Cisco ISE 1.3 User Guide
Cisco Identity Services Engine Administrator Guide, Release 1.3
Cisco ISE System Logs

Field: pri_num
Description: Priority value of the message; a combination of the facility value and the severity value of the message. Priority value = (facility value * 8) + severity value. See Set Severity Levels for Message Codes for security levels.
The facility code valid options are:
• LOCAL0 (Code = 16)
• LOCAL1 (Code = 17)
• LOCAL2 (Code = 18)
• LOCAL3 (Code = 19)
• LOCAL4 (Code = 20)
• LOCAL5 (Code = 21)
• LOCAL6 (Code = 22; default)
• LOCAL7 (Code = 23)

Field: time
Description: Date of the message generation, according to the local clock of the originating Cisco ISE server, in the format YYYY Mmm DD hh:mm:ss. Possible values are:
• YYYY = Numeric representation of the year.
• Mmm = Representation of the month—Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec.
• DD = Numeric representation of the day of the month. For single-digit days (1 to 9), a space precedes the number.
• hh = The hour of the day—00 to 23.
• mm = The minute of the hour—00 to 59.
• ss = The second of the minute—00 to 59.
Some devices send messages that specify a time zone in the format -/+hhmm, where - and + identify the directional offset from the Cisco ISE server's time zone, hh is the number of offset hours, and mm is the number of minutes of the offset hour. For example, +02:00 indicates that the message occurred at the time indicated by the timestamp, and on a Cisco ISE node that is two hours ahead of the Cisco ISE server's time zone.

Field: xx:xx:xx:xx/host_name
Description: IP address of the originating Cisco ISE node, or the hostname.

Field: cat_name
Description: Logging category name preceded by the CSCOxxx string.

Field: msg_id
Description: Unique message ID; 1 to 4294967295. The message ID increases by 1 with each new message. Message IDs restart at 1 each time the application is restarted.

Field: total_seg
Description: Total number of segments in a log message. Long messages are divided into more than one segment.
Note: The total_seg depends on the Maximum Length setting in the remote logging targets page. See Remote Logging Target Settings.

Field: seg_num
Description: Segment sequence number within a message. Use this number to determine what segment of the message you are viewing.

The syslog message data or payload is the same as the Local Store Syslog Message Format. The remote syslog server targets are identified by the facility code names LOCAL0 to LOCAL7 (LOCAL6 is the default logging location). Log messages that you assign to the remote syslog server are sent to the default location for Linux syslog (/var/log/messages); however, you can configure a different location on the server.

Configure Remote Syslog Collection Locations

You can create external locations to store the syslogs.
The UDP SysLog (Log Collector) is the default remote logging target. When you disable this logging target, it no longer functions as a log collector and is removed from the Logging Categories page. When you enable this logging target, it becomes a log collector in the Logging Categories page.

Procedure
Step 1 Choose Administration > System > Logging > Remote Logging Targets.
Step 2 Click Add.
Step 3 Enter the required details.
Step 4 Click Save.
Step 5 Go to the Remote Logging Targets page and verify the creation of the new target.

The logging targets can then be mapped to each of the logging categories below. The PSN nodes send the relevant logs to the remote logging targets depending on the services that are enabled on those nodes.
• AAA Audit
• AAA Diagnostics
• Accounting
• External MDM
• Passive ID
• Posture and Client Provisioning Audit
• Posture and Client Provisioning Diagnostics
• Profiler

Logs of the following categories are sent by all nodes in the deployment to the logging targets:
• Administrative and Operational Audit
• System Diagnostics
• System Statistics

Cisco ISE Message Codes

A logging category is a bundle of message codes that describe a function, a flow, or a use case. In Cisco ISE, each log is associated with a message code that is bundled with the logging categories according to the log message content. Logging categories help describe the content of the messages that they contain.
Logging categories promote logging configuration. Each category has a name, target, and severity level that you can set, as per your application requirement.
Cisco ISE provides predefined logging categories for services, such as Posture, Profiler, Guest, AAA (authentication, authorization, and accounting), and so on, to which you can assign log targets.

Set Severity Levels for Message Codes

You can set the log severity level and choose logging targets where the logs of selected categories will be stored.

Procedure
Step 1 Choose Administration > System > Logging > Logging Categories.
Step 2 Click the radio button next to the category that you want to edit, and click Edit.
Step 3 Modify the required field values.
Step 4 Click Save.
Step 5 Go to the Logging Categories page and verify the configuration changes that were made to the specific category.
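
The remote syslog header fields described earlier (pri_num, msg_id, total_seg, seg_num) can be decoded on the collector and segmented messages rejoined. This is an added example, not code from the Cisco guide; the on-wire field order, the optional year, the category names, and the sample lines are assumptions constructed from the field table.

```python
import re
from collections import defaultdict

# Facility codes from the field table: LOCAL0 = 16 ... LOCAL7 = 23.
FACILITIES = {16 + i: f"LOCAL{i}" for i in range(8)}

# ASSUMED layout (field order follows the table; the guide's exact wire format
# is not quoted here): <pri_num>[YYYY ]Mmm DD hh:mm:ss host cat_name msg_id
# total_seg seg_num payload
HEADER = re.compile(
    r"<(?P<pri>\d{1,3})>(?P<time>(?:\d{4} )?[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<cat>\S+) (?P<msg_id>\d+) (?P<total>\d+) (?P<seg>\d+)"
    r" ?(?P<payload>.*)", re.S)

def decode_pri(pri):
    """Invert priority = facility * 8 + severity."""
    facility, severity = divmod(pri, 8)
    return FACILITIES.get(facility, f"facility{facility}"), severity

def parse(line):
    """Return the header fields as a dict, or None if the line does not match."""
    m = HEADER.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["facility"], rec["severity"] = decode_pri(int(rec.pop("pri")))
    for key in ("msg_id", "total", "seg"):
        rec[key] = int(rec[key])
    return rec

def reassemble(lines):
    """Join segments per (host, msg_id); report messages with missing segments."""
    groups = defaultdict(dict)
    for rec in filter(None, map(parse, lines)):
        groups[(rec["host"], rec["msg_id"], rec["total"])][rec["seg"]] = rec["payload"]
    complete, incomplete = {}, {}
    for (host, msg_id, total), segs in groups.items():
        if len(segs) == total:  # no assumption on whether seg_num starts at 0 or 1
            complete[(host, msg_id)] = "".join(segs[n] for n in sorted(segs))
        else:                   # e.g. a UDP datagram was lost in transit
            incomplete[(host, msg_id)] = (len(segs), total)
    return complete, incomplete

# Constructed sample lines (not real ISE output); segments arrive out of order.
SAMPLE = [
    "<181>2015 Jul  4 09:15:02 ise-psn1 CSCOxxx_Passed 0000000042 2 1 ,UserName=alice",
    "<181>2015 Jul  4 09:15:02 ise-psn1 CSCOxxx_Passed 0000000042 2 0 Step=11001",
    "<179>2015 Jul  4 09:15:03 ise-psn1 CSCOxxx_Failed 0000000043 3 0 Step=11001",
]

if __name__ == "__main__":
    print(reassemble(SAMPLE))
```

Because message IDs restart at 1 each time the application is restarted, a collector that runs continuously should also bound each (host, msg_id) group by arrival time so that segments from before and after a restart are not joined.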

Cisco ISE Message Catalogs

You can use the Message Catalog page to view all possible log messages and the descriptions. Choose Administration > System > Logging > Message Catalog.
The Log Message Catalog page appears, from which you can view all possible log messages that can appear in your log files. The data available in this page are for display only.

Debug Logs

Debug logs capture bootstrap, application configuration, runtime, deployment, monitoring, reporting, and public key infrastructure (PKI) information. Critical and warning alarms for the past 30 days and info alarms for the past 7 days are included in the debug logs.
You can configure the debug log severity level for individual components.
You can store the debug logs in the local server.
Note: Debug log configuration is not saved when a system is restored from a backup or upgraded.

View Logging Components for a Node

Procedure
Step 1 Choose Administration > System > Logging > Debug Log Configuration.
Step 2 Select the node for which you want to view the logging components, and then click Edit.
The Debug Level Configuration page appears. You can view the following details:
• List of logging components based on the services that are running on the selected node
• Description for each component
• Current log level that is set for the individual components

Configure Debug Log Severity Level

You can configure the severity levels for the debug logs.

Procedure
Step 1 Choose Administration > System > Logging > Debug Log Configuration.
Step 2 Select the node, and then click Edit.
The Debug Log Configuration page displays a list of components based on the services that are running in the selected node and the current log level that is set for the individual components.
Step 3 Select the component for which you want to configure the log severity level, and then click Edit. Choose the desired log severity level from the Log Level drop-down list, and click Save.
Note: Changing the log severity level of the runtime-AAA component changes the log level of its subcomponent prrt-JNI as well. A change in subcomponent log level does not affect its parent component.

Endpoint Debug Log Collector

To troubleshoot issues with a specific endpoint, you can download debug logs for that particular endpoint based on its IP address or MAC address. The logs from the various nodes in your deployment specific to that particular endpoint get collected in a single file, thus helping you troubleshoot your issue quickly and efficiently. You can run this troubleshooting tool only for one endpoint at a time. The log files are listed in the GUI. You can download the logs for an endpoint from a single node or from all the nodes in your deployment.

Download Debug Logs for a Specific Endpoint

To troubleshoot issues related to a specific endpoint in your network, you can use the Debug Endpoint tool from the Admin portal. Alternatively, you can run this tool from the Authentications page. Right-click the Endpoint ID from the Authentications page and click Endpoint Debug. This tool provides all debug information for all services related to the specific endpoint in a single file.

Before You Begin
You need the IP address or MAC address of the endpoint whose debug logs you want to collect.

Procedure
Step 1 Choose Operations > Troubleshoot > Diagnostic Tools > General Tools > Endpoint Debug.
Step 2 Click the MAC Address or IP radio button and enter the MAC or IP address of the endpoint.
Step 3 Check the Automatic disable after n Minutes check box if you want to stop log collection after a specified amount of time. If you check this check box, you must enter a time between 1 and 60 minutes.
The following message appears: "Endpoint Debug degrades the deployment performance. Would you like to continue?"
Step 4 Click Continue to collect the logs.
Step 5 Click Stop when you want to manually stop the log collection.

Collection Filters

You can configure the Collection Filters to suppress the syslog messages being sent to the monitoring and external servers. The suppression can be performed at the Policy Services Node levels based on different attribute types. You can define multiple filters with specific attribute type and a corresponding value.
Before sending the syslog messages to monitoring node or external server, Cisco ISE compares these values with fields in syslog messages to be sent. If any match is found, then the corresponding message is not sent.

Configure Collection Filters

You can configure multiple collection filters based on various attribute types. It is recommended to limit the number of filters to 20. You can add, edit, or delete a collection filter.

Procedure
Step 1 Choose Administration > System > Logging > Collection Filters.
Step 2 Click Add.
Step 3 Choose the Filter Type from the following list:
• User Name
• MAC Address
• Policy Set Name
• NAS IP Address
• Device IP Address
Step 4 Enter the corresponding Value for the filter type you have selected.
Step 5 Choose the Result from the drop-down list. The result can be All, Passed, or Failed.
Step 6 Click Submit.

Event Suppression Bypass Filter

Cisco ISE allows you to set filters to suppress some syslog messages from being sent to the Monitoring node and other external servers using the Collection Filters. At times, you need access to these suppressed log messages. Cisco ISE now provides you an option to bypass the event suppression based on a particular attribute such as username for a configurable amount of time. The default is 50 minutes, but you can configure the duration from 5 minutes to 480 minutes (8 hours). After you configure the event suppression bypass, it takes effect immediately. If the duration that you have set elapses, then the bypass suppression filter expires.
You can configure a suppression bypass filter from the Collection Filters page in the Cisco ISE user interface. Using this feature, you can now view all the logs for a particular identity (user) and troubleshoot issues for that identity in real time.
You can enable or disable a filter. If the duration that you have configured in a bypass event filter elapses, the filter is disabled automatically until you enable it again.
Cisco ISE captures these configuration changes in the Change Configuration Audit Report. This report provides information on who configured an event suppression or a bypass suppression and the duration of time for which the event was suppressed or the suppression bypassed.

CHAPTER 12
Backup and Restore Operations

• Backup Data Type
• Backup and Restore Repositories
• On-Demand and Scheduled Backups
• Cisco ISE Restore Operation
• Export Authentication and Authorization Policy Configuration
• Synchronize Primary and Secondary Nodes in a Distributed Environment
• Recovery of Lost Nodes in Standalone and Distributed Deployments

Backup Data Type

Cisco ISE allows you to back up data from the Primary PAN and from the Monitoring node. Backup can be done from the CLI or user interface.
Cisco ISE allows you to back up the following types of data:
• Configuration data—Contains both application-specific and Cisco ADE operating system configuration data. Backup can be done via the Primary PAN using the GUI or CLI.
• Operational Data—Contains monitoring and troubleshooting data. Backup can be done via the Primary PAN GUI or using the CLI for the Monitoring node.
A restore operation can be performed with the backup files of previous versions of Cisco ISE and restored on a later version. For example, if you have a backup from an ISE node from Cisco ISE, Release 1.2, you can restore it on Cisco ISE, Release 1.3.

Backup and Restore Repositories

Cisco allows you to create and delete repositories through the Admin portal. You can create the following types of repositories:
• DISK
• FTP
• SFTP
• NFS
• CD-ROM
• HTTP
• HTTPS
Note: Repositories are local to each device.
Note: We recommend that you have a repository size of 10 GB for small deployments (100 endpoints or less), 100 GB for medium deployments, and 200 GB for large deployments.

Create Repositories

You can use the CLI and GUI to create repositories. We recommend that you use the GUI for the following reasons:
• Repositories that are created through the CLI are saved locally and do not get replicated to the other deployment nodes. These repositories do not get listed in the GUI's repository page.
• Repositories that are created on the Primary PAN get replicated to the other deployment nodes.

Before You Begin
• To perform the following task, you must be a Super Admin or System Admin.

Procedure
Step 1 Choose Administration > System > Maintenance > Repository.
Step 2 Click Add to add a new repository.
Step 3 Enter the values as required to set up the new repository. See Repository Settings, on page 708 for a description of the fields.
Step 4 Click Submit to create the repository.
Step 5 Verify that the repository is created successfully by clicking Repository in the Operations navigation pane on the left or click the Repository List link at the top of this page to go to the repository listing page.

What to Do Next
• Ensure that the repository that you have created is valid. You can do so from the Repository listing page. Select the repository and click Validate. Alternatively, you can execute the following command from the Cisco ISE command-line interface: