Reports
Cisco ISE Reports
Cisco Identity Services Engine (ISE) reports are used with monitoring and troubleshooting features to analyze trends and to monitor system performance and network activities from a central location.
Cisco ISE collects log and configuration data from across the network. It then aggregates the data into reports for you to view and analyze. Cisco ISE provides a standard set of predefined reports that you can use and customize to fit your needs.
Cisco ISE reports are preconfigured and grouped into logical categories with information related to authentication, session traffic, device administration, configuration and administration, and troubleshooting.
Run and View Reports
This section describes how to run, view, and navigate reports using Reports View. You can specify time increments over which to display data in a report.
Reports Navigation
You can get detailed information from the reports output. For example, if you have generated a report for a period of five months, the graph and table will list the aggregate data for the report in a scale of months.
You can click a particular value from the table to see another report related to this particular field. For example, an authentication summary report will display the failed count for the user or user group. When you click the failed count, an authentication summary report is opened for that particular failed count.
Export Reports
You can export report data to an Excel spreadsheet as a comma-separated values (.csv) file. After you export the data, you will receive an email detailing the location of the report.
You cannot export the following reports:
Note: You can export report data to a .csv format only from the Primary Administration Node (PAN).
Schedule and Save Cisco ISE Reports
You can customize a report and save the changes as a new report, or restore the default report settings.
You can also customize and schedule Cisco ISE reports to run and re-run at a specific time or at specific time intervals. You can also send and receive email notifications once the reports are generated.
You cannot schedule the following reports:
Note: You can save or schedule (customize) Cisco ISE reports only from the PAN.
After saving a report, when you go back to the saved report, all the filter options are checked by default. You need to uncheck the filters that you do not wish to use.
Add Favorite Reports
You can add preconfigured system reports to your favorites list, as well as reports that you have customized.
You can add reports that you use frequently to a list of favorites to make them easier to find, similar to how you bookmark favorite websites in a browser. You can view and edit the parameters of your favorite reports, and then save the customized reports for reuse.
Cisco ISE Active RADIUS Sessions
Cisco ISE provides a dynamic Change of Authorization (CoA) feature for the Live Sessions that allows you to dynamically control active RADIUS sessions. You can send reauthenticate or disconnect requests to a Network Access Device (NAD) to perform the following tasks:
- Troubleshoot issues related to authentication: You can use the Session reauthentication option to follow up with an attempt to reauthenticate again. However, you must not use this option to restrict access. To restrict access, use the shutdown option.
- Block a problematic host: You can use the Session termination with port shutdown option to block an infected host that sends a lot of traffic over the network. However, the RADIUS protocol does not currently support a method for re-enabling a port that has been shut down.
- Force endpoints to reacquire IP addresses: You can use the Session termination with port bounce option for endpoints that do not have a supplicant or client to generate a DHCP request after a VLAN change.
- Push an updated authorization policy to an endpoint: You can use the Session reauthentication option to enforce an updated policy configuration, such as a change in the authorization policy on existing sessions based on the discretion of the administrator. For example, if posture validation is enabled, when an endpoint gains access initially, it is usually quarantined. After the identity and posture of the endpoint are known, it is possible to send the Session reauthentication command to the endpoint for the endpoint to acquire the actual authorization policy based on its posture.
For CoA commands to be understood by the device, it is important that you configure the options appropriately.
For CoA to work properly, you must configure the shared secret of each device that requires a dynamic change of authorization. Cisco ISE uses the shared secret configuration to request access from the device and issue CoA commands to it.
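Why the shared secret has to match on both sides, as an added example that is not Cisco ISE code: a receiving device following RFC 5176 recomputes the Request Authenticator of a Disconnect-Request or CoA-Request from its own configured secret and discards the request when the values differ. The secrets, MAC address, session ID and function names below are constructed for illustration.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes for dynamic authorization requests.
DISCONNECT_REQUEST = 40
COA_REQUEST = 43
# Standard attribute types used to identify the session (RFC 2865 / RFC 2866).
CALLING_STATION_ID = 31
ACCT_SESSION_ID = 44


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def request_authenticator(code: int, ident: int, attrs: bytes, secret: bytes) -> bytes:
    """MD5(code + id + length + 16 zero octets + attributes + shared secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def build_request(code: int, ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Sender side: the packet the policy server puts on the wire."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + request_authenticator(code, ident, attrs, secret) + attrs


def verify_request(packet: bytes, secret: bytes) -> bool:
    """Receiver side: accept only requests signed with the configured secret."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in (DISCONNECT_REQUEST, COA_REQUEST) or length != len(packet):
        return False
    expected = request_authenticator(code, ident, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


# Constructed sample values: the secret, MAC address and session ID are made up.
ISE_SECRET = b"constructed-shared-secret"
SESSION_ATTRS = (attr(CALLING_STATION_ID, b"00-11-22-33-44-55")
                 + attr(ACCT_SESSION_ID, b"0000002A"))

if __name__ == "__main__":
    pkt = build_request(DISCONNECT_REQUEST, 7, SESSION_ATTRS, ISE_SECRET)
    print("matching secret:  ", verify_request(pkt, ISE_SECRET))
    print("mismatched secret:", verify_request(pkt, b"different-secret"))
    print("tampered packet:  ", verify_request(pkt[:-1] + b"B", ISE_SECRET))
```

A request that fails this check is dropped by the receiver, which is why a secret mismatch between Cisco ISE and a device shows up as CoA commands that never take effect.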
Note: In this release of Cisco ISE, the maximum number of active authenticated endpoint sessions that can be displayed is limited to 100,000.
Change Authorization for RADIUS Sessions
Some Network Access Devices on your network may not send an Accounting Stop or Accounting Off packet after a reload. As a result, you might find two sessions in the Session Directory reports, one of which has expired.
To dynamically change the authorization of an active RADIUS session or disconnect an active RADIUS session, be sure to choose the most recent session.
Available Reports
The following table lists the preconfigured reports, grouped according to their category. Descriptions of the report functionality and logging category are also provided.
The AAA Diagnostics report provides details of all network sessions between Cisco ISE and users. If users cannot access the network, you can review this report to identify trends and identify whether the issue is isolated to a particular user or indicative of a more widespread problem.
Choose and select these logging categories: Policy Diagnostics, Identity Stores Diagnostics, Authentication Flow Diagnostics, and RADIUS Diagnostics.
The RADIUS Authentications report enables you to review the history of authentication failures and successes. If users cannot access the network, you can review the details in this report to identify possible causes.
Choose and select these logging categories: Passed Authentications and Failed Attempts.
The RADIUS Errors report enables you to check for RADIUS Requests Dropped (authentication/accounting requests discarded from unknown Network Access Device), EAP connection timeouts, and unknown NADs.
The RADIUS Accounting report identifies how long users have been on the network. If users are losing network access, you can use this report to identify whether Cisco ISE is the cause of the network connectivity issues.
The Authentication Summary report is based on the RADIUS authentications. It enables you to identify the most common authentications and the reason for any authentication failures. For example, if one Cisco ISE server is handling significantly more authentications than others, you might want to reassign users to different Cisco ISE servers to better balance the load.
The OCSP Monitoring Report specifies the status of the Online Certificate Status Protocol (OCSP) services. It identifies whether Cisco ISE can successfully contact a certificate server and provides certificate status auditing. It provides a summary of all the OCSP certificate validation operations performed by Cisco ISE. It retrieves information related to the good and revoked primary and secondary certificates from the OCSP server. Cisco ISE caches the responses and utilizes them for generating subsequent OCSP Monitoring Reports. In the event the cache is cleared, it retrieves information from the OCSP server.
AD Connector Operations
The AD Connector Operations report provides a log of operations performed by AD Connector, such as Cisco ISE Server password refresh, Kerberos tickets management, DNS queries, DC discovery, LDAP, and RPC Connections management.
If some AD failures are encountered, you can review the details in this report to identify the possible causes.
Choose and select AD Connector.
Identity Mapping
The Identity Mapping report enables you to monitor the state of WMI connection to the domain controller and gather statistics related to it (such as the number of notifications received and the number of user logins/logouts per second).
Choose and select Identity Mapping.
The Administrator Logins report provides information about all GUI-based administrator login events as well as successful CLI login events.
The Internal Administrator Summary report enables you to verify the entitlement of administrator users. From this report, you can also access the Administrator Logins and Change Configuration Audit reports, which enable you to view these details for each administrator.
The Change Configuration Audit report provides details about configuration changes within a specified time period. If you need to troubleshoot a feature, this report can help you determine if a recent configuration change contributed to the problem.
The Secure Communications Audit report provides auditing details about security-related events in Cisco ISE Admin CLI, which includes authentication failures, possible break-in attempts, SSH logins, failed passwords, SSH logouts, invalid user accounts, and so on.
The Operations Audit report provides details about any operational changes, such as running backups, registering a Cisco ISE node, or restarting an application.
The System Diagnostic report provides details about the status of the Cisco ISE nodes. If a Cisco ISE node is unable to register, you can review this report to troubleshoot the issue. This report requires that you first enable several diagnostic logging categories. Collecting these logs can negatively impact Cisco ISE performance. So, these categories are not enabled by default, and you should enable them just long enough to collect the data. Otherwise, they are automatically disabled after 30 minutes.
Choose and select these logging categories: Internal Operations Diagnostics, Distributed Management, Administrator Authentication and Authorization.
The Health Summary report provides details similar to the Dashboard. However, the Dashboard only displays data for the past 24 hours, and you can review more historical data using this report. You can evaluate this data to see consistent patterns in data. For example, you would expect heavier CPU usage when most employees start their work days. If you see inconsistencies in these trends, you can identify potential problems.
The Network Device Session Status Summary report enables you to display the switch configuration without logging into the switch directly. Cisco ISE accesses these details using an SNMP query and requires that your network devices are configured with SNMP v1/v2c. If a user is experiencing network issues, this report can help you identify if the issue is related to the switch configuration rather than with Cisco ISE.
The Data Purging Audit report records when the logging data is purged. This report reflects two sources of data purging. At 4 AM daily, Cisco ISE checks whether there are any logging files that meet the criteria you have set on the Administration > Maintenance > Data Purging page. If so, the files are deleted and recorded in this report. Additionally, Cisco ISE continually maintains a maximum of 80% used storage space for the log files. Every hour, Cisco ISE verifies this percentage and deletes the oldest data until it reaches the 80% threshold again. This information is also recorded in this report.
pxGrid Administrator Audit
The pxGrid Administrator Audit report provides the details of the pxGrid administration actions such as client registration, client deregistration, client approval, topic creation, topic deletion, publisher-subscriber addition, and publisher-subscriber deletion on the PAN. Every record has the name of the administrator who performed the action on the node. You can filter the pxGrid Administrator Audit report based on the administrator and message criteria.
The Misconfigured Supplicants report provides a list of misconfigured supplicants along with the statistics for failed attempts performed by a specific supplicant. If you take corrective action and fix the misconfigured supplicant, the report displays a fixed acknowledgment.
The Misconfigured NAS report provides information about NADs with an inaccurate accounting frequency, typically NADs that send accounting information frequently. If you take corrective action and fix the misconfigured NADs, the report displays a fixed acknowledgment.
The Client Provisioning report indicates the client provisioning agents applied to particular endpoints. You can use this report to verify the policies applied to each endpoint to verify whether the endpoints have been correctly provisioned.
Choose and select Posture and Client Provisioning Audit and Posture and Client Provisioning Diagnostics.
The Current Active Sessions report enables you to export a report with details about who was currently on the network within a specified time period. If a user isn't getting network access, you can see whether the session is authenticated or terminated or if there is another problem with the session.
The Endpoint Protection Service Adaptive Network Control Audit report is based on the RADIUS accounting. It displays historical reporting of all network sessions for each endpoint.
Choose and select Passed Authentications and RADIUS Accounting.
The External Mobile Device Management report provides details about integration between Cisco ISE and the external Mobile Device Management (MDM) server. You can use this report to see which endpoints have been provisioned by the MDM server without logging into the MDM server directly. It also displays information such as registration and MDM-compliance status.
Choose and select MDM.
The Posture Detail Assessment report provides details about posture compliance for a particular endpoint. If an endpoint previously had network access and then suddenly was unable to access the network, you can use this report to determine if a posture violation occurred.
Choose and select Posture and Client Provisioning Audit and Posture and Client Provisioning Diagnostics.
The Profiled Endpoint Summary report provides profiling details about endpoints that are accessing the network.
The Top Authorization by Endpoint (MAC address) report displays how many times each endpoint MAC address was authorized by Cisco ISE to access the network.
The Top Authorization by User report displays how many times each user was authorized by Cisco ISE to access the network.
The User Change Password Audit report displays verification about employees' password changes.
The Supplicant Provisioning report provides details about the supplicants provisioned to employees' personal devices.
The Registered Endpoints report displays all personal devices registered by employees.
Endpoints Purge Activities
The Endpoints Purge Activities report enables the user to review the history of endpoints purge activities. This report requires that the Profiler logging category is enabled. It is enabled by default.
Choose and select Profiler.
Guest Access Reports
AUP Acceptance Status
The AUP Acceptance Status report provides details of AUP acceptances from all the Guest portals.
Choose and select Guest.
Sponsor Login and Audit
The Sponsor Login and Audit report provides details of guest users' login, add, delete, enable, suspend, and update operations and the login activities of the sponsors at the sponsors portal. If guest users are added in bulk, they are visible under the column 'Guest Users.' This column is hidden by default. On export, these bulk users are also present in the exported file.
Choose and select Guest.
My Devices Login and Audit
The My Devices Login and Audit report provides details about the login activities and the operations performed by the users on the devices in My Devices Portal.
Choose and select My Devices.
Master Guest Report
The Master Guest Report combines data from various Guest Access reports and enables you to export data from different reporting sources. The Master Guest report also provides details about the websites that guest users are visiting. You can use this report for security auditing purposes to demonstrate when guest users accessed the network and what they did on it. You must also enable HTTP inspection on the network access device (NAD) used for guest traffic. This information is sent back to Cisco ISE by the NAD. To check when the clients reach the maximum simultaneous sessions limit, from the Admin portal, choose Administration > System > Logging > Logging Categories and do the following:
Guest Accounting
The Guest Accounting report is a subset of the RADIUS Accounting report. All users assigned to the Activated Guest or Guest identity groups appear in this report.
The RBACL Drop Summary report is specific to the TrustSec feature, which is available only with an Advanced Cisco ISE license. This report also requires that you configure the network devices to send NetFlow events for dropped events to Cisco ISE. If a user violates a particular policy or access, packets are dropped and indicated in this report.
The Top N RBACL Drops By User report is specific to the TrustSec feature, which is available only with an Advanced Cisco ISE license. This report also requires that you configure the network devices to send NetFlow events for dropped events to Cisco ISE. This report displays policy violations (based on packet drops) by specific users.