ISE Live Authentications

I have ISE with latest version 1.2.1.198
I never see any entries in the live authentications page even though I have clients successfully authenticating and being authorised.
Different browsers seem to make no difference.
Has anyone also seen this and has anyone found a bug relating to this?
Regards
Roger

Make sure your NAD is configured correctly, and try:
ms-ise-mgm01/admin# app config ise
Selection ISE configuration option
[1]Reset Active Directory settings to defaults
[2]Display Active Directory settings
[3]Configure Active Directory settings
[4]Restart/Apply Active Directory settings
[5]Clear Active Directory Trusts Cache and restart/apply Active Directory settings
[6]Enable/Disable ERS API
[7]Reset M&T Session Database
[8]Rebuild M&T Unusable Indexes
[9]Purge M&T Operational Data
[10]Reset M&T Database
[11]Refresh M&T Database Statistics
[12]Display Profiler Statistics
[13]Exit
try
7 to reset the session db
10 to reset the M&T database
Once you have run these commands the DashBoard should begin to display information.

Similar Messages

  • IP address in ISE live authentication after vlan change

    Hi all,
    on ISE live authentication dashboard we can see IP address of the client (known from FRAMED-IP-ADDRESS).
    But what about vlan change and the situation when client gets new IP address after relocation to different vlan.
    Live logs shows only the first IP address - client mapping (from the guest vlan), after authorization new vlan and dACL is assigned but logs don't include new IP address.
    session ID is the same all the time.
    so maybe ip helper or other trick?
    regards

    thx for reply.
    I added "aaa accounting update newinfo" and I'll see tomorrow how it works with anyconnect and 802.1x.
    Meanwhile I think I must clarify what I meant
    Not all logs have IP address present in live authentication (this is MAB for test only)
    the situation with 802.1x and anyconnect is a bit better cause there are IP addresses but only from the first dhcp address assignment (authentication open with default ACL). Then if the policy changes vlan and the client gets new IP address from different scope we have wrong information in this log.
    but getting back to our MAB...
    details of this entry looks like:
    so this is probably the reason that no IP address is visible it was too soon for MAB to get this info and send it as framed IP address (according to this config command "radius-server attribute 8 include-in-access-req")
    nevertheless clicking the accounting details (from the 2nd screenshot)
    we see that this information is present
    so my first question is on which stage this column is fulfilled? only when "FRAMED-IP-ADDRESS" is sent in radius-request? or from accounting?
    maybe ISE should dynamically modify this record after each accounting newinfo message?
    regards

  • ISE Live Authentications Not Visible

    Hi,
    I have a single node ISE deployed and have been adding and deleting policies for the past two weeks without issue.  It's using our production AD and CA server and connected to NCS.  My problem is that today when I was working on a new MAB policy, the policy would let the laptop on the network, but nothing appeared in live authentications screen or the reports.  I tried this with both a MAB and 802.1x policy set and both times I logged on with the correct policy, but nothing was showing in the logging.  These were both wireless and I had both the authentication and the accounting pointing at ISE.  As well as SNMP too.
    I forgot to see if the clock was off, but if the authentications are working, I'm not sure why the reporting is not.
    Any help would be appreciated.
    Thanks,
    Mike                  

    Is your log target set up?
    Admin/System/Logging/Remote Logging Targets/LogCollector
    Also if this is a guest wifi setup between a Cisco foreign & anchor WLC, make sure Auth & Accounting are set up on the foreign WLC.

  • Export ISE Live Authentications and Sponsor activities

    Dear all,
    We need to know if it is possible to export to a syslog or any other service the live authentications logged on ISE.
    In addition, I need to know if is possible to export the sponsor activities.
    Thanks in advance!
    David

    Make sure your NAD is configured correctly, and try:
    ms-ise-mgm01/admin# app config ise
    Selection ISE configuration option
    [1]Reset Active Directory settings to defaults
    [2]Display Active Directory settings
    [3]Configure Active Directory settings
    [4]Restart/Apply Active Directory settings
    [5]Clear Active Directory Trusts Cache and restart/apply Active Directory settings
    [6]Enable/Disable ERS API
    [7]Reset M&T Session Database
    [8]Rebuild M&T Unusable Indexes
    [9]Purge M&T Operational Data
    [10]Reset M&T Database
    [11]Refresh M&T Database Statistics
    [12]Display Profiler Statistics
    [13]Exit
    try
    7 to reset the session db
    10 to reset the M&T database
    Once you have run these commands the DashBoard should begin to display information.

  • Dashboard and Live authentication ISE 1.1.3.124 p1

    Hello all,
    Not long ago, I lost all data in the HOME panel; all sub windows say: no data available, no nothing.
    The only number I have there is the number of endpoints.
    And now, in the live authentication, I don't have any results, no pass, failed etc... Running the health report gives me nothing.
    I am running ISE 1.1.3.124 patch 1 and the Admin and PSN are not separated by any FW.
    I know I should go to 1.1.4 patch 2 but maintenance windows are hard to manage.
    Anyone seen that behavior?
    ps: replication are ok...
    Thx

    The issue could be due to incorrect or corrupted indexing and it needs to be rebuilt via root patch. You may check the mnt-collector.out logs from the support bundle. I'd also suggest you go directly to ISE 1.2 that is scheduled for July 3rd week. In order to resolve the current issue, you may need to open a TAC case.
    Jatin Katyal
    - Do rate helpful posts -

  • No records in Live Authentications

    We have not updated to 1.2.1 yet and are running 1.2.0.899. the only changes made to the system was alarm settings, which was just adding emails to alarm notification in settings.
    Four hours after the alarm notif. change we started getting alerts that ISE had not had any authent requests, 2 days later it shows no records in Live authent or live sessions 4 hours after the change. All subfields at the top (i.e., Misconfigured Network Devices, Repeat Counters) are all zero as well. Authentication still SEEMS to be working, I am still able to log into network devices and users are still getting domain access so we are really puzzled as to why nothing is being reported in the logs. On the home page of ISE, it also shows the system summary as "no data available" and we get "no heartbeat" alarms continuously and Critical : health status alerts.

    ISE 1.2 Dashboard Statics do not update
    CSCul94611
    Description
    Symptom:
    Issue with the Live dashboard in ISE 1.1.4 not displaying information and only showing "No Data Available".
    The Dash Board will run and work for awhile, but it will randomly stop updating any statistics on the dashboard.
    Data will show and is seen in the database, but never updates per incoming/outgoing endpoints.
    Live authentications will work fine as well as all users are able to be authenticated. Customer reports do not produce data.
    Seen on multiple customer's deployments with fresh installs, a fresh install with a backup from a previous 1.1.x version, as well as upgrading to 1.1.4 from any earlier 1.1.x version.
    Conditions:
    Cisco ISE 1.2 or 1.1.4
    Any browser
    Distributed or single node deployment.
    Workaround:
    The workaround that fixes this M&T corruption is to enter the following commands below:
    ms-ise-mgm01/admin# app config ise
    Selection ISE configuration option
    [1]Reset Active Directory settings to defaults
    [2]Display Active Directory settings
    [3]Configure Active Directory settings
    [4]Restart/Apply Active Directory settings
    [5]Clear Active Directory Trusts Cache and restart/apply Active Directory settings
    [6]Enable/Disable ERS API
    [7]Reset M&T Session Database
    [8]Rebuild M&T Unusable Indexes
    [9]Purge M&T Operational Data
    [10]Reset M&T Database
    [11]Refresh M&T Database Statistics
    [12]Display Profiler Statistics
    [13]Exit
    We need to select the following options:
    7 to reset the session db
    10 to reset the M&T database
    11 to refresh the statistics (Possibly do not need. Was only needed in 1 case.)
    Once you have run these commands the DashBoard should begin to display information.
    This process can take up to 12 hours to complete all three steps. Roughly 1 to 3 hours per option selected.
    Known Affected Releases:
    (1)
    1.2(0.899)

  • WLC, ISE certificate authentication issue

    Hi Folks,
    This is the setup:
    Redundant pair of WLC 5508 (version 7.5.102.0)
    Redundant Pair of ISE (Version 1.2.0.899)
         The ISE servers are connected to the corporate Active Directory (the AD servers are configured as external identity sources)
         There is a rule based authentication profile which queries the AD identity source when it receives wireless 802.1x authentication requests.
    A corporate WLAN is configured on the WLC:
    L2 security WPA+WPA2 (AES Encryption), ISE server 1 and 2 configured as the AAA Authentication servers.
    This is all working correctly - I associate to the Corp WLAN (Authentication WPA2 enterprise, encryption AES CCMP, 802.1x auth MS-CHAPv2 using AD credentials) ... I can see the authentication request being processed correctly by the ISE, and I get access to the network.
    The client I am working for wants to restrict access to the WLAN to users who have been allocated a certificate from the corporate CA, and this is where I am having issues.
    I took a test laptop, and requested a new certificate (mmc, add snapin, certificates, current user, personal, request new cert).   
    The cert that was issued was signed only by a Corporate AD server with CA services (there is nothing in the certification path above the cert I was issued, apart from the issuing server itself).   I changed the security settings of my connection to the corp wlan (using TLS instead of mschapv2, and pointing to the certificate I requested)
    Initially authentication failed because the ISE did not trust the CA that provided my certificate (the ISE radius authentication troubleshooting tool had this entry: '12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain').
    I exported the issuing CA's root certificate (followed this process http://support.microsoft.com/kb/555252), and imported the cert into ISE (administration, system, certificates, certificate store, import) - status of the cert is enabled, and it is trusted for client auth.
    After I did this, I could no longer associate to the Corp WLAN.  
    My laptop's wireless management software logs were filled with messages saying that the authentication server did not respond.   
    The ISE troubleshooting tool reported no new failed or successful authentication attempts.   
    Strangely though, the WLC log had a lot of entries like this: 'AAA Authentication Failure for UserName:host/laptop_asset_tag.corp.com User Type: WLAN USER'.
    It looks like the WLC is trying to locally authenticate my session when I use TLS, rather than hand off the authentication request to the ISE.    Other users who authenticate using their AD credentials only (as I described above) can still authenticate ok.
    Anyone able to shed some light on where I have gone wrong or what additional troubleshooting I can do?
    Thanks in advance,
    Darragh

    Hi,
    I had the same issue with microsoft CA and running ISE 1.1.4. The CA file was "corrupted", but you didn't see it at first glance. You can verify if the client CA matches the root CA via openssl.
    Try to export the root CA and the issuing CA in a different format (Base64), import both root and issuing into ise and check if that works. Also check if "Trust for client authentication or Secure Syslog services" in the Certificate Store -> CA -> Edit, is set.
    If this does not work, try to import the CA into another system and export it, then import into ISE.
    Regards,
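
The openssl check suggested in the reply above, as an added example that is not part of the original thread. It builds a constructed CA, a look-alike CA with the same subject name but a different key, and a client certificate in a temporary directory, then reports how each exported CA file is encoded and whether the client certificate chains to it. All file names and subject names are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. File and subject names are constructed.

# Print how an exported certificate file is encoded: PEM (Base64), DER or INVALID.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
       openssl x509 -in "$1" -noout 2>/dev/null; then
        echo PEM
    elif openssl x509 -in "$1" -inform DER -noout 2>/dev/null; then
        echo DER
    else
        echo INVALID
    fi
}

# verify_chain CLIENT ROOT [ISSUING]: exit 0 only if CLIENT chains to ROOT.
verify_chain() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# Build a throwaway lab: the real CA, a look-alike CA (same name, other key),
# a client certificate issued by the real CA, plus DER and damaged exports.
make_lab() {
    d=$(mktemp -d) || return 1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Corp CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    for ca in ca lookalike; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/ca.cnf" \
            -keyout "$d/$ca.key" -out "$d/$ca.pem" >/dev/null 2>&1 || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=constructed-laptop.example" \
        -keyout "$d/client.key" -out "$d/client.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 2 -out "$d/client.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$d/ca.pem" -outform DER -out "$d/ca.der" || return 1
    sed '3d' "$d/ca.pem" > "$d/ca_damaged.pem"   # drop one Base64 line
    echo "$d"
}

lab=$(make_lab) || exit 1
for f in ca.pem ca.der ca_damaged.pem; do
    echo "$f: $(cert_format "$lab/$f")"
done
verify_chain "$lab/client.pem" "$lab/ca.pem" && echo "client chains to ca.pem"
verify_chain "$lab/client.pem" "$lab/lookalike.pem" || echo "client does NOT chain to lookalike.pem"
rm -rf "$lab"
```

Against real exports, call `cert_format` on the CA file before importing it and `verify_chain` with the client certificate and that CA file; a non-zero result means the client certificate was not issued by the CA in that file.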

  • ISE MAB authentication license usage

    Hello all. If I need ISE to authenticate wireless user MAC addresses (MAC Address bypass) in order to facilitate central web authentication - does every concurrent device MAC address that accesses my guest wireless SSID and gets forwarded to ISE for authentication use up a license?
    I have many users with smart phones and tablets that have the guest wireless SSID profile already saved and automatically connect to the guest SSID when in range. Most of these users do not go on to log in via central web authentication, but their MAC addresses get forwarded to ISE for authentication. Does ISE use up a license per MAC address?
    Thanks,

    Hello-
    Please take a look at the following link:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_d_man_license.html
    So, in your situation, a license will be consumed even though the user never authenticates. This is because a license is consumed as soon as a session hits a rule in your AAA ISE policies. However, you can see from the document that as soon as the session times out the endpoint would free the license. If for some reason an "accounting-stop" message is not received then after 5 days of inactivity the system will automatically free the license.
    Hope this helps!
    Thank you for rating helpful posts!

  • Third party application retrieve live authentication info from ACS40

    We have ACS40 in place authenticating users and machines. There is another separate key application in our network, which will grant access to authenticated user only. How can ACS forward/share the live authentication information with other application? Please share your ideas.
    Thanks,
    Lahki

    Hi
    Live authentication data will appear in the passed and failed authentication logs. In ACS these can be logged locally and/or remotely.
    If you have an appliance you're probably stuck with syslog, however if you have s/w ACS ODBC logging could inject the data directly in your applications database.

  • Customize live authentications dashboard

    Hello,
    is it possible to customize the live auth dashboard to see only the failed authentications? Also is it possible to extend the view and to see the last 100 failed authentications? The filters one can apply to the live authentications dashboard do not give me those options.

    Not as far as I can see but you can be a little clever.
    For example, you can definitely choose to view the last 100 entries. That is a standard option (click the screwdriver to select).
    But to see failed auth (in your case) you could filter on Authentication does not contain MSCHAPv2.
    Looking at your screenshot that should give you a list of failures.
    The ACSview add on to 5.x is certainly a nice feature that just missed on a lot of customisation options.
    Paul

  • ACS 5.4 Can't see device name in "Live Authentication"

    Hello,
    under dashboard I activated "Live Authentication". Under register card "General" I can see the IP address of the switch (authenticator) but not the name. The IP address is not listed under IP Address but under NAD.
    Under AAA Protocol > RADIUS Authentication it is perfect. Network device and IP address are listed correctly.
    Is there a way to see NAD in Dashboard?
    Regards Horst

    Hi,
    in the attachment, you can see the IP addresses of the switches (authenticator) in the column of NAD but not in the column of IP Address.
    If you open the Authentication-RADIUS-Today the name and the IP address of the authenticator can be seen.
    I would like to see the IP address and the name of the network device.
    Regards Horst

  • Cisco ISE 1.1.3: PS not shown in Admin Node and no live authentications

    Dear folks,
    I have a distributed deployment of ISE. 4 appliances, two are Admin and Monitoring while the remaining two are Policy Server.
    Policy Nodes are showing down... But, actually they are running and working fine. Clients are being authenticated.
    I checked the services "show application status ise", all are fine.
    Any thoughts...
    Thanks,
    Regards,
    Mubasher Sultan

    I believe that the following link would help you with your query.
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_troubleshooting.html#wp1035890
    Moreover, I feel that there could be various reasons for this kind of issue, as in:
    1. Incorrect System time and NTP server settings
    2. The server certificate operations have not been performed directly on each individual node
    3. The switch is not transmitting RADIUS accounting packets (attributes) to the RADIUS server.
    The above three may be a reason, please check and revert if they actually are the reason for PSN to be down.

  • ISE machine authentication timeout

    Hi all,
    We have a ISE infrastructure and we have enabled user and machine authentication through EAP-TLS.
    Everything is working fine except that every 1 hour user must log off and login again because machine authentication has, I think, expired!
    As you can imagine this is unacceptable. I saw that the machine restriction age is only 1 hour and changed it to 8 hours.
    My question is if machine restarts at 7 hours past first successful authentication will the timer reset or after an hour will be kicked and have to log off and in again?
    How have you bypassed the timeout of mar cache?
    My ISE version is 1.2 with 2 patches installed
    Thank you
    Sent from Cisco Technical Support iPad App

    Hi
    Cisco ISE contains a Machine Access Restriction (MAR) component that provides an additional means of controlling authorization for Microsoft Active Directory-authentication users. This form of authorization is based on the machine authentication of the computer used to access the Cisco ISE network. For every successful machine authentication, Cisco ISE caches the value that was received in the RADIUS Calling-Station-ID attribute (attribute 31) as evidence of a successful machine authentication.
    Cisco ISE retains each Calling-Station-ID attribute value in cache until the number of hours that was configured in the "Time to Live" parameter in the Active Directory Settings page expires. Once the parameter has expired, Cisco ISE deletes it from its cache.
    When a user authenticates from an end-user client, Cisco ISE searches the cache for a Calling-Station-ID value from successful machine authentications for the Calling-Station-ID value that was received in the user authentication request. If Cisco ISE finds a matching user-authentication Calling-Station-ID value in the cache, this affects how Cisco ISE assigns permissions for the user that requests authentication in the following ways:
    • If the Calling-Station-ID value matches one found in the Cisco ISE cache, then the authorization profile for a successful authorization is assigned.
    • If the Calling-Station-ID value is not found to match one in the Cisco ISE cache, then the authorization profile for a successful user authentication without machine authentication is assigned.

  • Windows live authentication required

    please please help. When I got my nokia c3 I set it up on windows live to log on to my emails, this worked well, but I reset my password on laptop and put new password on phone, now it's asking for authentication required, how do I do this? I've been on to my provider which is 02..but it's still not doing it.???.. do I need to do something on my live account to activate..please help it's doing my head in big time

    I phoned nokia for help, n after a lot of do this do that we ended up doing full factory restore, (thought that had sorted it) but when I did restore on memory card it was back again arghhhhhh....I change password on windows live ..I can get in there fine but not on my c3

  • ISE Not Authenticating Against RSA SecurID

    In the process of integrating ISE 1.2 into our environment with the eventual intent to replace ACS 5.x and having a challenge adding an RSA SecurID server as an external identity source.
    In ACS, we would create an internal user but configure the password to be handled externally and uses PAP or whatever to communicate with RSA.
    I don't see this option in ISE, only to use the RSA SecurID as a direct Identity Source, the problem is that if I try to authenticate to ISE using a device such as an iPhone, which is using MS-CHAPv2 by default, it produces an error in the authentication logs that the device is using a protocol not supported by the identity source.
    So what is the proper way to configure ISE to allow users to authenticate with a one-time-password against RSA SecurID?

    check the following link for Integrating Cisco ISE with RSA SecurID Server
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1080334
