail action next-method
  authentication event server dead action reinitialize vlan 120
  authentication event server alive action reinitialize
  authentication host-mode multi-auth
  authentication order mab dot1x
  authentication priority dot1x mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 60
  spanning-tree portfast
  ip dhcp snooping limit rate 30 interface GigabitEthernet0/2
  switchport access vlan 120
  switchport mode access
  switchport voice vlan 121
  authentication event fail action next-method
  authentication event server dead action reinitialize vlan 120
  authentication event server alive action reinitialize
  authentication host-mode multi-auth
  authentication order mab dot1x
  authentication priority dot1x mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 60
  spanning-tree portfast
  ip dhcp snooping limit rate 30
  Please help.

  The error message means that Active Directory server Reject the authentication attempt
  as for some reasons the user account got locked.I guess, You should ask your AD Team to check in the AD
  Event Logs why did the user account got locked.
  Under Even Viewers, You can find it out
  Regards
  Minakshi (Do rate the helpful posts)

• ISE password expiration for Admin account issue

  OK .. we have been working on getting ISE up and running for a little while now and I have come across an odd and reoccurring issue with my admin accounts. I cannot figure out if there is something that we have missed in the setup or if there is and actual issue with the password policies. It seems that there is a "user" type password policy and then there is an "admin" type policy and am trying ti figure out if they are stepping on each other or something. I am running version 1.2.0.899 with patch 5,1.
  Here is the issue. I have started receiving password expiration reminders for the two admin accounts I have setup on the cluster. I have my address setup for an admin user named "admin" and an admin user named "wberry" and I receive two different e-mails for both accounts. The issue that I have is the dates listed in the e-mails. This is one e-mail that I get:
  The password for your local admin "wberry" is expiring on Mon Jun 01 09:43:03 CDT 2015. Please update immediately, by going to https://mem7700.spd.mli.corp/admin, signing-in, and clicking on the user name at the upper right corner.
  This is the second email that I get for the same account:
  Your network access password will expire on Thu Dec 03 08:43:03 CST 2015. Please contact your system administrator for assistance .
  As you can see the dates in the two messages are completely different. My admin policy is set with expired 180 days after creation and last change and the reminder is set to 10 days prior to expiration. The user password policy lifetime is also 365 days if password not changed with the reminder after 355 days. 
  Thoughts / recommendations.
  Brent

  Here you go:
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/application_networking_manager/4.1/user/guide/UG_over.html#wp1053919
  In fact, to reset the password, you must choose the change password option before you login the GUI.
  Cheers,
  Dom.

• Empty accounting log in ISE

  Hi,
  I am using ISE1.1.1 with 2960.
  Recently I found there is some empty log in accounting report.(see AAA accounting.png)
  So I do a sniffer and find out that source IP is the 2960.
  Then I got to check the log in "Network Device Log"(See Network device log.png)
  I can see the IP address of 2960.
  Can anybody know why the log in AAA accouting is empty and how to get rid of them.
  Some aaa and radius config in 2960.
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa accounting dot1x default start-stop group radius
  aaa server radius dynamic-author
  client X.X.X.X server-key 7 0XXXXXXX43
  aaa session-id common
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server dead-criteria time 5 tries 3
  radius-server host X.X.X.X auth-port 1812 acct-port 1813
  radius-server key 7 XXXXXXXX500
  radius-server vsa send accounting
  radius-server vsa send authentication
  Thanks.

  Hi,
  In Cisco ISE to see live failed and passed authentication logs
  Operations>authentications>live authentications and then click on detail.
  For failed login attempts by administrator.
  Monitor > Reports > Catalog > Server Instance > Server Administrator Logins report
  For understanding and configuring loggs
  Administration > System > Logging

• Guest account creation in ISE

  Hello All,
  I am encountering an issue in which I find only when guest accounts are created by sponsor through the sponsor portal, guess access is granted. If I manually add guest account in the same guest role via the administrative UI, instead of guest access authz profile is hit, ISE goes through supplicant provisioning flow. I know that I do have enable self provisioning flow but why would it kick in for guest user created by admin? I see many bugs dealing with guest portal flows but failed in finding one exactly matching to my senario. Any insight is greatly appreciated. version 1.2.
  Fadi

  You can create and manage guest user accounts  to provide temporary network access for guests. If you have numerous  guest user accounts whose account information is stored in an external  database, you can import this information to expedite the account  creation process.
  Please Check the below guide for user’s creations:
  http://www.cisco.com/en/US/docs/security/ise/1.1/sponsor_guide/ise_sponsor_chp2.html