Cisco Ise 13 User Guide
Page 691
endpoints to see the session trace information for that endpoint. The following figure shows an example of the session trace information displayed for an endpoint.
Note: The dataset used for search is based on Endpoint ID as indexes. Therefore, when authentication occurs, it is mandatory to have Endpoint IDs for the endpoints for those authentications to include them in the search result set.
Figure 41: Session Trace of an Endpoint
You can use the clickable timeline at the top to see major authorization transitions. You can also export the...
Page 692
You can click on the Endpoint Details link to see more authentication, accounting, and profiler information for a particular endpoint. The following figure shows an example of endpoint details information displayed for an endpoint.
Figure 42: Endpoint Details
Session Removal from the Directory
Sessions are cleaned from the session directory on the Monitoring and Troubleshooting node as follows:
• Terminated sessions are cleaned 15 minutes after termination.
• If there is authentication but no accounting, then such sessions are cleared after one hour....
Page 693
Troubleshoot Network Access Issues
Procedure
Step 1 Choose Operations > Reports > Authentication Summary Report.
Step 2 Filter the report for Failure Reasons.
Step 3 Review the data in the Authentication by Failure Reasons section of the report to troubleshoot your network access problem.
Note: As the Authentication Summary report collects and displays the latest data corresponding to failed or passed authentications, the contents of the report appear after a delay of a few minutes.
Diagnostic Troubleshooting Tools...
Page 694
Troubleshoot Unexpected RADIUS Authentication Results
Procedure
Step 1 Choose Operations > Troubleshoot > Diagnostic Tools > General Tools > RADIUS Authentication Troubleshooting.
Step 2 Specify the search criteria in the fields as needed.
Step 3 Click Search to display the RADIUS authentications that match your search criteria. If you are searching for AD related authentication, and an Active Directory server is not configured in your deployment, a message saying 'AD not configured' is displayed.
Step...
Page 695
Evaluate Configuration Validator Tool
You can use this diagnostic tool to evaluate the configuration of a network device and identify any configuration problems. The Expert Troubleshooter compares the configuration of the device with the standard configuration.
Troubleshoot Network Device Configuration Issues
Procedure
Step 1 Choose Operations > Troubleshoot > Diagnostic Tools > General Tools > Evaluate Configuration Validator.
Step 2 Enter the Network Device IP address of the device whose configuration you want to evaluate, and specify other fields as necessary....
Page 696
TCP Dump Utility to Validate the Incoming Traffic
This tool sniffs packets so that you can verify that an expected packet really reached a node. For example, when there is no incoming authentication or log indicated in the report, you may suspect that there is no incoming traffic or that the incoming traffic cannot reach Cisco ISE. In such cases, you can run this tool to validate.
You can configure the TCP Dump options and then collect data from the network traffic to help you troubleshoot a network issue....
Page 697
Note: Cisco ISE does not support frames greater than 1500 MTU (jumbo frames).
Save a TCP Dump File
Before You Begin
You should have successfully completed the task, as described in the Using TCP Dump to Monitor network Traffic section.
Note: You can also access TCP dump through the Cisco ISE CLI. For more information, refer to the Cisco Identity Services Engine CLI Reference Guide.
Procedure
Step 1 Choose Operations > Troubleshoot > Diagnostic Tools > General Tools > TCP Dump.
Step 2 Choose a Format from the drop-down list. Human Readable is the default.
Step...
Page 698
Process Stage    Description
1    Connects to the device with the IP address that you provided, and obtains the access control lists (ACLs) for each source and destination SGT pair.
2    Checks the egress policy that is configured in Cisco ISE and obtains the ACLs for each source and destination SGT pair.
3    Compares the SGACL policy that is obtained from the network device with the SGACL policy that is obtained from Cisco ISE.
4    Displays the source and destination SGT pair if there is a mismatch. Also, displays the matching entries as additional information.
Troubleshoot Connectivity Issues...
Page 699
Device SGT Tool
For devices that are enabled with the Trustsec solution, each network device is assigned an SGT value through RADIUS authentication. The Device SGT diagnostic tool connects to the network device (with the IP address that you provide) and obtains the network device SGT value. It then checks the RADIUS authentication records to determine the SGT value that was assigned most recently. Finally, it displays the Device-SGT pairs in a tabular format, and identifies whether the SGT values are the same or different.
Troubleshoot Connectivity Issues in a Trustsec-Enabled...
Page 700
• Debug logs—Captures bootstrap, application configuration, run-time, deployment, public key infrastructure (PKI) information and monitoring and reporting.
Debug logs provide troubleshooting information for specific Cisco ISE components. To enable debug logs, see Chapter 11, “Logging”. If you do not enable the debug logs, all the informational messages (INFO) will be included in the support bundle. For more information, see Cisco Debug Logs, on page 655.
• Local logs—Contains syslog messages from the various processes that run on Cisco ISE....