Cisco Identity Services Engine Administrator Guide, Release 2.2

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Cisco Identity Services Engine Administrator Guide, Release 2.2

Chapter Title

Operations User Interface Reference

Results

Updated:
January 31, 2017

Chapter: Operations User Interface Reference

Operations User Interface Reference

RADIUS Live Logs

The following table describes the fields in the Live logs window that displays the recent RADIUS authentications. The navigation path for this page is: Operations > RADIUS > Live Logs. Note that you can view the RADIUS live logs only in the Primary PAN.

Table 1. RADIUS Live Logs

Field Name

Description

Time

Shows the time at which the log was received by the monitoring and troubleshooting collection agent. This column is required and cannot be deselected.

Status

Shows if the authentication succeeded or failed. This column is mandatory and cannot be deselected. Green is used to represent passed authentications. Red is used to represent failed authentications.

Details

Clicking the icon under the Details column opens the Authentication Detail Report in a new browser window. This report offers information about authentication and related attributes, and authentication flow. In the Authentication Details box, Response Time is the total time it takes Cisco ISE to process the authentication flow. For example, if authentication consists of three roundtrip messages that took 300 ms for the initial message, 150 ms for the next message, and 100 ms for the last, Response Time is 300 + 150 + 100 = 550 ms.

Note 

You cannot view the details for endpoints that are active for more than 48 hours. You will see a window with the following message when you click the Details icon for endpoints that are active for more than 48 hours: No Data available for this record. Either the data is purged or authentication for this session record happened a week ago. Or if this is an 'PassiveID' or 'PassiveID Visibility' session, it will not have authentication details on ISE but only the session.

Repeat Count

Shows the number of time the authentication requests were repeated in the last 24 hours, without any change in the context of identity, network devices, and authorization.

Identity

Shows the logged in username that is associated with the authentication.

Endpoint ID

Shows the unique identifier for an endpoint, usually a MAC or IP address.

Endpoint Profile

Shows the type of endpoint that is profiled, for example, profiled to be an iPhone, Android, MacBook, Xbox, and so on.

Authentication Policy

Shows the name of the policy selected for specific authentication.

Authorization Policy

Shows the name of the policy selected for specific authorization.

Authorization Profiles

Shows the authorization profile that was used for authentication.

IP Address

Shows the IP address of the endpoint device.

Network Device

Shows the IP address of the Network Access Device.

Device Port

Shows the port number at which the endpoint is connected.

Identity Group

Shows the identity group that is assigned to the user or endpoint, for which the log was generated.

Posture Status

Shows the status of posture validation and details on the authentication.

Server

Indicates the policy service from which the log was generated.

MDM Server Name

Shows the name of the MDM server.

Event

Shows the event status.

Failure Reason

Shows the detailed reason for failure, if the authentication failed.

Auth Method

Shows the authentication method that is used by the RADIUS protocol, such as Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAPv2), IEE 802.1x or dot1x, and so on.

Authentication Protocol

Shows the authentication protocol used, such as Protected Extensible Authentication Protocol (PEAP), Extensible Authentication Protocol (EAP), and so on.

Security Group

Shows the group that is identified by the authentication log.

Session ID

Shows the session ID.


Note

In the RADIUS Live Logs and TACACS+ Live Logs window, a Queried PIP entry appears for the first attribute of each policy authorization rule. If all the attributes within the authorization rule are related to a dictionary that was already queried for previous rules, no additional Queried PIP entry appears.

You can do the following in the RADIUS Live Logs window:

  • Export the data in CSV or PDF format.

  • Show or hide the columns based on your requirements.

  • Filter the data using the quick or custom filter. You can also save your filters for later use.

  • Rearrange the columns and adjust the width of the columns.

  • Sort the column values.


Note

All the user customizations are stored as user preferences.

RADIUS Live Sessions

The following table describes the fields in the RADIUS Live Sessions window, which displays live authentications. The navigation path for this page is: Operations > RADIUS > Live Sessions. You can view the RADIUS live sessions only in the Primary PAN.

Table 2. RADIUS Live Sessions

Field Name

Description

Initiated

Shows the timestamp when the session was initiated.

Updated

Shows the timestamp when the session was last updated because of a change.

Account Session Time

Shows the time span (in seconds) of a user's session.

Session Status

Shows the current status of an endpoint device.

Action

Click the Actions icon to reauthenticate an active RADIUS session or disconnect an active RADIUS session.

Repeat Count

Shows the number of times a user or endpoint is reauthenticated.

Endpoint ID

Shows the unique identifier for an endpoint, usually a MAC or IP address.

Identity

Shows the username of an endpoint device.

IP Address

Shows the IP address of an endpoint device.

Audit Session ID

Shows a unique session identifier.

Account Session ID

Shows a unique ID provided by a network device.

Endpoint Profile

Shows the endpoint profile for a device.

Posture Status

Shows the status of posture validation and details of the authentication.

Security Group

Shows the group that is identified by the authentication log.

Server

Indicates the Policy Service node from which the log was generated.

Auth Method

Shows the authentication method that is used by the RADIUS protocol, such as Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), IEE 802.1x or dot1x, and so on.

Authentication Protocol

Shows the authentication protocol used, such as Protected Extensible Authentication Protocol (PEAP), Extensible Authentication Protocol (EAP), and so on.

Authentication Policy

Shows the name of the policy selected for specific authentication.

Authorization Policy

Shows the name of the policy selected for specific authorization.

Authorization Profiles

Shows an authorization profile that was used for authentication.

NAS IP Address

Shows the IP address of a network device.

Device Port

Shows the connected port to a network device.

PRA Action

Shows the periodic reassessment action taken on a client after it is successfully postured for compliance on your network.

ANC Status

Adaptive Network Control status of a device as Quarantine, Unquarantine, or Shutdown.

WLC Roam

Shows the boolean (Y/N) used to track if an endpoint has been handed off during roaming, from one Wireless Lan Controller (WLC) to another. It has the value of cisco-av-pair=nas-update =Y or N.

Note 

Cisco ISE relies on the nas-update=true attribute from WLC to identify whether the session is in roaming state. When the original WLC sends an accounting stop attribute with nas-update=true, the session is not deleted in ISE to avoid reauthentication. If roaming fails, ISE clears the session after five days of inactivity.

Packets In

Shows the number of packets received.

Packets Out

Shows the number of packets sent.

Bytes In

Shows the number of bytes received.

Bytes Out

Shows the number of bytes sent.

Session Source

Indicates whether it is a RADIUS session or a Passive ID session.

User Domain Name

Shows the registered DNS name of a user.

Host Domain Name

Shows the registered DNS name of a host.

User NetBIOS Name

Shows the NetBIOS name of a user.

Host NetBIOS Name

Shows the NetBIOS name of a host.

License Type

Shows the type of license used, Base, Plus, Apex, or Plus and Apex.

License Details

Shows the license details.

Provider

Endpoint events are learned from different syslog sources. These syslog sources are referred to as providers.

  • Windows Management Instrumentation (WMI): WMI is a Windows service that provides a common interface and object model to access management information about operating system, devices, applications, and services.

  • Agent: A program that runs on a client on behalf of the client or another program.

  • Syslog: A logging server to which a client sends event messages.

  • REST: A client is authenticated through a terminal server. The TS Agent ID, Source Port Start, Source Port End, and Source First Port values are displayed for this syslog source.

  • Span: Network information is discovered using span probes.

  • DHCP: DHCP event.

  • Endpoint

Note 

When two events from different providers are learned or obtained from an endpoint session, the providers are displayed as comma-separated values in the Live Sessions window.

MAC Address

Shows the MAC address of a client.

Endpoint Check Time

Shows the time at which an endpoint was last checked by the endpoint probe.

Endpoint Check Result

Shows the result of an endpoint probe. The possible values are:

  • Unreachable

  • User Logout

  • Active User

Source Port Start

(Values are displayed only for the REST provider) Shows the first port number in a port range.

Source Port End

(Values are displayed only for the REST provider) Shows the last port number in a port range.

Source First Port

(Values are displayed only for the REST provider) Shows the first port allocated by the Terminal Server Agent.

A Terminal Server refers to a server or network device that allows multiple endpoints to connect to it without a modem or network interface and facilities the connection of the multiple endpoints to a LAN network. The multiple endpoints appear to have the same IP address, and therefore, it is difficult to identify the IP address of a specific user. Consequently, to identify a specific user, a Terminal Server Agent is installed in the server, which allocates a port range to each user. This helps create an IP address-port user mapping.

TS Agent ID

(Values are displayed only for the REST provider) Shows the unique identity of the Terminal Server Agent that is installed on an endpoint.

AD User Resolved Identities

(Values are displayed only for AD user) Shows the potential accounts that matched.

AD User Resolved DNs

(Values are displayed only for AD user) Shows the Distinguished Name of AD user, for example, CN=chris,CN=Users,DC=R1,DC=com

TACACS Live Logs

The following table describes the fields in the TACACS Live Logs window that displays the TACACS+ AAA details. The navigation path for this page is: Operations > TACACS > Live Logs. You can view the TACACS live logs only in the Primary PAN.

Table 3. TACACS Live Logs

Field Name

Usage Guidelines

Generated Time

Shows the syslog generation time based on when a particular event was triggered.

Logged Time

Shows the time when the syslog was processed and stored by the Monitoring node. This column is mandatory and cannot be deselected.

Status

Shows if the authentication succeeded or failed. This column is required and cannot be deselected. Green is used to represent passed authentications. Red is used to represent failed authentications.

Details

Brings up a report when you click the magnifying glass icon, allowing you to drill down and view more detailed information about the selected authentication scenario. This column is required and cannot be deselected.

Session Key

Shows the session keys (found in the EAP success or EAP failure messages) returned by ISE to the network device.

Username

Shows the user name of the device administrator. This column is required and cannot be deselected.

Type

Consists of two Types—Authentication and Authorization. Shows names of users who have passed or failed authentication, authorization, or both. This column is mandatory and cannot be deselected.

Authentication Policy

Shows the name of the policy selected for specific authentication.

Authorization Policy

Shows the name of the policy selected for specific authorization.

ISE Node

Shows the name of the ISE node through which the access request is processed.

Network Device Name

Shows the names of network devices.

Network Device IP

Shows the IP addresses of network devices whose access requests are processed.

Network Device Groups

Shows the name of corresponding network device groups to which a network device belongs.

Device Type

Shows the device type policy used to process access requests from different network devices.

Location

Shows the location-based policy used to process access requests from network devices.

Device Port

Shows the device port number through which the access request is made.

Failure Reason

Shows the reason for rejecting an access request made by a network device.

Remote Address

Shows the IP address, MAC address, or any other string that uniquely identifies the end station.

Matched Command Set

Shows the MatchedCommandSet attribute value if it is present, or an empty value if the MatchedCommandSet attribute value is empty or the attribute itself does not exist in the syslog.

Shell Profile

Shows the privileges that were granted to a device administrator for executing commands on the network device.

You can do the following in the TACACS Live Logswindow:

  • Export the data in CSV or PDF format.

  • Show or hide the columns based on your requirements.

  • Filter the data using quick or custom filter. You can also save your filters for later use.

  • Rearrange the columns and adjust the width of the columns.

  • Sort the column values.


Note
All the user customizations are stored as user preferences.

Diagnostic Tools

RADIUS Authentication Troubleshooting Settings

The following table describes the fields on the RADIUS authentication troubleshooting page which allow you to identify and resolve RADIUS authentication problems. The navigation path for this page is: Operations > Troubleshoot > Diagnostic Tools > General Tools > RADIUS Authentication Troubleshooting.

Table 4. RADIUS Authentication Troubleshooting Settings

Option

Usage Guidelines

Username

Enter the username of the user whose authentication you want to troubleshoot.

MAC Address

Enter the MAC address of the device that you want to troubleshoot.

Audit Session ID

Enter the audit session ID that you want to troubleshoot.

NAS IP

Enter the NAS IP address.

NAS Port

Enter the NAS port number.

Authentication Status

Choose the status of your RADIUS authentication.

Failure Reason

Enter the failure reason or click Select to choose a failure reason from a list. Click Clear to clear the failure reason.

Time Range

Select a time range. The RADIUS authentication records that are created during this time range are used.

Start Date-Time

If you choose Custom Time Range, enter the start date and time, or click the calendar icon to select the start date and time. The date should be in the mm/dd/yyyy format and time in the hh:mm format.

End Date-Time

If you choose Custom Time Range, enter the end date and time, or click the calendar icon to select the end date and time. The date should be in the mm/dd/yyyy format and time in the hh:mm format.

Fetch Number of Records

Choose the number of records that you want to fetch from the drop-down list: 10, 20, 50, 100, 200, or 500.

Execute Network Device Command Settings

The following table describes the fields on the Execute Network Device Command page, which you use to execute the show command on a network device. The navigation path for this page is: Operations > Troubleshoot > Diagnostic Tools > General Tools > Execute Network Device.

Table 5. Execute Network Device Command Settings

Option

Usage Guidelines

Enter Information

Network Device IP

Enter the IP address of the network device on which you want to run the command.

Command

Enter the show command.

Evaluate Configuration Validator Settings

The following table describes the fields on the Evaluate Configuration Validator page, which you use to evaluate the configuration of a network device and identify any configuration problems. The navigation path for this page is: Operations > Troubleshoot > Diagnostic Tools > General Tools > Evaluate Configuration Validator.

Table 6. Evaluate Configuration Validator Settings

Option

Usage Guidelines

Enter Information

Network Device IP

Enter the IP address of the network device whose configuration you want to evaluate.

Select the configuration items below that you want to compare against the recommended template.

AAA

This option is selected by default.

RADIUS

This option is selected by default.

Device Discovery

This option is selected by default.

Logging

This option is selected by default.

Web Authentication

Check this check box to compare the web authentication configuration.

Profiler Configuration

Check this check box to compare the Profiler configuration.

Trustsec

Check this check box if you want to compare Trustsec configuration.

802.1X

Check this check box if you want to compare the 802.1X configuration, and choose one of the available options.

Posture Troubleshooting Settings

The following table describes the fields on the Posture troubleshooting window, which you use to find and resolve posture problems on the network. The navigation path for this window is: Operations > Troubleshoot > Diagnostic Tools > General Tools > Posture Troubleshooting.

Table 7. Posture Troubleshooting Settings

Field Name

Usage Guidelines

Search and Select a Posture event for troubleshooting

Username

Enter the username to filter on.

MAC Address

Enter the MAC address to filter on, using format: xx-xx-xx-xx-xx-xx

Posture Status

Select the authentication status to filter on:

Failure Reason

Enter the failure reason or click Select to choose a failure reason from a list. Click Clear to clear the failure reason.

Time Range

Select a time range. The RADIUS authentication records that are created during this time range are used.

Start Date-Time:

(Available only when you choose Custom Time Range) Enter the start date and time, or click the calendar icon to select the start date and time. The date should be in the mm/dd/yyyy format and time in the hh:mm format.

End Date-Time:

(Available only when you choose Custom Time Range) Enter the end date and time, or click the calendar icon to select the start date and time. The date should be in the mm/dd/yyyy format and time in the hh:mm format.

Fetch Number of Records

Select the number of records to display: 10, 20, 50, 100, 200, 500

Search Result

Time

Time of the event

Status

Posture status

Username

User name associated with the event

MAC Address

MAC address of the system

Failure Reason

Failure reason for the event

TCP Dump Settings

The following table describes the fields on the tcpdump utility page, which you use to monitor the contents of packets on a network interface and troubleshoot problems on the network as they appear. The navigation path for this page is: Operations > Troubleshoot > Diagnostic Tools > General Tools > TCP Dump.

Table 8. TCP Dump Settings

Option

Usage Guidelines

Status

  • Stopped—the tcpdump utility is not running

  • Start—Click to start the tcpdump utility monitoring the network.

  • Stop—Click to stop the tcpdump utility

Host Name

Choose the name of the host to monitor from the drop-down list.

Network Interface

Choose the network interface to monitor from the drop-down list.

Note 

You must configure all network interface cards (NICs) with an IPv4 or IPv6 address so that they are displayed in the Cisco ISE Admin portal.

Promiscuous Mode

  • On—Click to turn on promiscuous mode (default).

  • Off—Click to turn off promiscuous mode.

Promiscuous mode is the default packet sniffing mode. It is recommended that you leave it set to On. In this mode the network interface is passing all traffic to the system’s CPU.

Filter

Enter a boolean expression on which to filter. Supported standard tcpdump filter expressions:

ip host 10.77.122.123

ip host 10.77.122.123 and not 10.177.122.119

ip host ISE123

Format

Select a format for the tcpdump file.

Dump File

Displays data on the last dump file, such as the following:

Last created on Wed Apr 27 20:42:38 UTC 2011 by admin 


File size: 3,744 bytes
Format: Raw Packet Data
Host Name: Positron
Network Interface: GigabitEthernet 0
Promiscuous Mode: On

  • Download—Click to download the most recent dump file.

  • Delete—Click to delete the most recent dump file.

SXP-IP Mappings

The following table describes the fields on the SXP-IP mappings page, which you use to compare mappings between a device and its peers. The navigation path for this page is: Operations > Troubleshoot > Diagnostic Tools > Trustsec Tools > SXP-IP Mappings.

Peer SXP Devices

Table 9. Peer SXP Devices for SXP-IP Mappings

Option

Usage Guidelines

Peer SXP Devices

Peer IP Address

IP address of the peer SXP device.

VRF

The VRF instance of the peer device.

Peer SXP Mode

The SXP mode of the peer device; for example, whether it is a speaker or a listener.

Self SXP Mode

The SXP mode of the network device; for example, whether it is a speaker or a listener.

Connection State

The status of the connection.

Common Connection Parameters

User Common Connection Parameters

Check this check box to enable common connection parameters for all the peer SXP devices.

Note 

If the common connection parameters are not specified or if they do not work for some reason, the Expert Troubleshooter again prompts you for connection parameters for that particular peer device.

Username

Enter the username of the peer SXP device.

Password

Enter the password to gain access to the peer device.

Protocol

  • Choose the protocol.

    Note 

    Telnet is the default option. If you choose SSHv2, you must ensure that SSH connections are enabled on the network device.

Port

  • Enter the port number. The default port number for Telnet is 23 and SSH is 22.

Enable Password

Enter the enable password if it is different from your login password.

Same as login password

Check this check box if your enable password is the same as your login password.

IP User SGT

The following table describes the fields on the IP User SGT page, which you use to compare IP-SGT values on a device with an ISE assigned SGT. The navigation path for this page is: Operations > Troubleshoot > Diagnostic Tools > TrustSec Tools > IP User SGT.

Table 10. IP User SGT

Option

Usage Guidelines

Enter Information

Network Device IP

Enter the IP address of the network device.

Filter Results

Username

Enter the username of the user whose records you want to troubleshoot.

User IP Address

Enter the IP address of the user whose records you want to troubleshoot.

SGT

Enter the user SGT value.

Device SGT Settings

The following table describes the fields on the Device SGT page, which you use to compare the device SGT with the most recently assigned value. The navigation path for this page is: Operations > Troubleshoot > Diagnostic Tools > Trustsec Tools > Device SGT.

Table 11. Device SGT Settings

Option

Usage Guidelines

Enter Information

Network Device IPs (comma-separated list)

Enter the network device IP addresses (whose device SGT you want to compare with an ISE-assigned device SGT) separated by commas.

Common Connection Parameters

Use Common Connection Parameters

Select this check box to use the following common connection parameters for comparison:

  • Username—Enter the username of the network device.

  • Password—Enter the password.

  • Protocol—Choose the protocol.

    Note 

    Telnet is the default option. If you choose SSHv2, SSH connections must be enabled on the network device.

  • Port—Enter the port number. The default port number for Telnet is 23 and SSH is 22.

Enable Password

Enter the enable password if it is different from your login password.

Same as login password

Select this check box if your enable password is the same as your login password.

Progress Details Settings

The following table describes the fields on the Progress Details page, which is displayed when you click the User Input Required button in any of the diagnostic tools. This page displays detailed troubleshooting information. The navigation path for this page is: Operations > Troubleshoot > Diagnostic Tools > Any Diagnostic Tool.

Table 12. Progress Details Settings

Option

Usage Guidelines

Specify Connection Parameters for Network Device a.b.c.d

Username

Enter the username for logging in to the network device.

Password

Enter the password.

Protocol

Choose the protocol.

Note 

Telnet is the default option. If you choose SSHv2, you must ensure that SSH connections are enabled on the network device.

Port

Enter the port number.

Enable Password

Enter the enable password.

Same As Login Password

Check this check box if the enable password is the same as the login password.

Use Console Server

Select this check box to use the console server.

Console IP Address

(If the Use Console Server check box is selected) Enter the console IP address.

Advanced (Use if there is an “Expect timeout error” or the device has non-standard prompt strings)

Note 

The Advanced options appear only for some of the troubleshooting tools.

Username Expect String

Enter the string that the network device uses to prompt for username; for example, Username:, Login:, and so on.

Password Expect String

Enter the string that the network device uses to prompt for password; for example, Password:.

Prompt Expect String

Enter the prompt that the network device uses. For example, #, >, and @.

Authentication Failure Expect String

Enter the string that the network device returns when there is an authentication failure; for example, Incorrect password, Login invalid, and so on.

Results Summary

The following table describes the fields on the results summary page, which is displayed as a result when you use any diagnostic tool.

Table 13. RADIUS Authentication Troubleshooting Results Summary

Option

Usage Guidelines

Diagnosis and Resolution

Diagnosis

The diagnosis for the problem is listed here.

Resolution

The steps for resolution of the problem are detailed here.

Troubleshooting Summary

Summary

A step-by-step summary of troubleshooting information is provided here. You can expand any step to view further details.

Any configuration errors are indicated by red text.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco