Monitoring and Troubleshooting Service in Cisco ISE
The Monitoring and Troubleshooting (MnT) service is a comprehensive identity solution for all Cisco ISE run-time services. The Operations menu contains the following components, and can be viewed only from the primary Policy Administration Node (PAN). Note that the Operations menu does not appear in the primary Monitoring node.
- Monitoring: Provides real-time presentation of meaningful data representing the state of access activities on a network. This insight allows you to easily interpret and monitor operational conditions.
- Troubleshooting: Provides contextual guidance for resolving access issues on networks. You can then address user concerns and provide resolution in a timely manner.
- Reporting: Provides a catalog of standard reports that you can use to analyze trends and monitor system performance and network activities. You can customize reports in various ways and save them for future use. You can search records using wild cards and multiple values in all the reports for the Identity, Endpoint ID, and ISE Node fields (except in the Health Summary report).
For a complete list of troubleshooting TechNotes, see ISE Troubleshooting TechNotes.
Open TAC Support Cases
You can now open TAC support cases through Cisco ISE to request support for deployment issues with Cisco ISE. Using the TAC Support Case feature, you can easily raise a support case for specific nodes that you face issues with. Along with the information you provide through the form that is provided on the Support Case Manager (SCM), information such as the serial number of your node and the Cisco ISE version in use are also sent to Cisco TAC.
Note: The Support Case Manager (SCM) feature does not function when Cisco ISE is deployed in an air-gapped environment.
Procedure
Step 1. In the Cisco ISE portal home page, click the question mark icon at the top-right corner.
Step 2. In the Interactive Help menu that is displayed, from the Resources drop-down list, choose TAC Support Cases.
Step 3. From the Node List drop-down in the TAC Support Cases window, choose up to four nodes for which to open a case. The primary PAN and MnT nodes are chosen by default.
Step 4. Click Open A Case. The Support Case Manager opens in a new tab. (Optional) Click Cases List to view the statuses of the TAC cases created in the Support Case Manager.
Step 5. In the SSO Authentication window of the Support Case Manager, log in using your cisco.com credentials. If you are unable to log in, contact Cisco customer support for assistance.
Step 6. Fill in the required details and open a new TAC support case for your Cisco ISE deployment in SCM. We recommend that you open TAC support cases through Support Case Manager (SCM) for assistance and troubleshooting.
Remote Support Authorization
The Remote Support Authorization feature includes two default CLI users, customersuppadmin and customersuppreadonly. By default, these users are disabled.
When Remote Support Authorization is enabled, these users are activated to provide access to the RADKit CLI. When RADKit is disabled, these users are deactivated automatically.
#show users status
USERNAME              ROLE   DISABLED  LOCKED
admin                 Admin
customersuppadmin     Admin  *
customersuppreadonly  User   *
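As an added example (not Cisco ISE code), the following Python helper parses `show users status` output in the column layout shown above and reports the two Remote Support Authorization accounts when they are enabled at a time when no authorization session is expected, which is the state an administrator would want to notice after a RADKit session should have ended. The column offsets and the asterisk marker under DISABLED and LOCKED are assumed from the output above; both sample outputs are constructed, not captured from a node.

```python
"""Audit `show users status` output for the Remote Support Authorization accounts.

Hypothetical helper, not part of Cisco ISE. Assumes the column layout shown in
the doc: USERNAME, ROLE, DISABLED, LOCKED, with an asterisk under DISABLED or
LOCKED marking that state. Column offsets are read from the header line, so the
two asterisk columns are not confused with each other.
"""
from dataclasses import dataclass

# The two CLI users that Remote Support Authorization activates (names from the doc).
REMOTE_SUPPORT_USERS = ("customersuppadmin", "customersuppreadonly")


@dataclass
class UserStatus:
    username: str
    role: str
    disabled: bool
    locked: bool


def parse_show_users_status(output: str) -> list[UserStatus]:
    """Parse the table into UserStatus records, skipping the prompt/command echo."""
    lines = [ln.rstrip() for ln in output.splitlines() if ln.strip()]
    header_idx = next(i for i, ln in enumerate(lines) if ln.startswith("USERNAME"))
    header = lines[header_idx]
    col_disabled = header.index("DISABLED")
    col_locked = header.index("LOCKED")
    users = []
    for ln in lines[header_idx + 1:]:
        fields = ln.split()
        if len(fields) < 2:
            continue  # not a user row
        # A marker belongs to the column whose character span contains it.
        disabled = "*" in ln[col_disabled:col_locked]
        locked = "*" in ln[col_locked:]
        users.append(UserStatus(fields[0], fields[1], disabled, locked))
    return users


def remote_support_findings(users: list[UserStatus], authorization_active: bool) -> list[str]:
    """Report remote-support accounts that are enabled while no authorization session is expected."""
    by_name = {u.username: u for u in users}
    findings = []
    for name in REMOTE_SUPPORT_USERS:
        user = by_name.get(name)
        if user is None:
            findings.append(f"{name}: not present in output")
        elif not user.disabled and not authorization_active:
            state = "locked" if user.locked else "unlocked"
            findings.append(f"{name}: enabled ({user.role}, {state}) with no active Remote Support Authorization")
    return findings


# Constructed sample outputs (not captured from a real node).
SAMPLE_DEFAULT = """\
#show users status
USERNAME              ROLE   DISABLED  LOCKED
admin                 Admin
customersuppadmin     Admin  *
customersuppreadonly  User   *
"""

SAMPLE_ENABLED = """\
#show users status
USERNAME              ROLE   DISABLED  LOCKED
admin                 Admin
customersuppadmin     Admin
customersuppreadonly  User             *
"""

if __name__ == "__main__":
    for label, sample in (("default", SAMPLE_DEFAULT), ("enabled", SAMPLE_ENABLED)):
        findings = remote_support_findings(parse_show_users_status(sample), authorization_active=False)
        print(f"{label}: {findings or 'no findings'}")
```

Feed it the output of `show users status` collected from each node, and pass `authorization_active=True` only while a Remote Support Authorization session is scheduled; any finding outside that window means the accounts did not return to their disabled default.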
This feature is not enabled by default. Follow these steps to enable and configure the Remote Support Authorization service.
Before you begin
- Ensure that you have the required credentials to complete Cisco SSO authentication.
- The Cisco ISE deployment needs to connect to certain URLs. You must add these URLs to the Allowed list on your firewall or proxy for outbound connection. For a list of required URLs and IP addresses, see https://prod.radkit-cloud.cisco.com/endpoints
- This feature requires internet access. If you do not have direct internet access, configure the required proxy settings. For more information, see Configure Proxy Settings on Cisco ISE.
- Your enrollment of the Cisco ISE node to RADKit is done through SSO authentication of the user's email address. After SSO authentication, the RADKit certificate is downloaded to the Cisco ISE node for further encrypted communication between the RADKit cloud and the Cisco ISE node.
The RADKit implementation is the same in both on-prem and cloud environments.
Procedure
Step 1. In the Cisco ISE GUI, click the Menu icon (
Step 2. In the Email field, enter the email ID linked with your Cisco account and click Start Configuration.
Step 3. In the Remote Support Authorization page, click Create a Remote Support Authorization to set up the authorization. The Set up the Authorization page is displayed.
Step 4. In the Cisco Specialist Email Address tab, enter the email ID of the Cisco specialist.
Step 5. In the Access level field, choose Observer (Read-only) to grant read-only access, or Admin (Read-write) to grant full admin access to the Cisco ISE UI or CLI. (Optional) If you have an open service request, enter the service request numbers in the Existing SR numbers field.
Step 6. Click Next. In the Schedule the Access page, specify the time and duration of the access.
Step 7. Click Next.
Step 8. Enter these details in the Access Permission Agreement page:
Step 9. Click Next. A Summary page is displayed with all the details entered in the previous pages. Click the Copy button to copy the information, and provide the service ID displayed on the Summary page to the Cisco specialist.
Step 10. Click Finish. In the Current Authorization page, click Edit to edit the details of the current authorization session, or click Cancel Authorization to cancel the remote support authorization session. Click View Logs to view the UI session audit report for the UI admin user. To view the CLI session audit logs, choose . Download the specific files under the RADKit section to view the session logs. You can see previous authorizations in the Past Authorizations tab of the Remote Support Authorization page.
Disable Remote Support Authorization
Procedure
Step 1. In the Cisco ISE GUI, click the Menu icon (
Step 2. Click Disable to disable the Remote Support Authorization service.
Health Check
Cisco ISE has an on-demand health check option to diagnose all the nodes in your Cisco ISE deployment. Running a health check on all the nodes before any operation helps to reduce the downtime and improve the overall functionality of Cisco ISE system by identifying critical issues, if any. Health Check provides the working status of a component and displays troubleshooting recommendations regarding issues, if any, in your deployment.
| Check | Description |
|---|---|
| Platform Support Check | Checks the supported platforms in the deployment. A platform that does not meet the recommended requirement specification may cause performance issues. Checks for 34xx and other unsupported platform details, and checks that the system has a minimum of a 12-core CPU, a 300-GB hard disk, and 16 GB of memory. |
| Deployment Validation | Checks whether the deployment node state is in sync or in progress. |
| DNS Resolvability | Checks the forward and reverse lookup of the host name and IP address. Both forward and reverse DNS resolution are recommended for the deployment Health Check to function properly. |
| Trust Store Certificate Validation | Checks whether your Trust Store certificates are valid or have expired. Delete or renew unused or expired certificates to ensure optimum Cisco ISE functionality. |
| System Certificate Validation | Checks the system certificate validity for each node. Delete or renew unused or expired certificates to ensure optimum Cisco ISE functionality. |
| Disk Space Check | Checks the hard disk identified in the Platform Support Check and the free space available on the disk for further upgrade procedures. We recommend that you run a Disk Space Check before you begin the upgrade operation to avoid performance issues. |
| NTP Reachability and Time Source Check | Checks the NTP configured in the system and whether the time source is the NTP server. NTP synchronization is essential for Cisco ISE services such as AD operations, upgrade workflows, and so on. |
| Load Average Check | Checks system load at specified intervals. The valid interval configurations are 1, 5, and 15 minutes. Load Average Check failures could lead to performance issues in Cisco ISE. |
| MDM Validation | Checks for connectivity between the configured MDM servers and the Cisco ISE PSN servers. To use the MDM-supported features in Cisco ISE, the MDM Validation Check must be successful. |
| License Validation | Checks whether Smart Licensing is configured and valid. If your smart licenses are not configured or are not valid, a warning is displayed in the Cisco ISE GUI asking you to configure and validate your licenses. Cisco ISE supports only Smart Licensing. Convert your traditional licenses to smart licenses before you upgrade to the latest Cisco ISE release. |
| Services or Process Failures | Checks whether the status of each service or application is Running or Failed. |
| I/O Bandwidth Performance Check | Checks the disk read and write speeds to avoid Cisco ISE performance issues. |
Note: The numbers adjacent to a deployment indicate the number of nodes and their health check progress. For example, if a deployment shows 0/2, 0 indicates the number of nodes whose health check is in the Failed, In Progress, or Completed state, and 2 indicates the number of nodes in the deployment.
Note: During a health check, if any node does not send back a response within 15 minutes, the health check for that node times out.
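The checks in the table above are the kind an administrator would also want to run from a workstation before an upgrade window. The following Python script is an added example, not Cisco's Health Check implementation: it implements the Platform Support, DNS Resolvability, Disk Space, Load Average and certificate validation checks as plain functions that take their inputs as values or callables, so the same code runs against constructed data offline (the `CONSTRUCTED_*` values, labelled as such) or against a live host through the standard-library adapters in `run_live()`. The thresholds of 12 cores, 300 GB disk, 16 GB memory and the 1/5/15-minute load windows come from the table; the per-core load threshold of 1.0, the 30-day certificate warning and the 100 GB free-space requirement are assumptions, as are the host names and addresses in the sample data.

```python
"""Deployment pre-checks modelled on the Cisco ISE Health Check table.

Added example, not Cisco's Health Check code. Each check takes its inputs as
values or callables so it can run against live hosts (see run_live) or against
constructed data (see run_constructed). Table thresholds: 12 cores, 300 GB disk,
16 GB memory, load over 1/5/15 minutes. Assumed: load per core <= 1.0, 30-day
certificate warning, 100 GB minimum free space.
"""
from __future__ import annotations

import os
import shutil
import socket
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable

MIN_CORES, MIN_DISK_GB, MIN_MEMORY_GB = 12, 300, 16
GB = 1024 ** 3


@dataclass
class CheckResult:
    name: str
    passed: bool
    detail: str


def platform_support_check(cores: int, disk_gb: float, memory_gb: float) -> CheckResult:
    """Minimum platform specification from the table."""
    problems = []
    if cores < MIN_CORES:
        problems.append(f"{cores} cores < {MIN_CORES}")
    if disk_gb < MIN_DISK_GB:
        problems.append(f"{disk_gb:.0f} GB disk < {MIN_DISK_GB} GB")
    if memory_gb < MIN_MEMORY_GB:
        problems.append(f"{memory_gb:.0f} GB memory < {MIN_MEMORY_GB} GB")
    return CheckResult("Platform Support Check", not problems,
                       "; ".join(problems) or "meets minimum specification")


def dns_resolvability_check(hostname: str, ip: str, forward: Callable[[str], list[str]],
                            reverse: Callable[[str], str]) -> CheckResult:
    """Forward lookup must contain the node IP and the reverse lookup must return the host name."""
    name = "DNS Resolvability"
    try:
        addresses = forward(hostname)
    except OSError as exc:
        return CheckResult(name, False, f"forward lookup of {hostname} failed: {exc}")
    if ip not in addresses:
        return CheckResult(name, False, f"{hostname} resolves to {addresses}, not {ip}")
    try:
        ptr = reverse(ip)
    except OSError as exc:
        return CheckResult(name, False, f"reverse lookup of {ip} failed: {exc}")
    if ptr.rstrip(".").lower() != hostname.lower():
        return CheckResult(name, False, f"{ip} reverse-resolves to {ptr}, expected {hostname}")
    return CheckResult(name, True, "forward and reverse lookups agree")


def disk_space_check(free_bytes: int, min_free_gb: float) -> CheckResult:
    free_gb = free_bytes / GB
    return CheckResult("Disk Space Check", free_gb >= min_free_gb,
                       f"{free_gb:.1f} GB free, {min_free_gb} GB required")


def load_average_check(loads: tuple[float, float, float], cores: int) -> CheckResult:
    """1/5/15-minute load averages; flag any window where load per core exceeds 1.0 (assumed)."""
    busy = [f"{mins}m={load:.2f}" for mins, load in zip((1, 5, 15), loads) if load / cores > 1.0]
    return CheckResult("Load Average Check", not busy, "; ".join(busy) or "load within capacity")


def certificate_validation_check(name: str, expiry: dict[str, datetime], now: datetime,
                                 warn_days: int = 30) -> CheckResult:
    """Fail on expired certificates and list those expiring within warn_days."""
    expired = [cn for cn, exp in expiry.items() if exp <= now]
    soon = [cn for cn, exp in expiry.items() if now < exp <= now + timedelta(days=warn_days)]
    return CheckResult(name, not expired,
                       f"expired: {expired or 'none'}; expiring within {warn_days} days: {soon or 'none'}")


# Constructed inputs for the offline demonstration (hypothetical names and addresses).
CONSTRUCTED_DNS = {"ise-pan-1.example.net": ["10.0.0.11"], "ise-psn-1.example.net": ["10.0.0.21"]}
CONSTRUCTED_PTR = {"10.0.0.11": "ise-pan-1.example.net", "10.0.0.21": "old-name.example.net"}
CONSTRUCTED_NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
CONSTRUCTED_TRUST_STORE = {
    "Corp Root CA": CONSTRUCTED_NOW + timedelta(days=900),
    "Old Intermediate CA": CONSTRUCTED_NOW - timedelta(days=3),   # expired
    "Guest Portal CA": CONSTRUCTED_NOW + timedelta(days=10),      # expiring soon
}


def constructed_forward(host: str) -> list[str]:
    if host not in CONSTRUCTED_DNS:
        raise OSError(f"NXDOMAIN {host}")
    return CONSTRUCTED_DNS[host]


def constructed_reverse(ip: str) -> str:
    if ip not in CONSTRUCTED_PTR:
        raise OSError(f"no PTR for {ip}")
    return CONSTRUCTED_PTR[ip]


def run_constructed() -> list[CheckResult]:
    """All checks over the constructed data; the PSN reverse lookup is deliberately stale."""
    return [
        platform_support_check(cores=8, disk_gb=600, memory_gb=32),
        dns_resolvability_check("ise-pan-1.example.net", "10.0.0.11", constructed_forward, constructed_reverse),
        dns_resolvability_check("ise-psn-1.example.net", "10.0.0.21", constructed_forward, constructed_reverse),
        disk_space_check(free_bytes=120 * GB, min_free_gb=100),
        load_average_check((4.5, 13.0, 6.0), cores=12),
        certificate_validation_check("Trust Store Certificate Validation", CONSTRUCTED_TRUST_STORE, CONSTRUCTED_NOW),
    ]


def run_live(hostname: str, ip: str) -> list[CheckResult]:
    """The same checks against the local host, using standard-library adapters."""
    return [
        dns_resolvability_check(hostname, ip, lambda h: socket.gethostbyname_ex(h)[2],
                                lambda a: socket.gethostbyaddr(a)[0]),
        disk_space_check(shutil.disk_usage("/").free, min_free_gb=100),
        load_average_check(os.getloadavg(), os.cpu_count() or 1),
    ]


if __name__ == "__main__":
    for result in run_constructed():
        print(f"{'PASS' if result.passed else 'FAIL'}  {result.name}: {result.detail}")
```

Separating the check logic from the data sources is what makes the DNS check testable: the stale PTR record for the PSN fails the reverse lookup even though the forward lookup succeeds, which is the asymmetry the table warns about when it asks for both directions to resolve.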
Run Health Check
Procedure
Step 1. In the Cisco ISE GUI, click the Menu icon (
Step 2. Click Start health checks. An information pop-up window displays the message: Health Checks triggered.
Step 3. Click Ok to view the status.
Step 4. In the Health Checks window, you can view the health status of each component. The following colors indicate the health status of a corresponding Cisco ISE component:
Step 5. Click Download report. A HealthChecksReport.json file is saved on your local system with detailed health status information for your Cisco ISE deployment. After a health check is triggered, the status is retained in the Health Checks window for the next three hours. You cannot run another health check until the Health Checks window is refreshed or has expired.
Network Privilege Framework Event Flow Process
The Network Privilege Framework (NPF) authentication and authorization event flow uses the process described in the following table:
| Process Stage | Description |
|---|---|
| 1 | Network Access Device (NAD) performs either a normal authorization or a flex authorization. |
| 2 | An unknown agentless identity is profiled with web authorization. |
| 3 | A RADIUS server authenticates and authorizes the identity. |
| 4 | Authorization is provisioned for the identity at the port. |
| 5 | Unauthorized endpoint traffic is dropped. |
User Roles and Permissions for Monitoring and Troubleshooting Capabilities
Monitoring and troubleshooting capabilities are associated with default user roles. The tasks you are allowed to perform are directly related to your assigned user role.
See Cisco ISE Administrator Groups for information on the permissions and restrictions set for each user role.
![]() Note |
Accessing Cisco ISE using the root shell without Cisco TAC supervision is not supported, and Cisco is not responsible for any service disruption that might be caused as a result. |
Data Stored in the Monitoring Database
The Cisco ISE monitoring service collects and stores data in a specialized monitoring database. The rate and amount of data utilized to monitor network functions may require a node dedicated solely to monitoring. If your Cisco ISE network collects logging data at a high rate from policy service nodes or network devices, we recommend a Cisco ISE node dedicated to monitoring.
To manage the information stored in the monitoring database, perform full and incremental backups of the database. This includes purging unwanted data and then restoring the database.