Maintain and Monitor

Adaptive Network Control

Adaptive Network Control (ANC) is a service that runs on the Administration node and is used for monitoring and controlling the network access of endpoints. ANC can be invoked by the ISE administrator from the Admin GUI and also through pxGrid from third-party systems. ANC supports wired and wireless deployments and requires a Plus License.

You can use ANC to change the authorization state without having to modify the overall authorization policy of the system. ANC allows you to set the authorization state when you quarantine an endpoint as a result of established authorization policies where authorization policies are defined to check for ANCPolicy to limit or deny network access. You can unquarantine an endpoint for full network access. You can also shut down the port on the network attached system (NAS) that disconnects the endpoint from the network.

There are no limits to the number of users that can be quarantined at one time, and there are no time constraints on the length of the quarantine period.

You can perform the following operations to monitor and control network access through ANC:

  • Quarantine—Allows you to use Exception policies (authorization policies) to limit or deny an endpoint's access to the network. You must create Exception policies that assign different authorization profiles (permissions) depending on the ANCPolicy. Setting the Quarantine state essentially moves an endpoint from its default VLAN to a specified Quarantine VLAN. The Quarantine VLAN must be defined beforehand and must be supported on the same NAS as the endpoint.

  • Unquarantine—Allows you to reverse the quarantine status, which returns the endpoint to its original VLAN and permits it full access to the network.

  • Shutdown—Allows you to deactivate a port on the NAS and disconnect the endpoint from the network. Once the port to which an endpoint is connected is shut down on the NAS, you must manually reset the port on the NAS before an endpoint can connect to the network again. This operation is not available for wireless deployments.

Quarantine and unquarantine operations can be triggered from the session directory reports for active endpoints.


Note

If a quarantined session is unquarantined, the initiation method for a newly unquarantined session depends on the authentication method that is specified by the switch configuration.


Enable Adaptive Network Control in Cisco ISE

ANC is disabled by default. It gets enabled only when pxGrid is enabled and it remains enabled until you manually disable the service in the Admin portal.

Configure Network Access Settings

ANC allows you to reset the network access status of an endpoint to quarantine, unquarantine, or shut down a port; the network access status then determines the authorization to the network.

You can quarantine or unquarantine endpoints, or shut down the network access server (NAS) ports to which endpoints are connected, by using their endpoint IP addresses or MAC addresses. You can perform quarantine and unquarantine operations on the same endpoint multiple times, provided they are not performed simultaneously. If you discover a hostile endpoint on your network, you can shut down the endpoint’s access, using ANC to close the NAS port.

To assign an ANC policy to an endpoint:

Before you begin

  • You must enable ANC.

  • You must create authorization profiles and Exception type authorization policies for ANC.

Procedure


Step 1

Choose Operations > Adaptive Network Control > Policy List.

Step 2

Click Add.

Step 3

Enter a name for the ANC policy and specify the ANC action. The following options are available:

  • Quarantine
  • Shut_Down

  • Port_Bounce

You can select one or multiple actions, but you cannot combine Shut_Down and Port_Bounce with the other ANC actions.

Step 4

Choose Policy > Policy Sets, and expand the policy set.

Step 5

Associate the ANC policy with the corresponding authorization policy by using the ANCPolicy attribute.

Step 6

Choose Operations > Adaptive Network Control > Endpoint Assignment.

Step 7

Click Add.

Step 8

Enter the IP address or MAC address of the endpoint and select the policy from the Policy Assignment drop-down list.

Step 9

Click Submit.


Create Authorization Profiles for Network Access through ANC

You must create an authorization profile for use with ANC; the authorization profile then appears in the list of Standard Authorization Profiles. An endpoint can be authenticated and authorized on the network while its network access is restricted.

Procedure


Step 1

Choose Policy > Policy Elements > Authorization > Authorization Profiles.

Step 2

Click Add.

Step 3

Enter a unique name and description for the authorization profile, and leave the Access Type as ACCESS_ACCEPT.

Step 4

Check the DACL Name check box, and choose DENY_ALL_TRAFFIC from the drop-down list.

Step 5

Click Submit.


Exception authorization policies are intended for authorizing limited access to meet special conditions or permissions, or an immediate requirement. For ANC authorization, you must create a quarantine exception policy that is processed before all standard authorization policies. You must create an exception rule with the following condition: Session:ANCPolicy EQUALS Quarantine.
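The two rules above (an ANC policy may not combine Shut_Down or Port_Bounce with other actions, and the quarantine exception rule must be evaluated before the standard authorization rules) can be modelled in a few lines. The following is an added example written for this page, not Cisco ISE code: the rule names, the identity group, the session dictionary and the profile names other than DENY_ALL_TRAFFIC are constructed, and the reading that Shut_Down or Port_Bounce must be the only action when chosen is an interpretation of the text.

```python
from dataclasses import dataclass
from typing import Dict, List

# ANC actions offered on the Policy List page (names as on the page).
# Assumption: if Shut_Down or Port_Bounce is chosen it must be the only action.
EXCLUSIVE_ACTIONS = {"Shut_Down", "Port_Bounce"}
ANC_ACTIONS = {"Quarantine"} | EXCLUSIVE_ACTIONS


def validate_anc_actions(actions: List[str]) -> bool:
    """True if the action set is one the ANC policy page would accept."""
    chosen = set(actions)
    if not chosen or not chosen <= ANC_ACTIONS:
        return False
    return not (chosen & EXCLUSIVE_ACTIONS and len(chosen) > 1)


@dataclass
class Rule:
    name: str
    conditions: Dict[str, str]   # every attribute must EQUAL the given value
    profile: str                 # authorization profile (container of permissions)


# Hypothetical authorization profiles. The quarantine profile carries the
# DENY_ALL_TRAFFIC dACL described in the procedure above.
PROFILES = {
    "ANC_Quarantine_Profile": {"access_type": "ACCESS_ACCEPT", "dacl": "DENY_ALL_TRAFFIC"},
    "PermitAccess": {"access_type": "ACCESS_ACCEPT", "dacl": None},
    "DenyAccess": {"access_type": "ACCESS_REJECT", "dacl": None},
}

# Exception rule with the condition the page requires, and one constructed standard rule.
EXCEPTION_RULES = [Rule("ANC_Quarantine", {"Session:ANCPolicy": "Quarantine"}, "ANC_Quarantine_Profile")]
STANDARD_RULES = [Rule("Employees", {"IdentityGroup": "Employee"}, "PermitAccess")]


def authorize(session_attrs, exception_rules=EXCEPTION_RULES, standard_rules=STANDARD_RULES):
    """First matching rule wins; exception rules are evaluated before standard rules."""
    for rule in list(exception_rules) + list(standard_rules):
        if all(session_attrs.get(attr) == value for attr, value in rule.conditions.items()):
            return rule.name, rule.profile
    return "Default", "DenyAccess"


def apply_anc_policy(session_attrs, anc_policy_name):
    """Model of an ANC endpoint assignment: the policy name is attached to the session as
    Session:ANCPolicy, and after the CoA the reauthentication is authorized against it."""
    updated = dict(session_attrs)
    updated["Session:ANCPolicy"] = anc_policy_name
    return updated


def clear_anc_policy(session_attrs):
    """Model of unquarantine: the attribute is removed and the standard rules apply again."""
    updated = dict(session_attrs)
    updated.pop("Session:ANCPolicy", None)
    return updated


if __name__ == "__main__":
    session = {"MAC": "aa:bb:cc:dd:ee:ff", "IdentityGroup": "Employee"}   # constructed session
    print(authorize(session))                                             # standard rule matches
    print(authorize(apply_anc_policy(session, "Quarantine")))             # exception rule wins
    # If the quarantine rule were placed after the standard rules instead, the employee rule
    # would match first and the quarantine would never take effect:
    print(authorize(apply_anc_policy(session, "Quarantine"), [], STANDARD_RULES + EXCEPTION_RULES))
```

The last call in the usage block is the reason the page insists on an exception policy: with first-match evaluation, a quarantine rule that sits behind a permissive standard rule is never reached.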

ANC Quarantine and Unquarantine Flow

You can quarantine selected endpoints with ANC, to limit their access to the network. You can quarantine endpoints and establish exception authorization policies that assign different authorization profiles, depending on the status. An authorization profile acts as a container for permissions that you define in the authorization policies that allow access to specified network services. When the authorization is complete, the permissions are granted for a network access request. If the endpoint is then validated, you can unquarantine the endpoint to allow it full access to the network.

This figure illustrates the quarantine flow, which assumes that authorization rules have been configured and the ANC session has been established.

Figure 1. ANC Quarantine Flow

  1. A client device logs onto the network through a wireless device (WLC), and a quarantine REST API call is issued from the Administration node (PAP) to the Monitoring node (MnT).

  2. The Monitoring node then calls PrRT through the Policy Services ISE node (PDP) to invoke a CoA.

  3. The client device is disconnected.

  4. The client device then reauthenticates and reconnects.

  5. A RADIUS request for the client device is sent back to the Monitoring node.

  6. The client device is quarantined while the check is made.

  7. The Q-Profile authorization policy is applied, and the client device is validated.

  8. The client device is unquarantined, and allowed full access to the network.

ANC NAS Port Shutdown Flow

You can shut down the NAS port to which an endpoint is connected by using the endpoint IP address or MAC address.

Shutdown allows you to close a NAS port based on a specified IP address or MAC address, and you have to manually reinstate the port to bring the endpoint back onto the network. This operation is effective only for endpoints that are connected through wired media.

Shutdown may not be supported on all devices. Most switches should support the shut down command, however. You can use the getResult() command to verify that the shutdown executed successfully.

This figure illustrates the ANC shutdown flow. For the client device in the illustration, the shutdown operation is performed on the NAS that the client device uses to access the network.

Figure 2. ANC Shutdown Flow

Endpoints Purge Settings

You can define the Endpoint Purge Policy by configuration rules based on identity groups and other conditions using Administration > Identity Management > Settings > Endpoint Purge. You can choose not to purge specified endpoints and to purge endpoints based on selected profiling conditions.

You can schedule an endpoint purge job. This endpoint purge schedule is enabled by default. Cisco ISE, by default, deletes endpoints and registered devices that are older than 30 days. The purge job runs at 1 AM every day based on the time zone configured in the Primary PAN.

Endpoint purge deletes 5000 endpoints every three minutes.

The following are some of the conditions with examples you can use for purging the endpoints:

  • InactivityDays— Number of days since last profiling activity or update on endpoint.

    • This condition purges stale devices that have accumulated over time, commonly transient guest or personal devices, or retired devices. These endpoints tend to represent noise in most deployments because they are no longer active on the network and are unlikely to be seen in the near future. If they do connect again, they are rediscovered, profiled, registered, and so on, as needed.

    • When there are updates from an endpoint, InactivityDays is reset to 0 only if profiling is enabled.

  • ElapsedDays—Number of days since the endpoint object was created.

    • This condition can be used for endpoints that have been granted unauthenticated or conditional access for a set time period, such as a guest or contractor endpoint, or employees leveraging webauth for network access. After the allowed connect grace period, they must be fully reauthenticated and registered.

  • PurgeDate—Date to purge the endpoint.

    • This option can be used for special events or groups where access is granted for a specific time, regardless of creation or start time. This allows all endpoints to be purged at the same time. For example, a trade show, a conference, or a weekly training class with new members each week, where access is granted for a specific week or month rather than an absolute number of days, weeks, or months.
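The three purge conditions, the note that an update resets InactivityDays only when profiling is enabled, the option to exclude specified endpoints, and the 5000-endpoints-per-three-minutes batching can be put together in one model. The following is an added example written for this page and is not Cisco ISE's purge implementation: the endpoint records, identity group names, rule values and the "protected groups" exclusion are constructed, and the first-match rule semantics is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Endpoint:
    mac: str
    identity_group: str
    created: date                      # when the endpoint object was created
    last_update: date                  # last profiling activity or update
    purge_date: Optional[date] = None  # explicit PurgeDate, if any


def inactivity_days(ep: Endpoint, today: date) -> int:
    return (today - ep.last_update).days


def elapsed_days(ep: Endpoint, today: date) -> int:
    return (today - ep.created).days


def record_update(ep: Endpoint, today: date, profiling_enabled: bool) -> None:
    """An update from the endpoint resets InactivityDays to 0 only if profiling is enabled."""
    if profiling_enabled:
        ep.last_update = today


@dataclass
class PurgeRule:
    identity_group: Optional[str]   # None means the rule applies to every identity group
    condition: str                  # "InactivityDays", "ElapsedDays" or "PurgeDate"
    value: Optional[int] = None     # threshold in days; unused for PurgeDate


def rule_matches(rule: PurgeRule, ep: Endpoint, today: date) -> bool:
    if rule.identity_group not in (None, ep.identity_group):
        return False
    if rule.condition == "InactivityDays":
        return inactivity_days(ep, today) > rule.value
    if rule.condition == "ElapsedDays":
        return elapsed_days(ep, today) > rule.value
    if rule.condition == "PurgeDate":
        return ep.purge_date is not None and today >= ep.purge_date
    raise ValueError(f"unknown purge condition {rule.condition!r}")


def select_for_purge(endpoints: List[Endpoint], rules: List[PurgeRule], today: date,
                     protected_groups=frozenset()) -> List[str]:
    """MACs to purge: any rule matching the endpoint selects it, unless its group is protected."""
    return [ep.mac for ep in endpoints
            if ep.identity_group not in protected_groups
            and any(rule_matches(rule, ep, today) for rule in rules)]


def purge_batches(macs: List[str], batch_size: int = 5000) -> List[List[str]]:
    """Split the purge list as the page describes: 5000 endpoints every three minutes."""
    return [macs[i:i + batch_size] for i in range(0, len(macs), batch_size)]


# Constructed sample data; the date and groups are not from a real deployment.
TODAY = date(2024, 6, 1)
ENDPOINTS = [
    Endpoint("00:11:22:33:44:01", "GuestEndpoints", date(2024, 4, 1), date(2024, 4, 15)),
    Endpoint("00:11:22:33:44:02", "Workstation", date(2023, 1, 1), date(2024, 5, 30)),
    Endpoint("00:11:22:33:44:03", "Contractor", date(2024, 5, 1), date(2024, 5, 31)),
    Endpoint("00:11:22:33:44:04", "TradeShow", date(2024, 5, 28), date(2024, 5, 30), date(2024, 5, 31)),
    Endpoint("00:11:22:33:44:05", "Printers", date(2022, 1, 1), date(2023, 1, 1)),
]
RULES = [
    PurgeRule(None, "InactivityDays", 30),        # stale devices in any group
    PurgeRule("Contractor", "ElapsedDays", 30),   # time-boxed conditional access
    PurgeRule("TradeShow", "PurgeDate"),          # everyone out on a fixed date
]
PROTECTED = frozenset({"Printers"})               # "choose not to purge specified endpoints"

if __name__ == "__main__":
    print(select_for_purge(ENDPOINTS, RULES, TODAY, PROTECTED))
    print(len(purge_batches(select_for_purge(ENDPOINTS, RULES, TODAY, PROTECTED))))
```

The printer endpoint shows why an exclusion is worth configuring: by inactivity alone it would be the first candidate for deletion, yet a rarely seen but legitimate device is exactly the one an administrator does not want to re-register.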

Quarantined Endpoints Do Not Renew Authentication Following Policy Change

Problem

Authentication has failed following a change in policy or additional identity and no reauthentication is taking place. Authentication fails or the endpoint in question remains unable to connect to the network. This issue often occurs on client machines that are failing posture assessment per the posture policy that is assigned to the user role.

Possible Causes

The authentication timer setting is not correctly set on the client machine, or the authentication interval is not correctly set on the switch.

Solution

There are several possible resolutions for this issue:

  1. Check the Session Status Summary report in Cisco ISE for the specified NAD or switch, and ensure that the interface has the appropriate authentication interval configured.

  2. Enter “show running configuration” on the NAD/switch and ensure that the interface is configured with an appropriate “authentication timer restart” setting. (For example, “authentication timer restart 15,” and “authentication timer reauthenticate 15.”)

  3. Try entering “interface shutdown” and “no shutdown” to bounce the port on the NAD/switch and force reauthentication following a potential configuration change in Cisco ISE.


Note

Because CoA requires a MAC address or session ID, we recommend that you do not bounce the port that is shown in the Network Device SNMP report.


ANC Operations Fail when IP Address or MAC Address is not Found

An ANC operation that you perform on an endpoint fails when an active session for that endpoint does not contain information about the IP address. This also applies to the MAC address and session ID for that endpoint.


Note

When you want to change the authorization state of an endpoint through ANC, you must provide the IP address or the MAC address for the endpoint. If the IP address or the MAC address is not found in the active session for the endpoint, then you will see the following error message: No active session found for this MAC address, IP Address or Session ID.

Externally Authenticated Administrators Cannot Perform ANC Operations

If an externally authenticated administrator tries to issue CoA-Quarantine from a live session, Cisco ISE returns the following error message:

CoA Action of Quarantine for xx:xx:xx:xx:xx:xx can not be initiated. (Cause:User not found internally. Possible use of unsupported externally authenticated user

If an externally authenticated administrator performs an ANC operation from Operations > Adaptive Network Control in the Cisco ISE Admin portal using the IP address or MAC address of the endpoint, Cisco ISE returns the following error message:

Server failure: User not found internally. Possible use of unsupported externally authenticated user

Cisco ISE Software Patches

Cisco ISE software patches are usually cumulative. Cisco ISE allows you to perform patch installation and rollback from CLI or GUI.

You can install patches on Cisco ISE servers in your deployment from the Primary PAN. To install a patch from the Primary PAN, you must download the patch from Cisco.com to the system that runs your client browser.

If you are installing the patch from the GUI, the patch is automatically installed on the Primary PAN first. The system then installs the patch on the other nodes in the deployment in the order listed in the GUI. You cannot control the order in which the nodes are updated. You can also manually install, roll back, and view the patch version from the Administration > System > Maintenance > Patch Management window in the GUI.

If you are installing the patch from the CLI, you can control the order in which the nodes are updated. However, we recommend that you install the patch on the Primary PAN first.

If you want to validate the patch on some of the nodes before upgrading the entire deployment, you can use the CLI to install the patch on selected nodes. Use the following CLI command to install the patch:
patch install <patch_bundle> <repository_that_stores_patch_file>

For more information, see the "install Patch" section in the "Cisco ISE CLI Commands in EXEC Mode" chapter in Cisco Identity Services Engine CLI Reference Guide.

You can install the required patch version directly. For example, if you are currently using Cisco ISE 2.x and would like to install Cisco ISE 2.x patch 5, you can directly install Cisco ISE 2.x patch 5, without installing the previous patches (in this example, Cisco ISE 2.x patches 1 – 4). To view the patch version in the CLI, use the following CLI command:
show version

Software Patch Installation Guidelines

When you install a patch on an ISE node, the node is rebooted after the installation is complete. You might have to wait for a few minutes before you can log in again. You can schedule patch installations during a maintenance window to avoid temporary outage.

Ensure that you install patches that are applicable for the Cisco ISE version that is deployed in your network. Cisco ISE reports any mismatch in versions as well as any errors in the patch file.

You cannot install a patch with a version that is lower than the patch that is currently installed on Cisco ISE. Similarly, you cannot roll back changes of a lower-version patch if a higher version is currently installed on Cisco ISE. For example, if patch 3 is installed on your Cisco ISE servers, you cannot install or roll back patch 1 or 2.

When you install a patch from the Primary PAN that is part of a distributed deployment, Cisco ISE installs the patch on the primary node and then all the secondary nodes in the deployment. If the patch installation is successful on the Primary PAN, Cisco ISE then continues patch installation on the secondary nodes. If it fails on the Primary PAN, the installation does not proceed to the secondary nodes. However, if the installation fails on any of the secondary nodes for any reason, it still continues with the next secondary node in your deployment.

When you install a patch from the Primary PAN that is part of a two-node deployment, Cisco ISE installs the patch on the primary node and then on the secondary node. If the patch installation is successful on the Primary PAN, Cisco ISE then continues patch installation on the secondary node. If it fails on the Primary PAN, the installation does not proceed to the secondary node.

Install a Software Patch

Before you begin

  • You must have the Super Admin or System Admin administrator role assigned.

  • Go to Administration > System > Deployment > PAN Failover, and ensure that the Enable PAN Auto Failover check box is unchecked. The PAN auto-failover configuration must be disabled for the duration of this task.

Procedure


Step 1

Choose Administration > System > Maintenance > Patch Management > Install.

Step 2

Click Browse and choose the patch that you downloaded from Cisco.com.

Step 3

Click Install to install the patch.

After the patch is installed on the PAN, Cisco ISE logs you out and you have to wait for a few minutes before you can log in again.

Note 

When patch installation is in progress, Show Node Status is the only function that is accessible on the Patch Management page.

Step 4

Choose Administration > System > Maintenance > Patch Management to return to the Patch Installation page.

Step 5

Click the radio button next to the patch that you have installed on any secondary node and click Show Node Status to verify whether installation is complete.


What to do next

If you need to install the patch on one or more secondary nodes, ensure that the nodes are up and repeat the process to install the patch on the remaining nodes.

Roll Back Software Patches

When you roll back a patch from the PAN that is part of a deployment with multiple nodes, Cisco ISE rolls back the patch on the primary node and then all the secondary nodes in the deployment.

Before you begin

  • You must have either the Super Admin or System Admin administrator role assigned.

Procedure


Step 1

Choose Administration > System > Maintenance > Patch Management.

Step 2

Click the radio button for the patch version whose changes you want to roll back and click Rollback.

Note 

When a patch rollback is in progress, Show Node Status is the only function that is accessible on the Patch Management page.

After the patch is rolled back from the PAN, Cisco ISE logs you out and you have to wait a few minutes before you can log in again.

Step 3

After you log in, click the Alarms link at the bottom of the page to view the status of the rollback operation.

Step 4

Choose Administration > System > Maintenance > Patch Management.

Step 5

To view the progress of the patch rollback, choose the patch in the Patch Management page and click Show Node Status.

Step 6

Click the radio button for the patch and click Show Node Status on a secondary node to ensure that the patch is rolled back from all the nodes in your deployment.

If the patch is not rolled back from any of the secondary nodes, ensure that the node is up and repeat the process to roll back the changes from the remaining nodes. Cisco ISE only rolls back the patch from the nodes that still have this version of the patch installed.


Software Patch Rollback Guidelines

To roll back a patch from Cisco ISE nodes in a deployment, you must first roll back the change from the PAN. If this is successful, the patch is then rolled back from the secondary nodes. If the rollback process fails on the PAN, the patches are not rolled back from the secondary nodes. However, if the patch rollback fails on any secondary node, it still continues to roll back the patch from the next secondary node in your deployment.

While Cisco ISE rolls back the patch from the secondary nodes, you can continue to perform other tasks from the PAN GUI. The secondary nodes will be restarted after the rollback.

View Patch Install and Rollback Changes

To view reports related to installed patches, perform the following steps.

Before you begin

You must have either the Super Admin or System Admin administrator role assigned. You can install or rollback patches in the Administration > System > Maintenance > Patch Management page. You can also view the status (installed/in-progress/not installed) of a particular patch on each node in the deployment, by selecting a specific patch and clicking the Show Node Status button.

Procedure


Step 1

Choose Operations > Reports > Audit > Operations Audit. By default, records for the last seven days are displayed.

Step 2

Click the Filter drop-down, choose Quick Filter or Advanced Filter, and use the required keyword, for example, patch install initiated, to generate a report containing the installed patches.


Backup Data Type

Cisco ISE allows you to back up data from the Primary PAN and from the Monitoring node. Backups can be performed from the CLI or the user interface.

Cisco ISE allows you to back up the following type of data:

  • Configuration data—Contains both application-specific and Cisco ADE operating system configuration data. You can back it up from the Primary PAN using the GUI or the CLI.

  • Operational data—Contains monitoring and troubleshooting data. You can back it up from the Primary PAN GUI, or from the CLI of the Monitoring node.

When Cisco ISE is run on VMware, VMware snapshots are not supported for backing up ISE data.


Note

Cisco ISE does not support VMware snapshots for backing up ISE data because a VMware snapshot saves the state of a VM at a given point in time. In a multi-node Cisco ISE deployment, the data on all the nodes is continuously synchronized with the current database information. Restoring a snapshot might cause database replication and synchronization issues. Cisco recommends that you use the backup functionality included in Cisco ISE for archival and restoration of data.

Using VMware snapshots or any third-party backup to back up ISE data results in stopping Cisco ISE services. When a backup is initiated by VMware or any third party like CommVault SAN level backup, it quiesces the file system to maintain crash consistency, which causes ISE to freeze. A reboot is required to resume the services on ISE.

Example: VM snapshots, CommVault SAN level backup, etc.


A restore can be performed with backup files from a previous version of Cisco ISE onto a later version. For example, a backup taken from a Cisco ISE Release 1.3 or 1.4 node can be restored on Cisco ISE Release 2.1.

Cisco ISE, Release 2.4 supports restore from backups obtained from Release 2.0 and later.

Backup and Restore Repositories

Cisco ISE allows you to create and delete repositories through the Admin portal. You can create the following types of repositories:

  • DISK

  • FTP

  • SFTP

  • NFS

  • CD-ROM

  • HTTP

  • HTTPS


Note

Repositories are local to each device.


We recommend a minimum repository size of 100 GB for all types of deployment (small, medium, and large).

Create Repositories

You can use the CLI and GUI to create repositories. We recommend that you use the GUI due to the following reasons:

  • Repositories that are created through the CLI are saved locally and do not get replicated to the other deployment nodes. These repositories do not get listed in the GUI’s repository page.

  • Repositories that are created on the Primary PAN get replicated to the other deployment nodes.

The keys are generated only on the Primary PAN through the GUI, so during an upgrade you must generate the keys again from the GUI of the new primary administration node and export them to the SFTP server. If you take nodes out of the deployment, you must generate the keys from the GUI of those non-admin nodes and export them to the SFTP server.

You can configure an SFTP repository in Cisco ISE with RSA public key authentication. Instead of using an administrator-created password to encrypt the database and logs, you can choose the RSA public key authentication that uses secure keys. In case of SFTP repository created with RSA public key, the repositories created through the GUI do not get replicated in the CLI and the repositories created through the CLI do not get replicated in the GUI. To configure same repository on the CLI and GUI, generate RSA public keys on both CLI and GUI and export both the keys to the SFTP server.

Before you begin

  • To perform the following task, you must be a Super Admin or System Admin.

  • If you want to create an SFTP repository with RSA public key authentication, ensure that you:

    • Enable RSA public key authentication in the SFTP repository.

    • Enter the host key of the SFTP server from the Cisco ISE CLI using the crypto host_key add command. The host key string should match the hostname that you enter in the Path field of the repository configuration page.

    • Generate the key pairs and export the public key to your local system from the GUI. From the Cisco ISE CLI, generate the key pairs using the crypto key generate rsa passphrase test123 command, where the passphrase must be longer than four characters, and export the keys to any repository (local disk or any other configured repository).

    • Copy the exported RSA public key to the PKI-enabled SFTP server and add it to the "authorized_keys" file.

Procedure


Step 1

Choose Administration > System > Maintenance > Repository.

Step 2

Click Add to add a new repository.

Step 3

Enter the values as required to set up new repository. See Repository Settings for a description of the fields.

Step 4

Click Submit to create the repository.

Step 5

Verify that the repository is created successfully by clicking Repository in the Operations navigation pane on the left or click the Repository List link at the top of this page to go to the repository listing page.


What to do next

  • Ensure that the repository that you have created is valid. You can do so from the Repository listing page. Select the repository and click Validate. Alternatively, you can execute the following command from the Cisco ISE command-line interface:

    show repository repository_name

    where repository_name is the name of the repository that you have created.


    Note

    If the path that you provided while creating the repository does not exist, then you will get the following error: %Invalid Directory.


  • Run an on-demand backup or schedule a backup.

Repository Settings

The following table describes the fields on the Repository List page, which you can use to create repositories to store your backup files. The navigation path for this page is: Administration > System > Maintenance > Repository.

Table 1. Repository Settings

Fields

Usage Guidelines

Repository

Enter the name of the repository. Alphanumeric characters are allowed and the maximum length is 80 characters.

Protocol

Choose one of the available protocols that you want to use.

Server Name

(Required for TFTP, HTTP, HTTPS, FTP, SFTP, and NFS) Enter the hostname or IPv4 address of the server where you want to create the repository.

Note 

Ensure that the ISE eth0 interface is configured with an IPv6 address if you are adding a repository with an IPv6 address.

Path

Enter the path to your repository. The path must be valid and must exist at the time you create the repository.

This value can start with two forward slashes (//) or a single forward slash (/) denoting the root directory of the server. However, for the FTP protocol, a single forward slash (/) denotes the FTP user's home directory and not the root directory.

Enable PKI authentication

(Optional; applicable only for SFTP repository) Check this check box if you want to enable RSA Public Key Authentication in SFTP repository.

User Name

(Required for FTP, SFTP, and NFS) Enter the username that has write permission to the specified server. Only alphanumeric characters are allowed.

Password

(Required for FTP, SFTP, and NFS) Enter the password that will be used to access the specified server. Passwords can consist of the following characters: 0 through 9, a through z, A through Z, -, ., |, @, #,$, %, ^, &, *, (, ), +, and =.

Enable RSA Public Key Authentication in SFTP Repository

In the SFTP server, each node must have two RSA public keys, one each for CLI and for GUI. To enable RSA public key authentication in SFTP repository:

Procedure


Step 1

Log in to the SFTP server with an account that has permission to edit the /etc/ssh/sshd_config file.

Note 

The location of the sshd_config file might vary based on the operating system installation.

Step 2

Enter the vi /etc/ssh/sshd_config command.

The contents of the sshd_config file are displayed.

Step 3

Remove the "#" symbol from the following lines to enable RSA public key authentication:

  • RSAAuthentication yes

  • PubkeyAuthentication yes

    Note 

    If PubkeyAuthentication is set to no, change it to yes.

  • AuthorizedKeysFile ~/.ssh/authorized_keys
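The edit described in Steps 2 and 3 is easy to get subtly wrong by hand: a directive can be commented out, set to no, present twice (sshd honours the first occurrence), or missing altogether. The following is an added example, not part of this guide or of any Cisco tool: it normalizes a copy of sshd_config to the three directive values the page lists and reports which of them are not yet in effect. The sample file contents are constructed.

```python
import re

# Directive values the procedure above asks for, exactly as the page lists them.
REQUIRED = {
    "RSAAuthentication": "yes",
    "PubkeyAuthentication": "yes",
    "AuthorizedKeysFile": "~/.ssh/authorized_keys",
}
# sshd keywords are case-insensitive; map lowercase -> canonical spelling.
CANONICAL = {name.lower(): name for name in REQUIRED}


def effective_settings(config_text: str) -> dict:
    """First active (uncommented) occurrence of each keyword wins, as in sshd."""
    settings = {}
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        key = parts[0].lower()
        if key not in settings:
            settings[key] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def missing_directives(config_text: str) -> list:
    """Required directives whose effective value differs from what the page asks for."""
    effective = effective_settings(config_text)
    return [name for name, value in REQUIRED.items() if effective.get(name.lower()) != value]


def enable_pubkey_auth(config_text: str) -> str:
    """Return the config with the three directives active and set to the required values.
    Handles a commented-out line, a 'no' value, a later duplicate and a missing directive."""
    seen = set()
    out = []
    for line in config_text.splitlines():
        m = re.match(r"^\s*#?\s*([A-Za-z]+)\b", line)
        key = m.group(1).lower() if m else None
        if key in CANONICAL:
            name = CANONICAL[key]
            if name not in seen:
                seen.add(name)
                out.append(f"{name} {REQUIRED[name]}")     # uncomment and set the value
            elif line.lstrip().startswith("#"):
                out.append(line)                           # already a comment, keep it
            else:
                out.append("#" + line)                     # later duplicate: sshd would ignore it
            continue
        out.append(line)
    for name, value in REQUIRED.items():                   # append anything not found at all
        if name not in seen:
            out.append(f"{name} {value}")
    return "\n".join(out) + "\n"


# Constructed sample; not copied from any real server.
SAMPLE_SSHD_CONFIG = """\
# Constructed sample sshd_config
Port 22
#RSAAuthentication yes
PubkeyAuthentication no
#AuthorizedKeysFile ~/.ssh/authorized_keys
PasswordAuthentication yes
"""

if __name__ == "__main__":
    print("before:", missing_directives(SAMPLE_SSHD_CONFIG))
    fixed = enable_pubkey_auth(SAMPLE_SSHD_CONFIG)
    print(fixed)
    print("after:", missing_directives(fixed))
```

Run `missing_directives` against the server's file before and after the edit (and again after `sshd -t` and a reload) rather than trusting the edit by eye. One caveat for current servers: OpenSSH 7.4 and later removed SSH protocol 1, and sshd logs `RSAAuthentication` as a deprecated option and ignores it; `PubkeyAuthentication yes` is the directive that actually enables the RSA public key login the repository needs.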


On-Demand and Scheduled Backups

You can configure on-demand backups of the Primary PAN and the primary Monitoring node. Perform an on-demand backup when you want to back up data immediately.

You can schedule system-level backups to run once, daily, weekly, or monthly. Because backup operations can be lengthy, you can schedule them so they are not a disruption. You can schedule a backup from the Admin portal.


Note

If you are using the internal CA, you must use the CLI to export certificates and keys. Backup in the Administration portal does not backup the CA chain.

For more information, see the "Export Cisco ISE CA Certificates and Keys" section in the "Basic Setup" chapter of the Cisco Identity Services Engine Administrator Guide.


Perform an On-Demand Backup

You can perform an on-demand backup to immediately back up the configuration or monitoring (operational) data. The restore operation restores Cisco ISE to the configuration state that existed at the time the backup was taken.


Important

When performing a backup and restore, the restore overwrites the list of trusted certificates on the target system with the list of certificates from the source system. It is critically important to note that backup and restore functions do not include private keys associated with the Internal Certificate Authority (CA) certificates.

If you are performing a backup and restore from one system to another, you will have to choose from one of these options to avoid errors:

  • Option 1:

    Export the CA certificates from the source ISE node through the CLI and import them in to the target system through the CLI.

    Pros: Any certificates issued to endpoints from the source system will continue to be trusted. Any new certificates issued by the target system will be signed by the same keys.

    Cons: Any certificates that have been issued by the target system prior to the restore function will not be trusted and will need to be re-issued.

  • Option 2:

    After the restore process, generate all new certificates for the internal CA.

    Pros: This option is the recommended and clean method, where neither the original source certificates nor the original target certificates will be used. Certificates issued by the original source system will continue to be trusted.

    Cons: Any certificates that have been issued by the target system prior to the restore function will not be trusted and will need to be re-issued.


Before you begin

  • Before you perform this task, you should have a basic understanding of the backup data types in Cisco ISE.

  • Ensure that you have created repositories for storing the backup file.

  • Do not back up using a local repository. You cannot back up the monitoring data in the local repository of a remote Monitoring node.

  • Ensure that you perform all certificate-related changes before you obtain the backup.

  • To perform the following task, you must be a Super Admin or System Admin.


    Note

    For backup and restore operations, the following repository types are not supported: CD-ROM, HTTP, HTTPS, or TFTP. This is because, either these repository types are read-only or the protocol does not support file listing. To restore a backup, choose the repository and click Restore.


Procedure


Step 1

Choose Administration > System > Backup and Restore.

Step 2

Choose the type of backup: Configuration or Operational.

Step 3

Click Backup Now.

Step 4

Enter the values as required to perform a backup.

Step 5

Click Backup.

Step 6

Verify that the backup completed successfully.

Cisco ISE appends the backup filename with a timestamp and stores the file in the specified repository. In addition to the timestamp, Cisco ISE adds a CFG tag for configuration backups and OPS tag for operational backups. Ensure that the backup file exists in the specified repository.

In a distributed deployment, do not change the role of a node or promote a node while the backup is running. Changing node roles shuts down all the processes and might cause data inconsistency if a backup is running concurrently. Wait for the backup to complete before you make any node role changes.

Note

High CPU usage might be observed and a High Load Average alarm might be raised while the backup is running. CPU usage returns to normal when the backup is complete.


On-Demand Backup Settings

The following table describes the fields on the On-Demand Backup page, which you can use to obtain a backup at any point of time. The navigation path for this page is: Administration > System > Backup & Restore.
Table 2. On-Demand Backup Settings
Fields Usage Guidelines

Backup Name

Enter the name of your backup file.

Repository Name

Repository where your backup file should be saved. You cannot enter a repository name here. You can only choose an available repository from the drop-down list. Ensure that you create the repository before you run a backup.

Encryption Key

This key is used to encrypt and decrypt the backup file.

Schedule a Backup

You can perform an on-demand backup to instantly back up the configuration or monitoring (operational) data. The restore operation restores Cisco ISE to the configuration state that existed at the time the backup was obtained.



Before you begin

  • Before you perform this task, you should have a basic understanding of the backup data types in Cisco ISE.

  • Ensure that you have configured repositories.

  • Do not back up using a local repository. You cannot back up the monitoring data in the local repository of a remote Monitoring node.

  • To perform the following task, you must be a Super Admin or System Admin.

  • If you have upgraded to Cisco ISE 1.2 from Cisco ISE 1.1 or earlier releases, you should reconfigure your scheduled backups. See the Known Upgrade Issues section in the Cisco Identity Services Engine Upgrade Guide, Release 1.2.


Note

For backup and restore operations, the following repository types are not supported: CD-ROM, HTTP, HTTPS, or TFTP. This is because either these repository types are read-only or the protocol does not support file listing.


Procedure


Step 1

Choose Administration > System > Backup and Restore.

Step 2

Click Schedule to schedule a Configuration or an Operational backup.

Step 3

Enter the values as required to schedule a backup.

Step 4

Click Save to schedule the backup.

Step 5

Perform one of the following actions:

  • From the Select Repository drop-down list, choose the required repository.

  • Click the Add Repository link to add a new repository.

Step 6

Click the Refresh link to see the scheduled backup list.

You can create only one schedule at a time for a Configuration or Operational backup. You can enable or disable a scheduled backup, but you cannot delete it.


Scheduled Backup Settings

The following table describes the fields on the Scheduled Backup Page, which you can use to restore a full or incremental backup. The navigation path for this page is: Administration > System > Backup and Restore.
Table 3. Scheduled Backup Settings
Fields Usage Guidelines

Name

Enter a name for your backup file. You can enter a descriptive name of your choice. Cisco ISE appends the timestamp to the backup filename and stores it in the repository. You will have unique backup filenames even if you configure a series of backups. On the Scheduled Backup list page, the backup filename will be prepended with “backup_occur” to indicate that the file is a kron occurrence job.

Description

Enter a description for the backup.

Repository Name

Select the repository where your backup file should be saved. You cannot enter a repository name here. You can only choose an available repository from the drop-down list. Ensure that you create the repository before you run a backup.

Encryption Key

Enter a key to encrypt and decrypt the backup file.

Schedule Options

Choose the frequency of your scheduled backup and fill in the other options accordingly.

Backup Using the CLI

Although you can schedule backups from both the CLI and the GUI, we recommend using the GUI because it offers more options. However, an Operational backup on the secondary Monitoring node can be performed only from the CLI.

Backup History

Backup history provides basic information about scheduled and on-demand backups. It lists the name of the backup, backup file size, repository where the backup is stored, and time stamp that indicates when the backup was obtained. This information is available in the Operations Audit report and on the Backup and Restore page in the History table.

For failed backups, Cisco ISE triggers an alarm. The backup history page provides the failure reason. The failure reason is also cited in the Operations Audit report. If the failure reason is missing or is not clear, you can run the backup-logs command from the Cisco ISE CLI and look at the ADE.log for more information.

While the backup operation is in progress, you can use the show backup status CLI command to check the progress of the backup operation.

Backup history is stored along with the Cisco ADE operating system configuration data. It remains there even after an application upgrade and is only removed when you reimage the PAN.

Backup Failures

If backup fails, check the following:

  • Make sure that no other backup is running at the same time.

  • Check the available disk space for the configured repository.

    • Monitoring (operational) backup fails if the monitoring data takes up more than 75% of the allocated monitoring database size. For example, if your Monitoring node is allocated 600 GB, and the monitoring data takes up more than 450 GB of storage, then monitoring backup fails.

    • If the database disk usage is greater than 90%, a purge occurs to bring the database size to less than or equal to 75% of its allocated size.

  • Verify if a purge is in progress. Backup and restore operations will not work while a purge is in progress.

  • Verify if the repository is configured correctly.

Cisco ISE Restore Operation

You can restore configuration data on a primary or standalone administration node. After you restore data on the Primary PAN, you must manually synchronize the secondary nodes with the Primary PAN.

The process for restoring the operational data is different depending on the type of deployment.


Note

The new backup/restore user interface in Cisco ISE makes use of meta-data in the backup filename. Therefore, after a backup completes, you should not modify the backup filename manually. If you manually modify the backup filename, the Cisco ISE backup/restore user interface will not be able to recognize the backup file. If you have to modify the backup filename, you should use the Cisco ISE CLI to restore the backup.


Guidelines for Data Restoration

Following are guidelines to follow when you restore Cisco ISE backup data.

  • Cisco ISE allows you to obtain a backup from an ISE node (A) and restore it on another ISE node (B), both having the same host names (but different IP addresses). However, after you restore the backup on node B, do not change the hostname of node B because it might cause issues with certificates and portal group tags.

  • If you obtain a backup from the Primary PAN in one timezone and try to restore it on another Cisco ISE node in another timezone, the restore process might fail. This failure happens if the timestamp in the backup file is later than the system time on the Cisco ISE node on which the backup is restored. If you restore the same backup a day after it was obtained, then the timestamp in the backup file is in the past and the restore process succeeds.

  • When you restore a backup on the Primary PAN with a different hostname than the one from which the backup was obtained, the Primary PAN becomes a standalone node. The deployment is broken and the secondary nodes become nonfunctional. You must make the standalone node the primary node, reset the configuration on the secondary nodes, and reregister them with the primary node. To reset the configuration on Cisco ISE nodes, enter the following command from the Cisco ISE CLI:

    • application reset-config ise

  • We recommend that you do not change the system timezone after the initial Cisco ISE installation and setup.

  • If you changed the certificate configuration on one or more nodes in your deployment, you must obtain another backup to restore the data from the standalone Cisco ISE node or Primary PAN. Otherwise, if you try to restore data using an older backup, the communication between the nodes might fail.

  • After you restore the configuration backup on the Primary PAN, you can import the Cisco ISE CA certificates and keys that you exported earlier.

    Note

    If you did not export the Cisco ISE CA certificates and keys, then after you restore the configuration backup on the Primary PAN, generate the root CA and subordinate CAs on the Primary PAN and Policy Service Nodes (PSNs).


  • If you are trying to restore a platinum database without using the correct FQDN (the FQDN of the platinum database), you need to regenerate the CA certificates (choose Administration > Certificates > Certificate Signing Requests > Replace ISE Root CA certificate chain). However, if you restore the platinum database with the correct FQDN, the CA certificates are regenerated automatically.

  • You need a data repository, which is the location where Cisco ISE saves your backup file. You must create a repository before you can run an on-demand or scheduled backup.

  • If you have a standalone administration node that fails, you must run the configuration backup to restore it. If the Primary PAN fails, you can use the distributed setup to promote your Secondary Administration Node to become the primary. You can then restore data on the Primary PAN after it comes up.


    Note

    Cisco ISE also provides the backup-logs CLI command that you can use to collect log and configuration files for troubleshooting purposes.
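To make the timezone guideline above concrete, here is an added Python model (not Cisco's code) of the comparison it describes. It assumes the backup timestamp is compared as source-zone wall-clock time against the target node's local clock, and uses fixed UTC offsets for a constructed scenario.

```python
from datetime import datetime, timedelta, timezone

# Assumption (a model, not ISE's documented internals): the backup carries a
# local wall-clock timestamp from the source node, and the restoring node
# compares it with its own local clock, as the guideline describes.


def target_wall_clock(now_utc, target_utc_offset):
    """Local wall-clock time on the target node at a given UTC instant."""
    return now_utc.astimezone(timezone(target_utc_offset)).replace(tzinfo=None)


def restore_would_fail(backup_local_ts, now_utc, target_utc_offset):
    """True when the backup timestamp is later than the target's local clock,
    which is the condition under which the restore fails."""
    return backup_local_ts > target_wall_clock(now_utc, target_utc_offset)


def earliest_safe_restore_utc(backup_local_ts, target_utc_offset):
    """First UTC instant at which the target's local clock has caught up with
    the backup timestamp, i.e. from when the restore no longer fails on time."""
    aware = backup_local_ts.replace(tzinfo=timezone(target_utc_offset))
    return aware.astimezone(timezone.utc)


# Constructed scenario: backup taken on a Primary PAN in UTC+05:30 at 15:02
# local time; restore attempted on a node in UTC-07:00.
SOURCE_OFFSET = timedelta(hours=5, minutes=30)
TARGET_OFFSET = timedelta(hours=-7)
BACKUP_LOCAL_TS = datetime(2024, 6, 10, 15, 2)  # wall clock on the source node
BACKUP_INSTANT_UTC = BACKUP_LOCAL_TS.replace(
    tzinfo=timezone(SOURCE_OFFSET)).astimezone(timezone.utc)  # 09:32 UTC
# Five minutes later the target's clock reads 02:37 on 10 June, so the backup
# timestamp is "in the future" there; a day later it is safely in the past.
IMMEDIATE_ATTEMPT_UTC = BACKUP_INSTANT_UTC + timedelta(minutes=5)
NEXT_DAY_ATTEMPT_UTC = BACKUP_INSTANT_UTC + timedelta(days=1)

if __name__ == "__main__":
    print("immediate restore fails:",
          restore_would_fail(BACKUP_LOCAL_TS, IMMEDIATE_ATTEMPT_UTC, TARGET_OFFSET))
    print("next-day restore fails:",
          restore_would_fail(BACKUP_LOCAL_TS, NEXT_DAY_ATTEMPT_UTC, TARGET_OFFSET))
    print("earliest safe restore (UTC):",
          earliest_safe_restore_utc(BACKUP_LOCAL_TS, TARGET_OFFSET).isoformat())
```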


Restoration of Configuration or Monitoring (Operational) Backup from the CLI

To restore configuration data through the Cisco ISE CLI, use the restore command in the EXEC mode. Use the following command to restore data from a configuration or operational backup:

restore filename repository repository-name encryption-key hash|plain encryption-key name include-adeos

Syntax Description

restore

Type this command to restore data from a configuration or operational backup.

filename

Name of the backed-up file that resides in the repository. Supports up to 120 alphanumeric characters.

Note 

You must add the .tar.gpg extension after the filename (for example, myfile.tar.gpg).

repository

Specifies the repository that contains the backup.

repository-name

Name of the repository you want to restore the backup from.

encryption-key

(Optional) Specifies user-defined encryption key to restore backup.

hash

Hashed encryption key for restoring backup. Specifies an encrypted (hashed) encryption key that follows. Supports up to 40 characters.

plain

Plaintext encryption key for restoring backup. Specifies an unencrypted plaintext encryption key that follows. Supports up to 15 characters.

encryption-key name

Enter the encryption key.

include-adeos

(Optional, applicable only for configuration backup) Enter this command operator parameter if you want to restore ADE-OS configuration from a configuration backup. When you restore a configuration backup, if you do not include this parameter, Cisco ISE restores only the Cisco ISE application configuration data.

Defaults

No default behavior or values.

Command Modes

EXEC

When you use restore commands in Cisco ISE, the Cisco ISE server restarts automatically.

The encryption key is optional while restoring data. To support restoring earlier backups where you have not provided encryption keys, you can use the restore command without the encryption key.


ise/admin# restore mybackup-100818-1502.tar.gpg repository myrepository encryption-key plain Lab12345
Restore may require a restart of application services. Continue? (yes/no) [yes] ? yes
Initiating restore.  Please wait...
ISE application restore is in progress.
This process could take several minutes. Please wait...
Stopping ISE Application Server...
Stopping ISE Monitoring & Troubleshooting Log Processor...
Stopping ISE Monitoring & Troubleshooting Log Collector...
Stopping ISE Monitoring & Troubleshooting Alert Process...
Stopping ISE Monitoring & Troubleshooting Session Database...
Stopping ISE Database processes...
Starting ISE Database processes...
Starting ISE Monitoring & Troubleshooting Session Database...
Starting ISE Application Server...
Starting ISE Monitoring & Troubleshooting Alert Process...
Starting ISE Monitoring & Troubleshooting Log Collector...
Starting ISE Monitoring & Troubleshooting Log Processor...
Note: ISE Processes are initializing. Use 'show application status ise'
      CLI to verify all processes are in running state.
ise/admin#
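As an added example rather than part of the Cisco guide, this Python helper checks the constraints from the syntax description above (extension, length, key limits, include-adeos scope) and assembles the exact restore line. Allowing hyphens and underscores in the name, and applying the 120-character limit to the whole filename, are assumptions.

```python
import re

# Limits quoted from the restore command's syntax description on this page.
MAX_FILENAME_LEN = 120        # filename: up to 120 alphanumeric characters
MAX_HASH_KEY_LEN = 40         # encryption-key hash: up to 40 characters
MAX_PLAIN_KEY_LEN = 15        # encryption-key plain: up to 15 characters
REQUIRED_SUFFIX = ".tar.gpg"  # the extension that must follow the filename

# Assumptions: the length limit is applied to the whole filename, and hyphens
# and underscores are accepted alongside letters and digits, as in the page's
# own example name mybackup-100818-1502.tar.gpg.
_STEM_RE = re.compile(r"^[A-Za-z0-9_-]+$")
_REPO_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def restore_arg_problems(filename, repository, key=None, key_form="plain",
                         include_adeos=False, backup_type="configuration"):
    """Return the list of constraints the arguments violate (empty when valid)."""
    problems = []
    if not filename.endswith(REQUIRED_SUFFIX):
        problems.append(f"filename must end with {REQUIRED_SUFFIX}")
    elif not _STEM_RE.match(filename[: -len(REQUIRED_SUFFIX)]):
        problems.append("filename must be alphanumeric (hyphen and underscore allowed)")
    if len(filename) > MAX_FILENAME_LEN:
        problems.append(f"filename longer than {MAX_FILENAME_LEN} characters")
    if not _REPO_RE.match(repository):
        problems.append("repository name contains unsupported characters")
    if backup_type not in ("configuration", "operational"):
        problems.append("backup_type must be 'configuration' or 'operational'")
    if include_adeos and backup_type != "configuration":
        problems.append("include-adeos applies only to configuration backups")
    if key is not None:
        limit = {"plain": MAX_PLAIN_KEY_LEN, "hash": MAX_HASH_KEY_LEN}.get(key_form)
        if limit is None:
            problems.append("key_form must be 'plain' or 'hash'")
        elif not key or len(key) > limit or any(c.isspace() for c in key):
            problems.append(
                f"{key_form} encryption key must be 1-{limit} characters without whitespace")
    return problems


def build_restore_command(filename, repository, key=None, key_form="plain",
                          include_adeos=False, backup_type="configuration"):
    """Return the exact EXEC-mode line to type, or raise ValueError listing every
    violated constraint, so the command is checked before it reaches a node whose
    services the restore will stop and restart."""
    problems = restore_arg_problems(filename, repository, key, key_form,
                                    include_adeos, backup_type)
    if problems:
        raise ValueError("; ".join(problems))
    parts = ["restore", filename, "repository", repository]
    if key is not None:
        parts += ["encryption-key", key_form, key]
    if include_adeos:
        parts.append("include-adeos")
    return " ".join(parts)


if __name__ == "__main__":
    # Reproduces the command from the session shown in this section.
    print(build_restore_command("mybackup-100818-1502.tar.gpg", "myrepository",
                                key="Lab12345"))
    print(restore_arg_problems("mybackup.tar", "myrepository", key="x" * 16))
```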

Related Commands

Command Description

backup

Performs a backup (Cisco ISE and Cisco ADE OS) and places the backup in a repository.

backup-logs

Backs up system logs.

repository

Enters the repository submode for configuration of backups.

show repository

Displays the available backup files located on a specific repository.

show backup history

Displays the backup history of the system.

show backup status

Displays the status of the backup operation.

show restore status

Displays the status of the restore operation.

If the sync status and replication status after application restore for any secondary node is Out of Sync, you have to reimport the certificate of that secondary node to the Primary PAN and perform a manual synchronization.

Restore Configuration Backups from the GUI

You can restore a configuration backup from the Admin portal. The GUI lists only the backups that are taken from the current release. To restore backups that are prior to this release, use the restore command from the CLI.

Before you begin

Ensure that the Primary PAN auto-failover configuration, if enabled in your deployment, is turned off. When you restore a configuration backup, the application server processes are restarted. There might be a delay while these services restart. Due to this delay in restart of services, auto-failover of Secondary PAN might get initiated.

If your deployment was a dual-node deployment when the configuration backup was taken:

  • If the source and target nodes for the restore are the same as the ones used for the configuration backup, the target node can be either standalone or primary.

  • If the source and target nodes for the restore are different from the ones used for the configuration backup, the target node must be standalone.


Note

You can restore configuration database backup and regenerate the Root CA on a Primary PAN only. However, you cannot restore the configuration database backup on a registered PAN.


Procedure


Step 1

Choose Administration > System > Backup and Restore.

Step 2

Select the name of the backup from the list of Configuration backups and click Restore.

Step 3

Enter the Encryption Key used during the backup.

Step 4

Click Restore.


What to do next

If you are using the Cisco ISE CA service, you must:

  1. Regenerate the entire Cisco ISE CA root chain.

  2. Obtain a backup of the Cisco ISE CA certificates and keys from the Primary PAN and restore it on the Secondary PAN. This ensures that the Secondary PAN can function as the root CA or subordinate CA of an external PKI in case of a Primary PAN failure and you promote the Secondary PAN to be the Primary PAN.

Restoration of Monitoring Database

The process for restoring the Monitoring database is different depending on the type of deployment. The following sections explain how to restore the Monitoring database in standalone and distributed deployments.

You must use the CLI to restore an on-demand Monitoring database backup from previous releases of Cisco ISE. Restoring a scheduled backup across Cisco ISE releases is not supported.


Note

If you attempt to restore data to a node other than the one from which the data was taken, you must configure the logging target settings to point to the new node. This ensures that the monitoring syslogs are sent to the correct node.


Restore a Monitoring (Operational) Backup in a Standalone Environment

The GUI lists only the backups that are taken from the current release. To restore backups that were obtained from earlier releases, use the restore command from the CLI.

Before you begin

  • Purge the old monitoring data.

  • Schedule a backup or perform an on-demand backup.

Procedure

Step 1

Choose Administration > System > Backup and Restore.

Step 2

Select the name of the backup from the list of Operational backups and click Restore.

Step 3

Enter the Encryption Key used during the backup.

Step 4

Click Restore.


Restore a Monitoring Backup with Administration and Monitor Personas

You can restore a Monitoring backup in a distributed environment with Administration and Monitor personas.

Before you begin

  • Purge the old monitoring data.

  • Schedule a backup or perform an on-demand backup.

Procedure

Step 1

If you are using a primary and secondary PAN, synchronize the PANs.

When you synchronize the PANs, you must choose a PAN and promote it to be the active primary.

Step 2

Before you deregister the Monitoring node, assign the Monitoring persona to another node in the deployment.

Every deployment must have at least one functioning Monitoring node.

Step 3

Deregister the Monitoring node to be backed up.

Step 4

Restore the Monitoring backup to the newly deregistered node.

Step 5

Register the newly restored node with the current Administration node.

Step 6

Promote the newly restored and registered node as the active Monitoring node.


Restore a Monitoring Backup with a Monitoring Persona

You can restore a Monitoring backup in a distributed environment with only Monitoring persona.

Before you begin

  • Purge the old monitoring data.

  • Schedule a backup or perform an on-demand backup.

Procedure

Step 1

Prepare to deregister the node to be restored by assigning the Monitoring persona to another node in the deployment.

A deployment must have at least one functioning Monitoring node.

Step 2

Deregister the node to be restored.

Note 

Wait until the deregistration is complete before proceeding with the restore. The node must be in a standalone state before you can continue with the restore.

Step 3

Restore the Monitoring backup to the newly deregistered node.

Step 4

Register the newly restored node with the current Administration node.

Step 5

Promote the newly restored and registered node as the PAN.


Restore History

You can obtain information about all restore operations, log events, and statuses from the Operations Audit report.


Note

However, the Operations Audit report does not provide information about the start times corresponding to the previous restore operations.


For troubleshooting information, you have to run the backup-logs command from the Cisco ISE CLI and look at the ADE.log file.

While the restore operation is in progress, all Cisco ISE services are stopped. You can use the show restore status CLI command to check the progress of the restore operation.

Export Authentication and Authorization Policy Configuration

You can export authentication and authorization policy configuration in the form of an XML file that you can read offline to identify any configuration errors and use for troubleshooting purposes. This XML file includes authentication and authorization policy rules, simple and compound policy conditions, dACLs, and authorization profiles. You can choose to email the XML file or save it to your local system.

Procedure


Step 1

Choose Administration > System > Backup & Restore.

Step 2

Click Policy Export.

Step 3

Enter the values as needed.

Step 4

Click Export.

Use a text editor such as WordPad to view the contents of the XML file.


Schedule Policy Export Settings

The following table describes the fields on the Schedule Policy Export page. The navigation path for this page is: Administration > System > Backup and Restore > Policy Export.
Table 4. Schedule Policy Export Settings
Fields Usage Guidelines

Encryption

Encryption Key

Enter a key to encrypt and decrypt the export data. This field will be enabled only if you select the Export with Encryption Key option.

Destination

Download file to local computer

Allows you to download the policy export file to your local system.

Email file to

Enter multiple email addresses separated by a comma.

Repository

Select the repository where your export data should be saved. You cannot enter a repository name here. You can only choose an available repository from the drop-down list. Ensure that you create the repository before scheduling the policy export.

Export Now

Click this option to export the data to the specified repository immediately.

Schedule

Schedule Options

Choose the frequency of the export schedule and enter the other details accordingly.

Synchronize Primary and Secondary Nodes in a Distributed Environment

In a distributed environment, the Cisco ISE databases on the primary and secondary nodes are sometimes not synchronized automatically after you restore a backup file on the PAN. If this happens, you can manually force a full replication from the PAN to the secondary ISE nodes. You can force a synchronization only from the PAN to the secondary nodes. During the sync-up operation, you cannot make any configuration changes. Cisco ISE allows you to navigate to other Cisco ISE Admin portal pages and make configuration changes only after the synchronization is complete.

Before you begin

To perform the following task, you must be a Super Admin or System Admin.

Procedure


Step 1

Choose Administration > System > Deployment.

Step 2

Check the check boxes next to the secondary ISE nodes with an Out of Sync replication status.

Step 3

Click Syncup and wait until the nodes are synchronized with the PAN. You will have to wait until this process is complete before you can access the Cisco ISE Admin portal again.


Recovery of Lost Nodes in Standalone and Distributed Deployments

This section provides troubleshooting information that you can use to recover lost nodes in standalone and distributed deployments. Some of the following use cases use the backup and restore functionality and others use the replication feature to recover lost data.

Recovery of Lost Nodes Using Existing IP Addresses and Hostnames in a Distributed Deployment

Scenario

In a distributed deployment, a natural disaster leads to a loss of all the nodes. After recovery, you want to use the existing IP addresses and hostnames.

For example, you have two nodes: N1 (Primary Policy Administration Node or Primary PAN) and N2 (Secondary Policy Administration Node or Secondary PAN). A backup of the N1 node, which was taken at time T1, is available. Later, both N1 and N2 nodes fail because of a natural disaster.

Assumption

All Cisco ISE nodes in the deployment were destroyed. The new hardware was imaged using the same hostnames and IP addresses.

Resolution Steps

  1. You have to replace both the N1 and N2 nodes. N1 and N2 nodes will now have a standalone configuration.

  2. Obtain a license with the UDI of the N1 and N2 nodes and install it on the N1 node.

  3. You must then restore the backup on the replaced N1 node. The restore script will try to sync the data on N2, but N2 is now a standalone node and the synchronization fails. Data on N1 will be reset to time T1.

  4. You must log in to the N1 Admin portal to delete and reregister the N2 node. Both the N1 and N2 nodes will have data reset to time T1.

Recovery of Lost Nodes Using New IP Addresses and Hostnames in a Distributed Deployment

Scenario

In a distributed deployment, a natural disaster leads to loss of all the nodes. The new hardware is reimaged at a new location and requires new IP addresses and hostnames.

For example, you have two ISE nodes: N1 (Primary Policy Administration Node or Primary PAN) and N2 (Secondary Policy Service Node). A backup of the N1 node, which was taken at time T1, is available. Later, both N1 and N2 nodes fail because of a natural disaster. The Cisco ISE nodes are replaced at a new location and the new hostnames are N1A (Primary PAN) and N2A (Secondary Policy Service Node). N1A and N2A are standalone nodes at this point in time.

Assumptions

All Cisco ISE nodes in the deployment were destroyed. The new hardware was imaged at a different location using different hostnames and IP addresses.

Resolution Steps

  1. Obtain the N1 backup and restore it on N1A. The restore script will identify the hostname change and domain name change, and will update the hostname and domain name in the deployment configuration based on the current hostname.

  2. You must generate a new self-signed certificate.

  3. You must log in to the Cisco ISE Admin portal on N1A, choose Administration > System > Deployment, and do the following:

    Delete the old N2 node.

    Register the new N2A node as a secondary node. Data from the N1A node will be replicated to the N2A node.

Recovery of a Node Using Existing IP Address and Hostname in a Standalone Deployment

Scenario

A standalone administration node is down.

For example, you have a standalone administration node, N1. A backup of the N1 database was taken at time T1. The N1 node goes down because of a physical failure and must be reimaged, or new hardware is required. The N1 node must be brought back up with the same IP address and hostname.

Assumptions

This deployment is a standalone deployment and the new or reimaged hardware has the same IP address and hostname.

Resolution Steps

Once the N1 node is up after a reimage or you have introduced a new Cisco ISE node with the same IP address and hostname, you must restore the backup taken from the old N1 node. You do not have to make any role changes.

Recovery of a Node Using New IP Address and Hostname in a Standalone Deployment

Scenario

A standalone administration node is down.

For example, you have a standalone administration node, N1. A backup of the N1 database taken at time T1 is available. The N1 node is down because of a physical failure and will be replaced by new hardware at a different location with a different IP address and hostname.

Assumptions

This is a standalone deployment and the replaced hardware has a different IP address and hostname.

Resolution Steps

  1. Replace the N1 node with new hardware. This node will be in a standalone state and the hostname is N1B.

  2. You can restore the backup on the N1B node. No role changes are required.

Configuration Rollback

Problem

There may be instances where you inadvertently make configuration changes that you later determine were incorrect. For example, you may delete several NADs or modify some RADIUS attributes incorrectly and realize this issue several hours later. In this case, you can revert to the original configuration by restoring a backup that was taken before you made the changes.

Possible Causes

There are two nodes: N1 (Primary Policy Administration Node or Primary PAN) and N2 (Secondary Policy Administration Node or Secondary PAN) and a backup of the N1 node is available. You made some incorrect configuration changes on N1 and want to remove the changes.

Solution

Obtain a backup of the N1 node that was taken before the incorrect configuration changes were made. Restore this backup on the N1 node. The restore script will synchronize the data from N1 to N2.

Recovery of Primary Node in Case of Failure in a Distributed Deployment

Scenario

In a multinode deployment, the PAN fails.

For example, you have two Cisco ISE nodes, N1 (PAN) and N2 (Secondary Administration Node). N1 fails because of hardware issues.

Assumptions

Only the primary node in a distributed deployment has failed.

Resolution Steps

  1. Log in to the N2 Admin portal. Choose Administration > System > Deployment and configure N2 as your primary node.

    The N1 node is replaced with new hardware, reimaged, and is in the standalone state.

  2. From the N2 Admin portal, register the new N1 node as a secondary node.

    Now, the N2 node becomes your primary node and the N1 node becomes your secondary node.

If you wish to make the N1 node the primary node again, log in to the N1 Admin portal and make it the primary node. N2 automatically becomes a secondary server. There is no data loss.

Recovery of Secondary Node in Case of Failure in a Distributed Deployment

Scenario

In a multinode deployment, a single secondary node has failed. No restore is required.

For example, you have multiple nodes: N1 (Primary PAN), N2 (Secondary PAN), N3 (Secondary Policy Service Node), N4 (Secondary Policy Service Node). One of the secondary nodes, N3, fails.

Resolution Steps

  1. Reimage the new N3A node to the default standalone state.

  2. Log in to the N1 Admin portal and delete the N3 node.

  3. Reregister the N3A node.

    Data is replicated from N1 to N3A. No restore is required.

Cisco ISE Logging Mechanism

Cisco ISE provides a logging mechanism that is used for auditing, fault management, and troubleshooting. The logging mechanism helps you to identify fault conditions in deployed services and troubleshoot issues efficiently. It also produces logging output from the monitoring and troubleshooting primary node in a consistent fashion.

You can configure a Cisco ISE node to collect the logs in the local systems using a virtual loopback address. To collect logs externally, you configure external syslog servers, which are called targets. Logs are classified into various predefined categories. You can customize logging output by editing the categories with respect to their targets, severity level, and so on.

As a best practice, do not configure network devices to send syslogs to a Cisco ISE Monitoring and Troubleshooting (MnT) node, because this could result in the loss of some Network Access Device (NAD) syslogs and overload the MnT servers, causing load issues.


Note

If the Monitoring node is configured as the syslog server for a network device, ensure that the logging source sends the correct network access server (NAS) IP address in the following format:

<message_number>sequence_number: NAS_IP_address: timestamp: syslog_type: <message_text>

Otherwise, this might impact functionalities that depend on the NAS IP address.


Configure Syslog Purge Settings

Use this process to set local log-storage periods and to delete local logs after a certain period of time.

Procedure


Step 1

Choose Administration > System > Logging > Local Log Settings.

Step 2

In the Local Log Storage Period field, enter the maximum number of days to keep the log entries in the configuration source.

Logs may be deleted earlier than the configured Local Log Storage Period if the size of the localStore folder reaches 97 GB.

Step 3

Click Delete Logs Now to delete the existing log files at any time before the expiration of the storage period.

Step 4

Click Save.


Cisco ISE System Logs

In Cisco ISE, system logs are collected at locations called logging targets. Targets refer to the IP addresses of the servers that collect and store logs. You can generate and store logs locally, or you can use the FTP facility to transfer them to an external server. Cisco ISE has the following default targets, which are dynamically configured in the loopback addresses of the local system:

  • LogCollector—Default syslog target for the Log Collector.

  • ProfilerRadiusProbe—Default syslog target for the Profiler Radius Probe.

By default, the logging targets for the AAA Diagnostics subcategories and the System Diagnostics subcategories are disabled during a fresh Cisco ISE installation or an upgrade, to reduce disk space usage. You can configure logging targets manually for these subcategories, but local logging for these subcategories is always enabled.

You can use the default logging targets that are configured locally at the end of the Cisco ISE installation or you can create external targets to store the logs.


Note

If a syslog server is configured in a distributed deployment, syslog messages are sent directly from the authenticating PSNs to the syslog server and not from the MnT node.


Configure Remote Syslog Collection Locations

You can use the web interface to create remote syslog server targets to which system log messages are sent. Log messages are sent to the remote syslog server targets in accordance with the syslog protocol standard (see RFC 3164). The syslog protocol uses UDP, which is not secure.

A message is generated when an event occurs. An event may be one that displays a status, such as a message displayed when exiting a program, or an alarm. Different types of event messages are generated by different facilities, such as the kernel, mail, user level, and so on. An event message is associated with a severity level, which allows an administrator to filter the messages and prioritize them. Numerical codes are assigned to the facility and the severity level. A syslog server is an event message collector; it collects event messages from these facilities. The administrator can select the event message collector to which messages will be forwarded based upon their severity level.

The UDP syslog (log collector) is the default remote logging target. When you disable this logging target, it no longer functions as a log collector and is removed from the Logging Categories page. When you enable this logging target, it becomes a log collector in the Logging Categories page.
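The following is an added example, not code from the Cisco ISE product or its documentation, that ties together two points made above: the note that a network device logging to the MnT node must send its NAS IP address in the format `<message_number>sequence_number: NAS_IP_address: timestamp: syslog_type: <message_text>`, and the description here of RFC 3164 facility and severity codes driving collector selection. It decodes the leading PRI value (facility = PRI / 8, severity = PRI mod 8), parses the body against the documented field order, flags lines that lack a usable NAS IP field, and decides whether a line clears a severity cut-off. The regex for the body is my reading of the documented format, the sample lines are constructed, and `10.1.1.1` is a placeholder NAS IP; none of these come from the page.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# RFC 3164 severity names; the list index is the numeric severity (0 is most severe).
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# PRI is the leading "<N>" of an RFC 3164 message, where N = facility * 8 + severity.
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.DOTALL)

# Body format the note above says a network device must use when it logs to the MnT node:
#   sequence_number: NAS_IP_address: timestamp: syslog_type: message_text
# The timestamp is matched lazily because it contains colons of its own (hh:mm:ss).
# This regex is my reading of the documented format (an assumption, not Cisco's parser).
NAD_BODY_RE = re.compile(
    r"^(?P<seq>\d+): "
    r"(?P<nas_ip>\d{1,3}(?:\.\d{1,3}){3}): "
    r"(?P<timestamp>.+?): "
    r"(?P<syslog_type>\S+): "
    r"(?P<text>.*)$"
)


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    sequence: int
    nas_ip: str
    timestamp: str
    syslog_type: str
    text: str


def split_pri(line: str) -> Optional[tuple[int, int, str]]:
    """Return (facility, severity, remaining_text), or None if the PRI is missing or invalid."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facilities 0..23 and severities 0..7 give at most 23 * 8 + 7
        return None
    return pri // 8, pri % 8, m.group("rest")


def parse_nad_syslog(line: str) -> Optional[SyslogEvent]:
    """Parse one line as a NAD syslog in the ISE-expected format; None if it does not conform."""
    pri = split_pri(line)
    if pri is None:
        return None
    facility, severity, body = pri
    m = NAD_BODY_RE.match(body)
    if not m:
        return None
    return SyslogEvent(facility, severity, int(m.group("seq")), m.group("nas_ip"),
                       m.group("timestamp"), m.group("syslog_type"), m.group("text"))


def should_forward(event: SyslogEvent, max_severity: int) -> bool:
    """Collector selection by severity: forward if the event is at least as severe as the cut-off.

    Numerically lower severities are more severe, so "at least as severe" means <=."""
    return event.severity <= max_severity


def audit_lines(lines: Iterable[str], max_severity: int = 6) -> dict[str, int]:
    """Classify a batch of lines as forwarded, dropped by severity, or malformed (no usable NAS IP)."""
    counts = {"forwarded": 0, "dropped_by_severity": 0, "malformed": 0}
    for line in lines:
        event = parse_nad_syslog(line)
        if event is None:
            counts["malformed"] += 1
        elif should_forward(event, max_severity):
            counts["forwarded"] += 1
        else:
            counts["dropped_by_severity"] += 1
    return counts


# Constructed sample lines (not captured from a real device); 10.1.1.1 is a placeholder NAS IP.
SAMPLE_LINES = [
    "<189>123: 10.1.1.1: Mar  1 12:34:56.789: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<191>124: 10.1.1.1: Mar  1 12:35:01.002: %DOT1X-7-RESULT: Authentication result 'success' from 'mab' for client (aabb.cc00.0100) on Interface Gi1/0/1",
    # Missing the NAS IP field: ISE features that key on the NAS IP cannot use this one.
    "<189>125: Mar  1 12:35:05.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_nad_syslog(line)
        if ev is None:
            print("MALFORMED:", line[:40])
        else:
            print(f"facility={ev.facility} severity={SEVERITY_NAMES[ev.severity]} "
                  f"nas_ip={ev.nas_ip} type={ev.syslog_type}")
    print(audit_lines(SAMPLE_LINES))
```

Running the audit over a capture of what a NAD actually sends is a quick way to confirm, before pointing the device at a collector, that every line carries the NAS IP in the second field; the malformed count is the one to watch.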

Procedure


Step 1

Choose Administration > System > Logging > Remote Logging Targets.

Step 2

Click Add.

Step 3

Enter the required details.

Step 4

Click Save.

Step 5

Go to the Remote Logging Targets page and verify the creation of the new target.

The logging targets can then be mapped to each of the logging categories below. The PSN nodes send the relevant logs to the remote logging targets depending on the services that are enabled on those nodes.

  • AAA Audit

  • AAA Diagnostics

  • Accounting

  • External MDM

  • Passive ID

  • Posture and Client Provisioning Audit

  • Posture and Client Provisioning Diagnostics

  • Profiler

Logs of the following categories are sent by all nodes in the deployment to the logging targets:

  • Administrative and Operational Audit

  • System Diagnostics

  • System Statistics


Cisco ISE Message Codes

A logging category is a bundle of message codes that describe a function, a flow, or a use case. In Cisco ISE, each log is associated with a message code that is bundled with the logging categories according to the log message content. Logging categories help describe the content of the messages that they contain.

Logging categories organize the logging configuration. Each category has a name, target, and severity level that you can set according to your application requirements.

Cisco ISE provides predefined logging categories for services, such as Posture, Profiler, Guest, AAA (authentication, authorization, and accounting), and so on, to which you can assign log targets.

For the logging category Passed Authentications, the option to allow local logging is disabled by default. Enabling local logging for this category will result in high utilization of operational space, and fill prrt-server.log along with the iseLocalStore.log.

If you choose to enable local logging for Passed Authentications, go to Administration > System > Logging > Logging Categories, click Passed Authentications from the category section, and check the check box against Local Logging.

Set Severity Levels for Message Codes

You can set the log severity level and choose logging targets where the logs of selected categories will be stored.

Procedure


Step 1

Choose Administration > System > Logging > Logging Categories.

Step 2

Click the radio button next to the category that you want to edit, and click Edit.

Step 3

Modify the required field values.

Step 4

Click Save.

Step 5

Go to the Logging Categories page and verify the configuration changes that were made to the specific category.


Cisco ISE Message Catalogs

You can use the Message Catalog page to view all possible log messages and the descriptions. Choose Administration > System > Logging > Message Catalog.

The Log Message Catalog page appears, from which you can view all possible log messages that can appear in your log files. Choose Export to export all the syslog messages in the form of a CSV file.

You can also refer to the Cisco ISE Syslogs document for a comprehensive list of the syslog messages sent by Cisco ISE, what they mean, and how they are recorded in local and remote targets.

Debug Logs

Debug logs capture bootstrap, application configuration, runtime, deployment, monitoring, reporting, and public key infrastructure (PKI) information. Critical and warning alarms for the past 30 days and info alarms for the past 7 days are included in the debug logs.

You can configure the debug log severity level for individual components.

You can use the Reset to Default option for a node or component to reset the log level back to factory-shipped default values.

You can store the debug logs in the local server.


Note

Debug log configuration is not saved when a system is restored from a backup or upgraded.


View Logging Components for a Node

Procedure


Step 1

Choose Administration > System > Logging > Debug Log Configuration.

Step 2

Select the node for which you want to view the logging components, and then click Edit.

The Debug Level Configuration page appears. You can view the following details:

  • List of logging components based on the services that are running on the selected node

  • Description for each component

  • Current log level that is set for the individual components


Configure Debug Log Severity Level

You can configure the severity levels for the debug logs.

Procedure


Step 1

Choose Administration > System > Logging > Debug Log Configuration.

Step 2

Select the node, and then click Edit.

The Debug Log Configuration page displays a list of components based on the services that are running on the selected node and the current log level that is set for the individual components.

You can use the Reset to Default option for a node or component to reset the log level back to factory-shipped default values.

Step 3

Select the component for which you want to configure the log severity level, and then click Edit. Choose the desired log severity level from the Log Level drop-down list, and click Save.

Note

Changing the log severity level of the runtime-AAA component changes the log level of its subcomponent prrt-JNI as well. A change in subcomponent log level does not affect its parent component.


Endpoint Debug Log Collector

To troubleshoot issues with a specific endpoint, you can download debug logs for that particular endpoint based on its IP address or MAC address. The logs specific to that endpoint from the various nodes in your deployment are collected in a single file, which helps you troubleshoot your issue quickly and efficiently. You can run this troubleshooting tool for only one endpoint at a time. The log files are listed in the GUI. You can download the logs for an endpoint from a single node or from all the nodes in your deployment.

Download Debug Logs for a Specific Endpoint

To troubleshoot issues related to a specific endpoint in your network, you can use the Debug Endpoint tool from the Admin portal. Alternatively, you can run this tool from the Authentications page. Right-click the Endpoint ID from the Authentications page and click Endpoint Debug. This tool provides all debug information for all services related to the specific endpoint in a single file.

Before you begin

You need the IP address or MAC address of the endpoint whose debug logs you want to collect.

Procedure


Step 1

Choose Operations > Troubleshoot > Diagnostic Tools > General Tools > Endpoint Debug.

Step 2

Click the MAC Address or IP radio button and enter the MAC or IP address of the endpoint.

Step 3

Check the Automatic disable after n Minutes check box if you want to stop log collection after a specified amount of time. If you check this check box, you must enter a time between 1 and 60 minutes.

The following message appears: "Endpoint Debug degrades the deployment performance. Would you like to continue?"

Step 4

Click Continue to collect the logs.

Step 5

Click Stop when you want to manually stop the log collection.


Collection Filters

You can configure Collection Filters to suppress syslog messages being sent to the Monitoring node and external servers. The suppression is performed at the Policy Service Node level, based on different attribute types. You can define multiple filters, each with a specific attribute type and a corresponding value.

Before sending a syslog message to the Monitoring node or an external server, Cisco ISE compares these values with the fields in the message to be sent. If any match is found, the corresponding message is not sent.

Configure Collection Filters

You can configure multiple collection filters based on various attribute types. It is recommended to limit the number of filters to 20. You can add, edit, or delete a collection filter.

Procedure


Step 1

Choose Administration > System > Logging > Collection Filters.

Step 2

Click Add.

Step 3

Choose the Filter Type from the following list:

  • User Name

  • MAC Address

  • Policy Set Name

  • NAS IP Address

  • Device IP Address

Step 4

Enter the corresponding Value for the filter type you have selected.

Step 5

Choose the Result from the drop-down list. The result can be All, Passed, or Failed.

Step 6

Click Submit.


Event Suppression Bypass Filter

Cisco ISE allows you to set Collection Filters to suppress some syslog messages from being sent to the Monitoring node and other external servers. At times, you need access to these suppressed log messages. Cisco ISE provides an option to bypass the event suppression based on a particular attribute, such as username, for a configurable amount of time. The default is 50 minutes, but you can configure the duration from 5 minutes to 480 minutes (8 hours). After you configure the event suppression bypass, it takes effect immediately. When the duration that you have set elapses, the bypass suppression filter expires.

You can configure a suppression bypass filter from the Collection Filters page in the Cisco ISE user interface. Using this feature, you can now view all the logs for a particular identity (user) and troubleshoot issues for that identity in real time.

You can enable or disable a filter. If the duration that you have configured in a bypass event filter elapses, the filter is disabled automatically until you enable it again.

Cisco ISE captures these configuration changes in the Change Configuration Audit Report. This report provides information on who configured an event suppression or a bypass suppression and the duration of time for which the event was suppressed or the suppression bypassed.
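To make the interaction between Collection Filters and the suppression bypass concrete, here is an added example (my own code, not Cisco ISE's implementation) that models the evaluation described in the two sections above: a message is dropped when any filter's attribute value matches it and the filter's Result (All, Passed, Failed) agrees, unless an active bypass for the same attribute lets it through; the bypass enforces the documented 5 to 480 minute range, defaults to 50 minutes, and disables itself when its duration elapses. The message field names, the MAC normalization, and all sample users, MACs and NAS IPs are my own constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Filter types from the procedure above, mapped to the syslog field they are compared with.
# The field names on the right are my labels for the sample messages, not Cisco attribute names.
FILTER_FIELDS = {
    "User Name": "user_name",
    "MAC Address": "mac_address",
    "Policy Set Name": "policy_set",
    "NAS IP Address": "nas_ip",
    "Device IP Address": "device_ip",
}


@dataclass
class CollectionFilter:
    filter_type: str          # a key of FILTER_FIELDS
    value: str
    result: str = "All"       # "All", "Passed" or "Failed"


@dataclass
class BypassFilter:
    """Event suppression bypass: lets matching messages through for a limited time."""
    filter_type: str
    value: str
    started_at: datetime
    duration_minutes: int = 50      # default 50; allowed range 5..480 minutes
    enabled: bool = True

    def __post_init__(self) -> None:
        if not 5 <= self.duration_minutes <= 480:
            raise ValueError("bypass duration must be between 5 and 480 minutes")

    def is_active(self, now: datetime) -> bool:
        # The bypass is disabled automatically once its duration has elapsed.
        if self.enabled and now >= self.started_at + timedelta(minutes=self.duration_minutes):
            self.enabled = False
        return self.enabled


def _normalize(filter_type: str, value: str) -> str:
    """Compare MACs without separators or case, other values case-insensitively (my assumption)."""
    if filter_type == "MAC Address":
        return "".join(ch for ch in value.lower() if ch in "0123456789abcdef")
    return value.strip().lower()


def attribute_matches(filter_type: str, value: str, message: dict) -> bool:
    field_name = FILTER_FIELDS[filter_type]
    if field_name not in message:
        return False
    return _normalize(filter_type, message[field_name]) == _normalize(filter_type, value)


def filter_matches(flt: CollectionFilter, message: dict) -> bool:
    if not attribute_matches(flt.filter_type, flt.value, message):
        return False
    return flt.result == "All" or flt.result == message["result"]


def should_send(message: dict, filters: list, bypasses: list, now: datetime) -> bool:
    """True if the PSN should forward the message to the Monitoring node or external target."""
    # An active bypass whose attribute matches overrides suppression for that identity.
    if any(b.is_active(now) and attribute_matches(b.filter_type, b.value, message) for b in bypasses):
        return True
    return not any(filter_matches(f, message) for f in filters)


def forwarded_ids(messages: list, filters: list, bypasses: list, now: datetime) -> list:
    """IDs of the messages that would be sent, in their original order."""
    return [m["id"] for m in messages if should_send(m, filters, bypasses, now)]


# Constructed sample messages (placeholder users, MACs and NAS IPs).
T0 = datetime(2019, 5, 4, 9, 0)
SAMPLE_MESSAGES = [
    {"id": "m1", "user_name": "svc-scanner", "mac_address": "AA:BB:CC:00:01:00", "policy_set": "Wired", "nas_ip": "10.1.1.1", "result": "Passed"},
    {"id": "m2", "user_name": "alice", "mac_address": "AA:BB:CC:00:02:00", "policy_set": "Wired", "nas_ip": "10.1.1.1", "result": "Failed"},
    {"id": "m3", "user_name": "alice", "mac_address": "AA:BB:CC:00:02:00", "policy_set": "Wired", "nas_ip": "10.1.1.1", "result": "Passed"},
    {"id": "m4", "user_name": "bob", "mac_address": "AA:BB:CC:00:03:00", "policy_set": "Wireless", "nas_ip": "10.1.1.2", "result": "Failed"},
]
# Suppress everything from a noisy service account, and failed authentications seen through one NAS.
SAMPLE_FILTERS = [
    CollectionFilter("User Name", "svc-scanner"),
    CollectionFilter("NAS IP Address", "10.1.1.1", result="Failed"),
]

if __name__ == "__main__":
    bypass = BypassFilter("User Name", "svc-scanner", started_at=T0)
    print("bypass active:", forwarded_ids(SAMPLE_MESSAGES, SAMPLE_FILTERS, [bypass], T0 + timedelta(minutes=10)))
    print("bypass expired:", forwarded_ids(SAMPLE_MESSAGES, SAMPLE_FILTERS, [bypass], T0 + timedelta(minutes=60)))
```

The Result field is what makes the second filter useful: with `Failed` it keeps the successful authentications from that NAS flowing while hiding only the noise, which is a better trade-off than silencing the NAS entirely.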

Cisco ISE Reports

Cisco Identity Services Engine (ISE) reports are used with the monitoring and troubleshooting features to analyze trends and to monitor system performance and network activities from a central location.

Cisco ISE collects log and configuration data from across the network. It then aggregates the data into reports for you to view and analyze. Cisco ISE provides a standard set of predefined reports that you can use and customize to fit your needs.

Cisco ISE reports are preconfigured and grouped into logical categories with information related to authentication, session traffic, device administration, configuration and administration, and troubleshooting.

Report Filters

There are two types of reports, single-section and multi-section. Single-section reports contain a single grid (Radius Authentications report) and multi-section reports contain many grids (Authentications Summary report) and represent data in the form of charts and tables. The Filter drop-down menu in the single-section reports contains the Quick Filter and Advanced Filter. In the multi-section reports, you can specify only advanced filters.

Multi-section reports may contain one or more mandatory advanced filters that require your input. For example, when you click the Health Summary report (Operations > Reports > Diagnostics page), it displays two mandatory advanced filters—Server and Time Range. You must specify the operator command, server name, and required values for both these filters, and then click Go to generate the report. You can add new advanced filters by clicking the Plus (+) symbol. You can export multi-section reports only in the PDF format. You cannot schedule Cisco ISE multi-section reports to run and re-run at a specific time or at time intervals.


Note

When you click a report, data for the current date is generated by default. However, some multi-section reports require mandatory input from the user apart from the time range.


By default, the Quick Filter is displayed as the first row in single-section reports. The fields may contain a drop-down list from which you can select the search criteria or may be a text box.

An Advanced Filter contains an outer criterion that contains one or more inner criteria. The outer criterion specifies whether the search must match All or Any of the inner criteria. Each inner criterion contains one or more conditions that specify the Category (Endpoint ID, Identity Group), the Method (operator commands, such as Contains, Does Not Contain), and the Time Range for the condition.

When using the Quick Filter, you can choose a date or time from the Logged At drop-down list to generate reports for a data set logged in the last 30 days or less. If you want to generate a report for a date or time prior to 30 days, use the Advanced Filter to set the required time frame in the From and To fields of the Custom option from the drop-down list.

Create the Quick Filter Criteria

This section describes how to create quick filter criteria. You can create quick filter criteria only for single-section reports.

Procedure


Step 1

Choose Operations > Reports and click the required report.

Step 2

From the Settings drop-down list, choose the required fields.

Step 3

In the required field, you can choose from the drop-down list or type specific characters to filter the data. The search uses the Contains operator command. For example, to filter by text that begins with “K”, enter K; to filter text that has “geo” anywhere in it, enter geo. You can also use asterisks (*) in the pattern, for example, a pattern that starts with *abc and ends with *def.

The quick filter uses the following conditions: contains, starts with, ends with, starts with or ends with, and multiple values with OR operator.

Step 4

Press Enter.


Create the Advanced Filter Criteria

This section describes how to create advanced filter criteria. You can create advanced filters for single- and multi-section reports. The Filter drop-down menu in the single-section reports contains the Quick Filter and Advanced Filter. In the multi-section reports, you can specify only advanced filters.

Procedure


Step 1

Choose Operations > Reports and click the required report.

Step 2

In the Filters section, from the Match drop-down list, choose one of the options.

  1. Choose All to match all specified conditions.

  2. Choose Any to match any one specified condition.

Step 3

From the Time Range drop-down list, choose the required category.

Step 4

From the Operator Commands drop-down list, choose the required command. For example, you can filter text that begins with a specific character (use Begin With), or specific characters anywhere in the text (use Contains). Or, you can choose the Logged Time and corresponding Custom option and specify the From and To date and time from the calendar to filter data.

Step 5

From the Time Range drop-down list, choose the required option.

Step 6

Click Go.


You can save a filtered report and retrieve it from the Filter drop-down list for future reference.
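The outer/inner criteria model described under Report Filters and in the procedure above is easy to get wrong when building a filter by hand, so here is an added example (my own code, not a Cisco ISE component) that evaluates such a filter over report rows: the outer criterion is All (every condition must hold) or Any (at least one must hold), each inner condition pairs a Category column with a Method operator from the text (Contains, Does Not Contain, Begins With), and a Custom time range restricts the Logged At column. Case-insensitive matching, the sample rows, and the MAC addresses and identity groups in them are my assumptions and constructed data.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Optional

# "Method" operator commands named in the text, keyed by their GUI label.
# Matching is case-insensitive here; that is my choice, not documented behaviour.
OPERATORS: dict[str, Callable[[str, str], bool]] = {
    "Contains": lambda value, needle: needle.lower() in value.lower(),
    "Does Not Contain": lambda value, needle: needle.lower() not in value.lower(),
    "Begins With": lambda value, needle: value.lower().startswith(needle.lower()),
}


@dataclass
class Condition:
    """One inner criterion: Category (a report column), Method (operator), and its value."""
    category: str
    method: str
    value: str


@dataclass
class AdvancedFilter:
    """Outer criterion: All (AND) or Any (OR) over the inner conditions, plus a time range."""
    match: str                                  # "All" or "Any"
    conditions: list = field(default_factory=list)
    logged_from: Optional[datetime] = None      # the Custom time range's From
    logged_to: Optional[datetime] = None        # the Custom time range's To


def row_matches(row: dict, flt: AdvancedFilter) -> bool:
    """Return True if a report row satisfies the filter."""
    logged_at = row["Logged At"]
    if flt.logged_from is not None and logged_at < flt.logged_from:
        return False
    if flt.logged_to is not None and logged_at > flt.logged_to:
        return False
    if not flt.conditions:          # a time-range-only filter keeps every row in range
        return True
    results = [OPERATORS[c.method](str(row.get(c.category, "")), c.value) for c in flt.conditions]
    if flt.match == "All":
        return all(results)
    if flt.match == "Any":
        return any(results)
    raise ValueError(f"unknown outer criterion {flt.match!r}")


def run_filter(rows: list, flt: AdvancedFilter) -> list:
    """Return the Endpoint IDs of the rows the filter keeps, in report order."""
    return [row["Endpoint ID"] for row in rows if row_matches(row, flt)]


# Constructed sample rows for a single-section report (placeholder MACs and groups).
SAMPLE_ROWS = [
    {"Endpoint ID": "AA:BB:CC:00:01:00", "Identity Group": "Workstation", "Logged At": datetime(2019, 5, 4, 8, 0)},
    {"Endpoint ID": "AA:BB:CC:00:02:00", "Identity Group": "Printer", "Logged At": datetime(2019, 5, 4, 9, 30)},
    {"Endpoint ID": "AA:BB:DD:00:03:00", "Identity Group": "Workstation", "Logged At": datetime(2019, 5, 5, 10, 0)},
    {"Endpoint ID": "AA:BB:DD:00:04:00", "Identity Group": "Guest", "Logged At": datetime(2019, 5, 6, 11, 0)},
]

# All: endpoints from one OUI that are not printers.
ALL_FILTER = AdvancedFilter("All", [
    Condition("Endpoint ID", "Begins With", "AA:BB:CC"),
    Condition("Identity Group", "Does Not Contain", "Printer"),
])
# Any: guests or printers, but only within a custom two-day window.
ANY_FILTER = AdvancedFilter("Any", [
    Condition("Identity Group", "Contains", "Guest"),
    Condition("Identity Group", "Contains", "Printer"),
], logged_from=datetime(2019, 5, 5), logged_to=datetime(2019, 5, 7))

if __name__ == "__main__":
    print("All :", run_filter(SAMPLE_ROWS, ALL_FILTER))
    print("Any :", run_filter(SAMPLE_ROWS, ANY_FILTER))
```

The time range is applied before the conditions regardless of All or Any, which is why the printer row from 4 May is excluded from the second result even though it satisfies one of the Any conditions.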

Run and View Reports

This section describes how to run, view, and navigate reports using Reports View. When you click a report, by default, data for the last seven days is generated. Each report displays 500 rows of data per page. You can specify time increments over which to display data in a report.

Procedure


Step 1

Choose Operations > Reports > ISE Reports.

You can also navigate to the Reports link under each work center to view the set of reports specific to that work center.

Step 2

Click a report from the report categories available.

Step 3

Select one or more filters to run a report. Each report has different filters available, of which some are mandatory and some are optional.

Step 4

Enter an appropriate value for the filters.

Step 5

Click Go.


Reports Navigation

You can get detailed information from the report output. For example, if you have generated a report for a period of five months, the graph and table list the aggregate data for the report on a scale of months.

You can click a particular value from the table to see another report related to this particular field. For example, an authentication summary report will display the failed count for the user or user group. When you click the failed count, an authentication summary report is opened for that particular failed count.

Export Reports

You can export report data in the following file formats:

  • Excel spreadsheet as a Comma Separated Values (.csv) file. After you export the data, you will receive an email detailing the location of the report.

  • Microsoft Excel Comma Separated Values (.csv) file that can be saved to a local disk.

  • Adobe Acrobat Document (.pdf) file that can be saved to a local disk.


Note

You can export 5000 records for Microsoft Excel and 1000 records for PDF file formats.

You can only export the PDF file format of the following reports:

  • Authentication Summary

  • Health Summary

  • RBACL Drop Summary

    Note

    Flows for RBACL dropped packets are available only with the Cisco Catalyst 6500 series switches.

  • Guest Sponsor summary

  • Endpoint Profile Changes

  • Network Device Session Status


Note

To view non-English characters correctly after exporting a report, you must import the file into Microsoft Excel with UTF-8 character encoding enabled. If you open the exported .csv file directly in Microsoft Excel without enabling UTF-8 character encoding, the non-English characters in the report appear garbled.

Note

You can export report data to a .csv format only from the Primary PAN.

Procedure


Step 1

Run a report, as described in the Run and View Reports section.

Step 2

Click Export To in the top right-hand corner of the report summary page.

Step 3

Specify the data columns that you want to export.

Step 4

Choose a repository from the drop-down list.

Step 5

Click Export.


Schedule and Save Cisco ISE Reports

You can customize a report and save the changes as a new report, or restore the default report settings in My Reports at the top right corner of the report summary page.

You can also customize and schedule Cisco ISE reports to run and re-run at a specific time or at time intervals. You can also send and receive email notifications for the reports generated.

When scheduling reports with Hourly frequency, you can have the report run over multiple days, but the timeframe cannot spread across two days.

For example, when scheduling an hourly report from May 4, 2019, to May 8, 2019, you can set the time interval as between 6:00 a.m. and 11:00 p.m. each day, but not between 6:00 p.m. of one day and 11:00 a.m. of the next. Cisco ISE displays an error message that the time range is invalid in the latter case.


Note

If an external administrator (for example, an Active Directory administrator) creates a scheduled report without filling in the email-id field, no email notifications are sent.


You cannot schedule the following reports:

  • Authentication Summary

  • Health Summary

  • RBACL Drop Summary

  • Guest Sponsor summary

  • Endpoint Profile Changes

  • Network Device Session Status


Note

You can save or schedule (customize) Cisco ISE reports only from the PAN.


Procedure


Step 1

Run a report as described in the Run and View Reports section.

Step 2

Click My Reports in the top right-hand corner of the report summary page.

Step 3

Enter the required details in the dialog box.

Step 4

Click Save as New.


When you go back to a saved report, all the filter options are checked by default. Uncheck the filters that you do not wish to use.

You can also remove a saved report from My Reports category.

Cisco ISE Active RADIUS Sessions

Cisco ISE provides a dynamic Change of Authorization (CoA) feature for the Live Sessions that allows you to dynamically control active RADIUS sessions. You can send reauthenticate or disconnect requests to a Network Access Device (NAD) to perform the following tasks:

  • Troubleshoot issues related to authentication—You can use the Session reauthentication option to attempt reauthentication. However, you must not use this option to restrict access. To restrict access, use the shutdown option.

  • Block a problematic host—You can use the Session termination with port shutdown option to block an infected host that sends a lot of traffic over the network. However, the RADIUS protocol does not currently support a method for re-enabling a port that has been shut down.

  • Force endpoints to reacquire IP addresses—You can use the Session termination with port bounce option for endpoints that do not have a supplicant or client to generate a DHCP request after a VLAN change.

  • Push an updated authorization policy to an endpoint—You can use the Session reauthentication option to enforce an updated policy configuration, such as a change in the authorization policy on existing sessions based on the discretion of the administrator. For example, if posture validation is enabled, when an endpoint gains access initially, it is usually quarantined. After the identity and posture of the endpoint are known, it is possible to send the Session reauthentication command to the endpoint for the endpoint to acquire the actual authorization policy based on its posture.

For CoA commands to be understood by the device, it is important that you configure the options appropriately.

For CoA to work properly, you must configure the shared secret of each device that requires a dynamic change of authorization. Cisco ISE uses the shared secret configuration to request access from the device and issue CoA commands to it.


Note

In this release of Cisco ISE, the maximum number of active authenticated endpoint sessions that can be displayed is limited to 100,000.


Change Authorization for RADIUS Sessions

Some Network Access Devices on your network may not send an Accounting Stop or Accounting Off packet after a reload. As a result, you might find two sessions in the Session Directory reports, one which has expired.

To dynamically change the authorization of an active RADIUS session or disconnect an active RADIUS session, be sure to choose the most recent session.

Procedure


Step 1

Choose Operations > RADIUS Livelog.

Step 2

Switch the view to Show Live Session.

Step 3

Click the CoA link for the RADIUS session for which you want to issue CoA, and choose one of the following options:

  • SAnet Session Query—Use this to query information about sessions from SAnet supported devices.

  • Session reauthentication—Reauthenticate the session. If you select this option for a session established on an ASA device that supports CoA, this invokes a Session Policy Push CoA.

  • Session reauthentication with last—Use the last successful authentication method for this session.

  • Session reauthentication with rerun—Run through the configured authentication method from the beginning.

    Note

    Session reauthentication with last and Session reauthentication with rerun options are not currently supported in Cisco IOS software.

  • Session termination—Just end the session. The switch reauthenticates the client in a different session.

  • Session termination with port bounce—Terminate the session and restart the port.

  • Session termination with port shutdown—Terminate the session and shut down the port.

Step 4

Click Run to issue CoA with the selected reauthenticate or terminate option.

If your CoA fails, it could be one of the following reasons:

  • Device does not support CoA.

  • Changes have occurred to the identity or authorization policy.

  • There is a shared secret mismatch.
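The shared secret requirement stated under Cisco ISE Active RADIUS Sessions and the "shared secret mismatch" failure reason listed above are two sides of the same check, which this added example (my own code, not Cisco ISE's or any NAD's implementation) makes visible. It encodes a Disconnect-Request or CoA-Request in the RADIUS packet layout and computes the Request Authenticator as RFC 5176 specifies, MD5 over Code + Identifier + Length + 16 zero octets + Attributes + shared secret, then performs the receiving side's verification: a device that recomputes the authenticator with a different secret gets a mismatch and discards the request, which from the ISE side simply looks like a failed CoA. The secret, user name, NAS IP and session ID are constructed placeholders; nothing is sent on the network.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes for the two dynamic-authorization request types.
DISCONNECT_REQUEST = 40
COA_REQUEST = 43
# RADIUS attribute types (RFC 2865/2866) commonly used to identify the session.
USER_NAME = 1
NAS_IP_ADDRESS = 4
ACCT_SESSION_ID = 44


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    if not 0 <= attr_type <= 255 or len(value) > 253:
        raise ValueError("attribute type or value length out of range")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_ipv4(dotted: str) -> bytes:
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {dotted}")
    return bytes(octets)


def request_authenticator(header: bytes, attributes: bytes, secret: bytes) -> bytes:
    """RFC 5176 section 3 (as for RFC 2866 Accounting-Request):
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    return hashlib.md5(header + bytes(16) + attributes + secret).digest()


def build_request(code: int, identifier: int, attributes: bytes, secret: bytes) -> bytes:
    """Encode a complete request packet: 4-byte header, 16-byte authenticator, attributes."""
    if code not in (DISCONNECT_REQUEST, COA_REQUEST):
        raise ValueError("code must be Disconnect-Request (40) or CoA-Request (43)")
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return header + request_authenticator(header, attributes, secret) + attributes


def verify_request(packet: bytes, secret: bytes) -> bool:
    """What the NAD does on receipt: recompute the authenticator with its own copy of the secret."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False
    expected = request_authenticator(packet[:4], packet[20:], secret)
    # Constant-time comparison so the verifier does not leak how many bytes matched.
    return hmac.compare_digest(packet[4:20], expected)


def decode_attributes(data: bytes) -> list:
    """Walk the TLV list, rejecting truncated or zero-progress attributes."""
    attrs = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


# Constructed sample: identify one session (placeholder secret, user, NAS IP and session ID).
SECRET = b"constructed-shared-secret"
SESSION_ATTRIBUTES = (
    encode_attribute(USER_NAME, b"alice")
    + encode_attribute(NAS_IP_ADDRESS, encode_ipv4("10.1.1.1"))
    + encode_attribute(ACCT_SESSION_ID, b"0A0101010000001A")
)

if __name__ == "__main__":
    pkt = build_request(DISCONNECT_REQUEST, 7, SESSION_ATTRIBUTES, SECRET)
    print("packet:", pkt.hex())
    print("NAD with the same secret accepts:", verify_request(pkt, SECRET))
    print("NAD with a different secret accepts:", verify_request(pkt, b"wrong-secret"))
```

Because the authenticator covers the attributes as well as the secret, any change to the session identifiers in transit also fails verification; when a CoA fails, comparing the secret configured for the device in Cisco ISE with the one on the device itself is the first thing to check.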


Available Reports

The following table lists the preconfigured reports, grouped according to their category. For each report, the entry gives the Report Name, a Description of the report, and, where applicable, the Logging Category that must be enabled for it.

Report Name / Description / Logging Category

Category: Audit

Adaptive Network Control Audit

The Adaptive Network Control Audit report is based on the RADIUS accounting. It displays historical reporting of all network sessions for each endpoint.

Choose Administration > System > Logging > Logging Categories and select Passed Authentications and RADIUS Accounting.

Administrator Logins

The Administrator Logins report provides information about all GUI-based administrator login events as well as successful CLI login events.

Choose Administration > System > Logging > Logging Categories and select Administrative and Operational Audit.

Change Configuration Audit

The Change Configuration Audit report provides details about configuration changes within a specified time period. If you need to troubleshoot a feature, this report can help you determine if a recent configuration change contributed to the problem.

Choose Administration > System > Logging > Logging Categories and select Administrative and Operational Audit.

Data Purging Audit

The Data Purging Audit report records when the logging data is purged.

This report reflects two sources of data purging.

At 4 AM daily, Cisco ISE checks whether there are any logging files that meet the criteria you have set on the Administration > Maintenance > Data Purging page. If so, the files are deleted and recorded in this report. Additionally, Cisco ISE continually maintains a maximum of 80% used storage space for the log files. Every hour, Cisco ISE verifies this percentage and deletes the oldest data until it reaches the 80% threshold again. This information is also recorded in this report.

If there is high disk space utilization, an alert message stating "ISE Monitor node(s) is about to exceed the maximum amount allocated" is displayed at the 80 percent threshold. Subsequently, an alert message stating "ISE Monitor node(s) has exceeded the maximum amount allocated" is displayed at the 90 percent threshold.

Endpoints Purge Activities

The Endpoints Purge Activities report enables you to review the history of endpoint purge activities. This report requires that the Profiler logging category is enabled. It is enabled by default.

Choose Administration > System > Logging > Logging Categories and select Profiler.

Internal Administrator Summary

The Internal Administrator Summary report enables you to verify the entitlement of administrator users. From this report, you can also access the Administrator Logins and Change Configuration Audit reports, which enable you to view these details for each administrator.

Operations Audit

The Operations Audit report provides details about any operational changes, such as running backups, registering a Cisco ISE node, or restarting an application.

Choose Administration > System > Logging > Logging Categories and select Administrative and Operational Audit.

pxGrid Administrator Audit

The pxGrid Administrator Audit report provides the details of the pxGrid administration actions such as client registration, client deregistration, client approval, topic creation, topic deletion, publisher-subscriber addition, and publisher-subscriber deletion on the Primary PAN.

Every record has the administrator name who has performed the action on the node.

You can filter the pxGrid Administrator Audit report based on the administrator and message criteria.

Secure Communications Audit

The Secure Communications Audit report provides auditing details about security-related events in Cisco ISE Admin CLI, which includes authentication failures, possible break-in attempts, SSH logins, failed passwords, SSH logouts, invalid user accounts, and so on.

User Change Password Audit

The User Change Password Audit report provides verification of employees' password changes.

Administrative and Operational Audit

Category: Device Administration

Authentication Summary

The TACACS Authentication Summary report provides details about the most common authentications and the reason for any authentication failures.

TACACS Accounting

The TACACS Accounting report provides accounting details for a device session. It displays the generated and logged times for users and devices.

Choose Administration > System > Logging > Logging Categories and select TACACS Accounting.

Top N Authentication by Failure Reason

The Top N Authentication by Failure Reason report displays the total number of authentications by failure reason for the specific period based on the selected parameters.

Top N Authentication by Network Device

The Top N Authentication by Network Device report displays the number of passed and failed authentications by the network device name for the specific period based on the selected parameters.

Top N Authentication by User

The Top N Authentication by User report displays the number of passed and failed authentications by the user name for the specific period based on the selected parameters.

Diagnostics

AAA Diagnostics

The AAA Diagnostics report provides details of all network sessions between Cisco ISE and users. If users cannot access the network, you can review this report to identify trends and identify whether the issue is isolated to a particular user or indicative of a more widespread problem.

Note 
Sometimes ISE will silently drop the Accounting Stop request of an endpoint if user authentication is in progress. However, ISE starts acknowledging all accounting requests once the user authentication is completed.

Choose Administration > System > Logging > Logging Categories and select these logging categories: Policy Diagnostics, Identity Stores Diagnostics, Authentication Flow Diagnostics, and RADIUS Diagnostics.

AD Connector Operations

The AD Connector Operations report provides a log of the operations performed by the AD Connector, such as Cisco ISE server password refresh, Kerberos ticket management, DNS queries, DC discovery, and LDAP and RPC connection management.

If some AD failures are encountered, you can review the details in this report to identify the possible causes.

Choose Administration > System > Logging > Logging Categories and select AD Connector.

Endpoint Profile Changes


Health Summary

The Health Summary report provides details similar to the Dashboard. However, the Dashboard only displays data for the past 24 hours, and you can review more historical data using this report.

You can evaluate this data to see consistent patterns in data. For example, you would expect heavier CPU usage when most employees start their work days. If you see inconsistencies in these trends, you can identify potential problems.

The CPU Usage table lists the percentage of CPU usage for the different Cisco ISE functions. The output of the show cpu usage CLI command is presented in this table and you can correlate these values with the issues in your deployment to identify possible causes.

ISE Counters

The ISE Counters report lists the threshold values for various attributes. The values for these attributes are collected at different intervals and presented in two tables: one for attributes collected at a five-minute interval and another for attributes collected at intervals greater than five minutes.

You can evaluate this data to see the trend and if you find values that are higher than the threshold, you can correlate this information with the issues in your deployment to identify possible causes.

Cisco ISE, by default, collects the values for these attributes. You can choose to disable this data collection from the Cisco ISE CLI using the application configure ise command. Choose option 14 to enable or disable counter attribute collection.

Key Performance Metrics

The Key Performance Metrics report provides statistical information about the number of endpoints that connect to your deployment and the amount of RADIUS requests that are processed by each of the PSNs on an hourly basis. This report lists the average load on the server, average latency per request, and the average transactions per second.

Misconfigured NAS

The Misconfigured NAS report provides information about NADs with an inaccurate accounting frequency, typically NADs that send accounting information too frequently. If you have taken corrective action and fixed the misconfigured NADs, the report displays a fixed acknowledgment.

Note 
RADIUS Suppression should be enabled to run this report.

Misconfigured Supplicants

The Misconfigured Supplicants report provides a list of misconfigured supplicants along with statistics about the failed attempts made by each supplicant. If you have taken corrective action and fixed the misconfigured supplicant, the report displays a fixed acknowledgment.

Note 
RADIUS Suppression should be enabled to run this report.

Network Device Session Status

The Network Device Session Status Summary report enables you to display the switch configuration without logging into the switch directly.

Cisco ISE accesses these details using an SNMP query and requires that your network devices are configured with SNMP v1/v2c.

If a user is experiencing network issues, this report can help you identify if the issue is related to the switch configuration rather than with Cisco ISE.

OCSP Monitoring

The OCSP Monitoring report specifies the status of the Online Certificate Status Protocol (OCSP) services. It identifies whether Cisco ISE can successfully contact a certificate server and provides certificate status auditing. It summarizes all the OCSP certificate validation operations performed by Cisco ISE, and it retrieves information about good and revoked primary and secondary certificates from the OCSP server. Cisco ISE caches the responses and uses them to generate subsequent OCSP Monitoring reports. If the cache is cleared, Cisco ISE retrieves the information from the OCSP server again.

Choose Administration > System > Logging > Logging Categories and select System Diagnostics.

RADIUS Errors

The RADIUS Errors report enables you to check for RADIUS Requests Dropped (authentication/accounting requests discarded from unknown Network Access Device), EAP connection time outs, and unknown NADs.

Note 

You can view the report only for the past 5 days.

Choose Administration > System > Logging > Logging Categories and select Failed Attempts.

System Diagnostics

The System Diagnostic report provides details about the status of the Cisco ISE nodes. If a Cisco ISE node is unable to register, you can review this report to troubleshoot the issue.

This report requires that you first enable several diagnostic logging categories. Collecting these logs can negatively impact Cisco ISE performance, so these categories are not enabled by default, and you should enable them only long enough to collect the data. If you do not disable them yourself, they are automatically disabled after 30 minutes.

Choose Administration > System > Logging > Logging Categories and select these logging categories: Internal Operations Diagnostics, Distributed Management, Administrator Authentication and Authorization.

Endpoints and Users

Authentication Summary

The Authentication Summary report is based on the RADIUS authentications. It enables you to identify the most common authentications and the reason for any authentication failures. For example, if one Cisco ISE server is handling significantly more authentications than others, you might want to reassign users to different Cisco ISE servers to better balance the load.

Note 
As the Authentication Summary report or dashboard collects and displays the latest data corresponding to failed or passed authentications, the contents of the report appear after a delay of a few minutes.

Client Provisioning

The Client Provisioning report indicates the client provisioning agents applied to particular endpoints. You can use this report to verify the policies applied to each endpoint to verify whether the endpoints have been correctly provisioned.

Note 
The MAC address of an endpoint is not displayed in the Endpoint ID column if the endpoint does not connect with ISE (no session is established) or if a Network Address Translation (NAT) address is used for the session.

Choose Administration > System > Logging > Logging Categories and select Posture and Client Provisioning Audit and Posture and Client Provisioning Diagnostics.

Current Active Sessions

The Current Active Sessions report enables you to export a report with details about who was currently on the network within a specified time period.

If a user isn't getting network access, you can see whether the session is authenticated or terminated or if there is another problem with the session.

External Mobile Device Management

The External Mobile Device Management report provides details about integration between Cisco ISE and the external Mobile Device Management (MDM) server.

You can use this report to see which endpoints have been provisioned by the MDM server without logging into the MDM server directly. It also displays information such as registration and MDM-compliance status.

Choose Administration > System > Logging > Logging Categories and select MDM.

Passive ID

The Passive ID report enables you to monitor the state of the WMI connection to the domain controller and gather statistics related to it, such as the number of notifications received and the number of user logins and logouts per second.

Note 

Sessions authenticated by this method do not have authentication details in the report.

Choose Administration > System > Logging > Logging Categories and select Identity Mapping.

Manual Certificate Provisioning

The Manual Certificate Provisioning report lists all the certificates that are provisioned manually via the certificate provisioning portal.

Posture Assessment by Condition

The Posture Assessment by Condition report enables you to view records based on the posture policy condition configured in ISE to validate that the most up-to-date security settings or applications are available on client machines.

Posture Assessment by Endpoint

The Posture Assessment by Endpoint report provides detailed information, such as the time, status, and PRA Action, of an endpoint. You can click Details to view further information of an endpoint.

Note 
The Posture Assessment by Endpoint report does not provide posture policy details of applications and hardware attributes of an endpoint. You can view this information only in the Context Visibility page.

Profiled Endpoints Summary

The Profiled Endpoints Summary report provides profiling details about endpoints that are accessing the network.

Note 
For endpoints that do not register a session time, such as a Cisco IP-Phone, the term Not Applicable is shown in the Endpoint session time field.

Choose Administration > System > Logging > Logging Categories and select Profiler.

RADIUS Accounting

The RADIUS Accounting report identifies how long users have been on the network. If users are losing network access, you can use this report to identify whether Cisco ISE is the cause of the network connectivity issues.

Note 

RADIUS accounting interim updates are included in the RADIUS Accounting report if the interim updates contain information about changes to the IPv4 or IPv6 addresses for the given sessions.

Choose Administration > System > Logging > Logging Categories and select RADIUS Accounting.

RADIUS Authentications

The RADIUS Authentications report enables you to review the history of authentication failures and successes. If users cannot access the network, you can review the details in this report to identify possible causes.

Choose Administration > System > Logging > Logging Categories and select these logging categories: Passed Authentications and Failed Attempts.

Registered Endpoints

The Registered Endpoints report displays all personal devices registered by employees.

Rejected Endpoints

The Rejected Endpoints report lists all rejected or released personal devices that are registered by employees. The data for this report will be available only when you install the Plus license.

Supplicant Provisioning

The Supplicant Provisioning report provides details about the supplicants provisioned to employees' personal devices.

Choose Administration > System > Logging > Logging Categories and select Posture and Client Provisioning Audit.

Top Authorizations by Endpoint

The Top Authorization by Endpoint (MAC address) report displays how many times each endpoint MAC address was authorized by Cisco ISE to access the network.

Choose Administration > System > Logging > Logging Categories and select Passed Authentications and Failed Attempts.

Top Authorizations by User

The Top Authorization by User report displays how many times each user was authorized by Cisco ISE to access the network.

Choose Administration > System > Logging > Logging Categories and select Passed Authentications and Failed Attempts.

Top N Authentication by Access Service

The Top N Authentication by Access Service report displays the number of passed and failed authentications by the access service type for the specific period based on the selected parameters.

Top N Authentication by Failure Reason

The Top N Authentication by Failure Reason report displays the total number of authentications by failure reason for the specific period based on the selected parameters.

Top N Authentication by Network Device

The Top N Authentication by Network Device report displays the number of passed and failed authentications by the network device name for the specific period based on the selected parameters.

Top N Authentication by User

The Top N Authentication by User report displays the number of passed and failed authentications by the user name for the specific period based on the selected parameters.

Guest

AUP Acceptance Status

The AUP Acceptance Status report provides details of AUP acceptances from all the Guest portals.

Choose Administration > System > Logging > Logging Categories and select Guest.

Guest Accounting

The Guest Accounting report is a subset of the RADIUS Accounting report. All users assigned to the Activated Guest or Guest identity groups appear in this report.

Master Guest Report

The Master Guest Report combines data from various Guest Access reports and enables you to export data from different reporting sources. The Master Guest report also provides details about the websites that guest users are visiting. You can use this report for security auditing purposes to demonstrate when guest users accessed the network and what they did on it.

You must also enable HTTP inspection on the network access device (NAD) used for guest traffic. This information is sent back to Cisco ISE by the NAD.

To check when the clients reach the maximum simultaneous sessions limit, from the Admin portal, choose Administration > System > Logging > Logging Categories and do the following:

  1. Increase the log level of "Authentication Flow Diagnostics" logging category from WARN to INFO.

  2. Change LogCollector Target from Available to Selected under the "Logging Category" of AAA Diagnostics.

Choose Administration > System > Logging > Logging Categories and select Passed Authentications.

My Devices Login and Audit

The My Devices Login and Audit report provides details about the login activities and the operations performed by the users on the devices in My Devices Portal.

Choose Administration > System > Logging > Logging Categories and select My Devices.

Sponsor Login and Audit

The Sponsor Login and Audit report provides details of guest users' login, add, delete, enable, suspend and update operations and the login activities of the sponsors at the sponsors portal.

If guest users are added in bulk, they are visible under the column 'Guest Users.' This column is hidden by default. On export, these bulk users are also present in the exported file.

Choose Administration > System > Logging > Logging Categories and select Guest.

SXP

SXP Binding

The SXP Binding report provides information about the IP-SGT bindings that are exchanged over SXP connection.

SXP Connection

You can use this report to monitor the status of an SXP connection and gather information related to it, such as peer IP, SXP node IP, VPN name, SXP mode, and so on.

Trustsec

RBACL Drop Summary

The RBACL Drop Summary report is specific to the TrustSec feature, which is available only with an Advanced Cisco ISE license.

This report also requires that you configure the network devices to send NetFlow events for dropped events to Cisco ISE.

If a user violates a particular policy or access, packets are dropped and indicated in this report.

Note 
Flows for RBACL dropped packets are available only with the Cisco Catalyst 6500 series switches.

Top N RBACL Drops By User

The Top N RBACL Drops By User report is specific to the TrustSec feature, which is available only with an Advanced Cisco ISE license.

This report also requires that you configure the network devices to send NetFlow events for dropped events to Cisco ISE.

This report displays policy violations (based on packet drops) by specific users.

Note 
Flows for RBACL dropped packets are available only with the Cisco Catalyst 6500 series switches.

TrustSec ACI

This report lists the SGTs and SXP mappings that are synchronized with the IEPGs, EEPGs, endpoints, and subnet configuration of APIC. These details are displayed only if the TrustSec APIC integration feature is enabled.

TrustSec Deployment Verification

You can use this report to verify whether the latest TrustSec policies are deployed on all network devices or if there are any discrepancies between the policies configured in Cisco ISE and the network devices.

Click the Details icon to view the results of the verification process. You can view the following details:

  • When the verification process started and completed

  • Whether the latest TrustSec policies are successfully deployed on the network devices. You can also view the names and IP addresses of the network devices on which the latest TrustSec policies are deployed.

  • Whether there are any discrepancies between the policies configured in Cisco ISE and the network devices. The report displays the device name, IP address, and the corresponding error message for each policy difference.

You can view the TrustSec Deployment Verification alarms in the Alarms dashlet (under Work Centers > TrustSec > Dashboard and Home > Summary).

Note 
  • The time taken for reporting depends on the number of network devices and TrustSec groups in your deployment.

  • The error message length in the TrustSec Deployment Verification report is currently limited to 480 characters. Error messages with more than 480 characters will be truncated and only the first 480 characters will be displayed in the report.

Trustsec Policy Download

This report lists the requests sent by the network devices for policy (SGT/SGACL) download and the details sent by ISE. If the Workflow mode is enabled, the requests can be filtered for production or staging matrix.

To view this report, you must do the following:
  1. Choose Administration > System > Logging > Logging Categories.

  2. Choose AAA Diagnostics > RADIUS Diagnostics.

  3. Set the Log Severity Level to DEBUG for RADIUS Diagnostics.

Threat Centric NAC Service

Adapter Status

The Adapter Status report displays the status of the threat and vulnerability adapters.

COA Events

When a vulnerability event is received for an endpoint, Cisco ISE triggers CoA for that endpoint. The CoA Events report displays the status of these CoA events. It also displays the old and new authorization rules and the profile details for these endpoints.

Threat Events

The Threat Events report provides a list of all the threat events that Cisco ISE receives from the various adapters that you have configured.

Vulnerability Assessment

The Vulnerability Assessment report provides information about the assessments that are happening for your endpoints. You can view this report to check if the assessment is happening based on the configured policy.

RADIUS Live Logs

The following table describes the fields in the RADIUS Live logs page, which displays the recent RADIUS authentications. The navigation path for this page is: Operations > RADIUS > Live Logs. You can view the RADIUS live logs only in the Primary PAN.

Table 5. RADIUS Live Logs

Options

Usage Guidelines

Time

Shows the time that the log was received by the monitoring and troubleshooting collection agent. This column is required and cannot be deselected.

Status

Shows if the authentication was successful or a failure. This column is required and cannot be deselected. Green is used to represent passed authentications. Red is used to represent failed authentications.

Details

Clicking the icon under the Details column opens the Authentication Detail Report in a new browser window. This report offers information about authentication and related attributes, and the authentication flow. In the Authentication Details box, Response Time is the total time it takes Cisco ISE to process the authentication flow. For example, if an authentication consists of three round-trip messages, which took 300 ms for the initial message, 150 ms for the next message, and 100 ms for the last, Response Time is 300 + 150 + 100 = 550 ms.

Note 

You cannot view the details for endpoints that are active for more than 48 hours. You might see a page with the following message when you click the Details icon for endpoints that are active for more than 48 hours: No Data available for this record. Either the data is purged or authentication for this session record happened a week ago. Or if this is a 'PassiveID' or 'PassiveID Visibility' session, it will not have authentication details on ISE but only the session.

Repeat Count

Shows the number of times the authentication request was repeated in the last 24 hours without any change in the context of identity, network device, and authorization.

Identity

Shows the logged in username that is associated with the authentication.

If the username is not present in any ID Store, it is displayed as INVALID. If the authentication fails due to any other reason, it is displayed as USERNAME.

Note 

This is applicable only for users. This is not applicable for MAC addresses.

To aid in debugging, you can force Cisco ISE to display invalid usernames. Check the Disclose Invalid Usernames check box under Administration > System > Settings > Protocols > RADIUS > Suppression & Reports > Authentication Details. This option is disabled automatically after 30 minutes.

Endpoint ID

Shows the unique identifier for an endpoint, usually a MAC or IP address.

Endpoint Profile

Shows the type of endpoint that is profiled, for example, profiled to be an iPhone, Android, MacBook, Xbox, and so on.

Authentication Policy

Shows the name of the policy selected for specific authentication.

Authorization Policy

Shows the name of the policy selected for specific authorization.

Authorization Profiles

Shows an authorization profile that was used for authentication.

IP Address

Shows the IP address of the endpoint device.

Network Device

Shows the IP address of the Network Access Device.

Device Port

Shows the port number at which the endpoint is connected.

Identity Group

Shows the identity group that is assigned to the user or endpoint, for which the log was generated.

Posture Status

Shows the status of posture validation and details on the authentication.

Server

Indicates the Policy Service from which the log was generated.

MDM Server Name

Shows the names of the MDM servers.

Event

Shows the event status.

Failure Reason

Shows a detailed reason for failure, if the authentication failed.

Auth Method

Shows the authentication method that is used by the RADIUS protocol, such as Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2), IEEE 802.1X (dot1x), and the like.

Authentication Protocol

Shows the authentication protocol used, such as Protected Extensible Authentication Protocol (PEAP), Extensible Authentication Protocol (EAP), and the like.

Security Group

Shows the group that is identified by the authentication log.

Session ID

Shows the session ID.


Note

In the RADIUS Live Logs and TACACS+ Live Logs details page, a “Queried PIP” entry will appear for the first Attribute for each Policy authorization rule. If all the attributes within the authorization rule are related to a dictionary that was already queried for previous Rules, then no additional “Queried PIP” entry will appear.
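The Repeat Count column above is defined as the number of times an authentication was repeated in the last 24 hours with an unchanged identity, network device, and authorization. The following added example (not Cisco ISE code; the record fields, the 24-hour sliding window, and the threshold in flag_noisy_contexts are assumptions) computes that count over constructed live-log records, showing how a changed authorization profile starts a new context and how older repeats age out of the window.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Window over which repeats are counted (assumed from the "last 24 hours" in the column description).
REPEAT_WINDOW = timedelta(hours=24)


@dataclass(frozen=True)
class AuthRecord:
    """One simplified RADIUS live-log row (constructed; not the ISE record format)."""
    time: datetime
    identity: str
    network_device: str
    authorization_profile: str
    status: str  # "passed" or "failed"


def context_key(rec: AuthRecord):
    """The context that must stay unchanged for a request to count as a repeat."""
    return (rec.identity, rec.network_device, rec.authorization_profile)


def repeat_counts(records):
    """Return [(record, repeat_count), ...] in chronological order.

    repeat_count is the number of earlier records with the same context
    whose timestamp lies within REPEAT_WINDOW before this record.
    """
    ordered = sorted(records, key=lambda r: r.time)  # stable: ties keep input order
    history = defaultdict(list)  # context -> timestamps still inside the window
    result = []
    for rec in ordered:
        times = history[context_key(rec)]
        cutoff = rec.time - REPEAT_WINDOW
        # Age out entries that are now older than the window.
        while times and times[0] < cutoff:
            times.pop(0)
        result.append((rec, len(times)))
        times.append(rec.time)
    return result


def flag_noisy_contexts(records, threshold):
    """Return contexts whose most recent repeat count reaches the threshold.

    A high count for an unchanged context points at an endpoint that keeps
    re-authenticating in a loop; the threshold value is an assumption.
    """
    latest = {}
    for rec, count in repeat_counts(records):
        latest[context_key(rec)] = count
    return sorted(k for k, c in latest.items() if c >= threshold)


# Constructed sample data.
SAMPLE_RECORDS = [
    AuthRecord(datetime(2024, 3, 1, 8, 0), "alice", "sw-floor1", "Employee_Access", "passed"),
    AuthRecord(datetime(2024, 3, 1, 9, 0), "alice", "sw-floor1", "Employee_Access", "passed"),
    # Same user and switch, but a different authorization profile: a new context.
    AuthRecord(datetime(2024, 3, 1, 9, 30), "alice", "sw-floor1", "Quarantine", "passed"),
    # Next day: the 08:00 entry has aged out, the 09:00 entry is still in the window.
    AuthRecord(datetime(2024, 3, 2, 8, 30), "alice", "sw-floor1", "Employee_Access", "passed"),
    AuthRecord(datetime(2024, 3, 1, 8, 0), "bob", "sw-floor1", "Employee_Access", "failed"),
]


if __name__ == "__main__":
    for rec, count in repeat_counts(SAMPLE_RECORDS):
        print(rec.time, rec.identity, rec.authorization_profile, "repeat_count =", count)
```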


You can do the following in the RADIUS Live Logs page:

  • Export the data in csv or pdf format.

  • Show or hide the columns based on your requirements.

  • Filter the data using quick or custom filter. You can also save your filters for later use.

  • Rearrange the columns and adjust the width of the columns.

  • Sort the column values.


Note

All the user customizations will be stored as user preferences.


RADIUS Live Sessions

The following table describes the fields in the RADIUS Live Sessions page, which displays live authentications. The navigation path for this page is: Operations > RADIUS > Live Sessions. You can view the RADIUS live sessions only in the Primary PAN.

Table 6. RADIUS Live Sessions

Field

Description

Initiated

Shows the timestamp when the session was initiated.

Updated

Shows the timestamp when the session was last updated due to any change.

Account Session Time

Shows the time span (in seconds) of a user's session.

Session Status

Shows the current status of the endpoint device.

Action

Click the Actions icon to re-authenticate an active RADIUS session or disconnect an active RADIUS session.

Repeat Count

Shows the number of times the user or endpoint is re-authenticated.

Endpoint ID

Shows the unique identifier for an endpoint, usually a MAC or IP address.

Identity

Shows the username of the endpoint device.

IP Address

Shows the IP address of the endpoint device.

Audit Session ID

Shows a unique session identifier.

Account Session ID

Shows a unique ID provided by the network device.

Endpoint Profile

Shows the endpoint profile for the device.

Posture Status

Shows the status of posture validation and details on the authentication.

Security Group

Shows the group that is identified by the authentication log.

Server

Indicates the Policy Service node from which the log was generated.

Auth Method

Shows the authentication method that is used by the RADIUS protocol, such as Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), IEEE 802.1X (dot1x), and the like.

Authentication Protocol

Shows the authentication protocol used, such as Protected Extensible Authentication Protocol (PEAP), Extensible Authentication Protocol (EAP), and the like.

Authentication Policy

Shows the name of the policy selected for specific authentication.

Authorization Policy

Shows the name of the policy selected for specific authorization.

Authorization Profiles

Shows an authorization profile that was used for authentication.

NAS IP Address

Shows the IP address of the network device.

Device Port

Shows the network device port to which the endpoint is connected.

PRA Action

Shows the periodic reassessment action taken on a client after it is successfully postured for compliance on your network.

ANC Status

Shows the Adaptive Network Control status of a device: Quarantine, Unquarantine, or Shutdown.

WLC Roam

Shows the Boolean value (Y/N) used to track whether an endpoint has been handed off during roaming from one WLC to another. It has the value cisco-av-pair=nas-update=Y or N.

Note 

Cisco ISE relies on nas-update=true attribute from WLC to identify whether the session is in roaming state. When the original WLC sends an accounting stop attribute with nas-update=true, the session is not deleted in ISE to avoid reauthentication. If roaming fails due to some reason, ISE clears the session after 5 days of inactivity.

Packets In

Shows the number of packets received.

Packets Out

Shows the number of packets sent.

Bytes In

Shows the number of bytes received.

Bytes Out

Shows the number of bytes sent.

Session Source

Indicates whether it is a RADIUS session or PassiveID session.

User Domain Name

Shows the registered DNS name of the user.

Host Domain Name

Shows the registered DNS name of the host.

User NetBIOS Name

Shows the NetBIOS name of the user.

Host NetBIOS Name

Shows the NetBIOS name of the host.

License Type

Shows the type of license used—Base, Plus, Apex, or Plus and Apex.

License Details

Shows the license details.

Provider

Endpoint events are learned from different syslog sources. These syslog sources are referred to as providers.

  • Windows Management Instrumentation (WMI)—WMI is a Windows service that provides a common interface and object model to access management information about operating system, devices, applications, and services.

  • Agent—A program that runs on a client on behalf of the client or another program.

  • Syslog—A logging server to which a client sends event messages.

  • REST—A client is authenticated through a terminal server. The TS Agent ID, Source Port Start, Source Port End, and Source First Port values are displayed for this syslog source.

  • Span—Network information is discovered using span probes.

  • DHCP—DHCP event.

  • Endpoint

When two events from different providers are learned from an endpoint session, the providers are displayed as comma-separated values in the live sessions page.

MAC Address

Shows the MAC address of a client.

Endpoint Check Time

Shows the time at which the endpoint was last checked by the endpoint probe.

Endpoint Check Result

Shows the result of an endpoint probe. The possible values are:

  • Unreachable

  • User Logout

  • Active User

Source Port Start

(Values are displayed only for the REST provider) Shows the first port number in a port range.

Source Port End

(Values are displayed only for the REST provider) Shows the last port number in a port range.

Source First Port

(Values are displayed only for the REST provider) Shows the first port allocated by the Terminal Server (TS) Agent.

A Terminal Server (TS) refers to a server or network device that allows multiple endpoints to connect to it without a modem or network interface and facilitates the connection of the multiple endpoints to a LAN. The multiple endpoints appear to have the same IP address, and therefore it is difficult to identify the IP address of a specific user. Consequently, to identify a specific user, a TS Agent is installed on the server, which allocates a port range to each user. This creates an IP address-port-user mapping.

TS Agent ID

(Values are displayed only for the REST provider) Shows the unique identity of the Terminal Server (TS) agent that is installed on an endpoint.

AD User Resolved Identities

(Values are displayed only for AD user) Shows the potential accounts that matched.

AD User Resolved DNs

(Values are displayed only for AD user) Shows the Distinguished Name of the AD user, for example, CN=chris,CN=Users,DC=R1,DC=com.
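The Terminal Server paragraph above describes how the TS Agent's per-user port ranges (Source Port Start and Source Port End on a REST-provider row) turn a shared IP address into an IP address-port-user mapping. The following added example (not Cisco ISE or TS Agent code; the row fields, agent IDs, and sample values are constructed) resolves a source port on a shared IP back to a user and refuses to attribute when two allocations overlap, which is the case an analyst most needs flagged rather than guessed.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations
from typing import Optional


@dataclass(frozen=True)
class TsSessionRow:
    """Fields of one REST-provider live-session row used for attribution (constructed)."""
    ip_address: str
    ts_agent_id: str
    identity: str
    source_port_start: int
    source_port_end: int


def find_overlaps(rows):
    """Return (identity, identity) pairs whose port ranges overlap on the same IP.

    Overlapping allocations make the IP-port-user mapping ambiguous, so they
    are reported rather than silently resolved to one of the users.
    """
    by_ip = defaultdict(list)
    for row in rows:
        by_ip[row.ip_address].append(row)
    overlaps = []
    for ip_rows in by_ip.values():
        for a, b in combinations(ip_rows, 2):
            if a.source_port_start <= b.source_port_end and b.source_port_start <= a.source_port_end:
                overlaps.append((a.identity, b.identity))
    return overlaps


def resolve_user(rows, ip_address: str, source_port: int) -> Optional[str]:
    """Map a (shared IP, source port) pair back to the user the TS Agent allocated it to.

    Returns None when no range matches or when more than one range matches
    (ambiguous), so a caller never attributes traffic to the wrong user.
    """
    matches = [
        row for row in rows
        if row.ip_address == ip_address
        and row.source_port_start <= source_port <= row.source_port_end
    ]
    if len(matches) != 1:
        return None
    return matches[0].identity


# Constructed sample: two terminal servers, one with an overlapping allocation.
SAMPLE_ROWS = [
    TsSessionRow("10.1.1.5", "TS-AGENT-01", "alice", 20000, 20999),
    TsSessionRow("10.1.1.5", "TS-AGENT-01", "bob", 21000, 21999),
    TsSessionRow("10.1.1.5", "TS-AGENT-01", "carol", 21500, 22499),  # overlaps bob's range
    TsSessionRow("10.1.1.9", "TS-AGENT-02", "dave", 30000, 30999),
]


if __name__ == "__main__":
    print("overlapping allocations:", find_overlaps(SAMPLE_ROWS))
    for ip, port in [("10.1.1.5", 20042), ("10.1.1.5", 21700), ("10.1.1.9", 30500)]:
        print(ip, port, "->", resolve_user(SAMPLE_ROWS, ip, port))
```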

TACACS Live Logs

The following table describes the fields in the TACACS Live Logs page, which displays the TACACS+ AAA details. The navigation path for this page is: Operations > TACACS Live Logs. You can view the TACACS live logs only in the Primary PAN.

Table 7. TACACS Live Logs

Fields

Usage Guidelines

Generated Time

Shows the syslog generation time based on when a particular event was triggered.

Logged Time

Shows the time when the syslog was processed and stored by the Monitoring node. This column is required and cannot be deselected.

Status

Shows if the authentication was successful or a failure. This column is required and cannot be deselected. Green is used to represent passed authentications. Red is used to represent failed authentications.

Details

Brings up a report when you click the magnifying glass icon, allowing you to drill down and view more detailed information on the selected authentication scenario. This column is required and cannot be deselected.

Session Key

Shows the session keys (found in the EAP success or EAP failure messages) returned by ISE to the network device.

Username

Shows the user name of the device administrator. This column is required and cannot be deselected.

Type

Consists of two Types—Authentication and Authorization. Shows user names who have passed or failed authentication, authorization, or both. This column is required and cannot be deselected.

Authentication Policy

Shows the name of the policy selected for specific authentication.

Authorization Policy

Shows the name of the policy selected for specific authorization.

ISE Node

Shows the name of the ISE Node through which the access request is processed.

Network Device Name

Shows the name of the network device that sent the access request.

Network Device IP

Shows the IP addresses of network devices whose access requests are processed.

Network Device Groups

Shows the name of the corresponding network device group to which a network device belongs.

Device Type

Shows the Device Type network device group to which the requesting network device belongs.

Location

Shows the Location network device group to which the requesting network device belongs.

Device Port

Shows the device port number through which the access request is made.

Failure Reason

Shows the reason for rejecting an access request made by a network device.

Remote Address

Shows the IP address, MAC address, or any other string that uniquely identifies the end station.

Matched Command Set

Shows the value of the MatchedCommandSet attribute, that is, the command set that authorized the command. The column is empty if the attribute is empty or absent from the syslog, which is the case when no command set matched.

Shell Profile

Shows the privileges that were granted to a device administrator for executing commands on the network device.

You can do the following in the TACACS Live Logs page:

  • Export the data in csv or pdf format.

  • Show or hide the columns based on your requirements.

  • Filter the data using quick or custom filter. You can also save your filters for later use.

  • Rearrange the columns and adjust the width of the columns.

  • Sort the column values.


Note

All the user customizations will be stored as user preferences.
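Because the page can be exported as CSV, the same fields can be triaged offline. The following added example (not part of the original page or of Cisco ISE) parses a constructed CSV export whose header uses the column names from the table above, flags network devices with a burst of failed Authentication entries (the pattern of password guessing against the management plane) and correlates Authentication and Authorization entries by Session Key to show which shell profile and command sets each session received. The header names, the Pass/Fail values in Status, the Session Key format and the shell profile names are assumptions, not taken from a real export.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of a TACACS Live Logs CSV export. Column names follow the
# table on the page; Status values, Session Key format and profile names are
# assumptions made for this example.
SAMPLE_EXPORT = """\
Logged Time,Status,Username,Type,Network Device Name,Network Device IP,Failure Reason,Session Key,Matched Command Set,Shell Profile
2024-01-10 09:00:01,Pass,alice,Authentication,core-sw1,10.0.0.1,,ise-01/1001/1,,
2024-01-10 09:00:02,Pass,alice,Authorization,core-sw1,10.0.0.1,,ise-01/1001/1,,NetAdmin-Priv15
2024-01-10 09:00:05,Pass,alice,Authorization,core-sw1,10.0.0.1,,ise-01/1001/1,PermitShow,
2024-01-10 09:00:09,Fail,alice,Authorization,core-sw1,10.0.0.1,Command not authorized,ise-01/1001/1,,
2024-01-10 09:01:00,Fail,root,Authentication,edge-rtr2,10.0.0.2,Wrong password,ise-01/1002/1,,
2024-01-10 09:01:03,Fail,root,Authentication,edge-rtr2,10.0.0.2,Wrong password,ise-01/1003/1,,
2024-01-10 09:01:06,Fail,admin,Authentication,edge-rtr2,10.0.0.2,User not found,ise-01/1004/1,,
2024-01-10 09:02:00,Pass,bob,Authentication,edge-rtr2,10.0.0.2,,ise-01/1005/1,,
2024-01-10 09:02:01,Pass,bob,Authorization,edge-rtr2,10.0.0.2,,ise-01/1005/1,,ReadOnly-Priv1
"""


def parse_export(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def failed_logins_by_device(rows, threshold=3):
    """Devices with at least `threshold` failed Authentication entries.

    Returns {device: {'count': n, 'usernames': [...], 'reasons': Counter}}.
    Several failures against one device, especially across different user
    names, is the signature of password guessing against a device's CLI.
    """
    per_device = defaultdict(lambda: {"count": 0, "usernames": set(), "reasons": Counter()})
    for r in rows:
        if r["Type"] == "Authentication" and r["Status"] == "Fail":
            d = per_device[r["Network Device Name"]]
            d["count"] += 1
            d["usernames"].add(r["Username"])
            d["reasons"][r["Failure Reason"]] += 1
    return {
        dev: {"count": d["count"], "usernames": sorted(d["usernames"]), "reasons": d["reasons"]}
        for dev, d in per_device.items()
        if d["count"] >= threshold
    }


def sessions(rows):
    """Correlate Authentication and Authorization entries by Session Key.

    For each session: whether authentication passed, the shell profile granted,
    the command sets that matched, and how many per-command authorizations
    failed (Authorization entries with Status Fail and an empty Matched Command Set).
    """
    out = {}
    for r in rows:
        s = out.setdefault(r["Session Key"], {
            "user": r["Username"], "device": r["Network Device Name"],
            "authenticated": False, "shell_profile": "", "command_sets": [], "denied_commands": 0,
        })
        if r["Type"] == "Authentication":
            s["authenticated"] = r["Status"] == "Pass"
        elif r["Type"] == "Authorization":
            if r["Shell Profile"]:
                s["shell_profile"] = r["Shell Profile"]
            if r["Matched Command Set"]:
                s["command_sets"].append(r["Matched Command Set"])
            if r["Status"] == "Fail":
                s["denied_commands"] += 1
    return out


def privileged_sessions(sess, profiles=("NetAdmin-Priv15",)):
    """Session keys that received one of the high-privilege shell profiles (names assumed)."""
    return sorted(k for k, s in sess.items() if s["shell_profile"] in profiles)


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for dev, info in failed_logins_by_device(rows).items():
        print(f"{dev}: {info['count']} failed logins, users={info['usernames']}, reasons={dict(info['reasons'])}")
    for key, s in sessions(rows).items():
        print(key, s)
    print("privileged sessions:", privileged_sessions(sessions(rows)))
```

Run against a real export, the threshold and the list of privileged shell profile names are the two values to tune; the per-session view is also the quickest way to spot a session that authenticated but was then denied every command, which usually means the command sets, not the credentials, are misconfigured.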

Export Summary

You can view the details of the reports exported by all the users in the last 7 days along with the status. The export summary includes both the manual and scheduled reports. The export summary page is automatically refreshed every 2 minutes. Click the Refresh icon to refresh the export summary page manually.

The super admin can cancel any export that is in the Queued or In-progress state. Other users can cancel only the exports that they initiated themselves.

By default, only three manual report exports can run at the same time; any further manual exports are queued until a slot frees up. Scheduled report exports are not subject to this limit.


Note

When the Cisco ISE server is restarted, reports in the Queued state are scheduled again, and reports in the In-progress or Cancellation-in-progress state are marked as Failed.

Note

If the primary MnT node is down, the scheduled report export job will run on secondary MnT node.

The following table describes the fields in the Export Summary page. The navigation path for this page is: Operations > Reports > Export Summary.

Table 8. Export Summary

Field

Description

Report Exported

Displays the name of the report.

Exported By

Shows the role of the user who initiated the export process.

Scheduled

Shows whether the report export is a scheduled one.

Triggered On

Shows the time when the export process has been triggered in the system.

Repository

Displays the name of the repository where the exported data will be stored.

Filter Parameters

Shows the filter parameters selected while exporting the report.

Status

Shows the status of the exported reports. It can be one of the following:

  • Queued

  • In-progress

  • Completed

  • Cancellation-in-progress

  • Cancelled

  • Failed

  • Skipped

Note

The Failed status also shows the reason for the failure. The Skipped status indicates that a scheduled export of reports was skipped because the primary MnT node was down.

You can do the following in the Export Summary page:

  • Show or hide the columns based on your requirements.

  • Filter the data using quick or custom filter. You can also save your filters for later use.

  • Rearrange the columns and adjust the width of the columns.