Cisco Ise 13 User Guide
Alarm Name: Slow Replication Info
  Description: Slow or stuck replication is detected.
  Resolution: Verify that the node is reachable and part of the deployment.

Alarm Name: Slow Replication Warning
  Description: Slow or stuck replication is detected.
  Resolution: Verify that the node is reachable and part of the deployment.

ISE Services

Alarm Name: AD Connector had to be restarted
  Description: The AD Connector stopped unexpectedly and had to be restarted.
  Resolution: If this issue persists, contact the Cisco TAC for assistance.

Alarm Name: Active Directory forest is unavailable
  Description: The Active Directory forest Global Catalog (GC) is unavailable and cannot be used for authentication, authorization, or group and attribute retrieval.
  Resolution: Check the DNS configuration, Kerberos configuration, error conditions, and network connectivity.

Alarm Name: Authentication domain is unavailable
  Description: The authentication domain is unavailable and cannot be used for authentication, authorization, or group and attribute retrieval.
  Resolution: Check the DNS configuration, Kerberos configuration, error conditions, and network connectivity.

Alarm Name: ISE Authentication Inactivity
  Description: Cisco ISE policy service nodes are not receiving authentication requests from the network devices.
  Resolution: Check the ISE/NAD configuration. Check the network connectivity of the ISE/NAD infrastructure.

Alarm Name: IDMap.Authentication Inactivity
  Description: No user authentication events were collected by the Identity Mapping service in the last 15 minutes.
  Resolution: If this is a time when user authentications are expected (for example, work hours), check the connection to the Active Directory domain controllers.

Alarm Name: COA Failed
  Description: A network device has denied a Change of Authorization (CoA) request issued by the Cisco ISE policy service nodes.
  Resolution: Ensure that the network device is configured to accept CoA from Cisco ISE. Ensure that the CoA is issued on a valid session.

Alarm Name: Configured nameserver is down
  Description: The configured name server is down or unavailable.
  Resolution: Check the DNS configuration and network connectivity.

Alarm Name: Supplicant Stopped Responding
  Description: Cisco ISE sent the last message to the client 120 seconds ago but there is no response from the client.
  Resolution: Verify that the supplicant is configured properly to conduct a full EAP conversation with Cisco ISE. Verify that the NAS is configured properly to transfer EAP messages to and from the supplicant. Verify that neither the supplicant nor the NAS has a short timeout for the EAP conversation.

Cisco Identity Services Engine Administrator Guide, Release 1.3 635 Cisco ISE Alarms
Alarm Name: Excessive Authentication Attempts
  Description: Cisco ISE policy service nodes are experiencing a higher than expected rate of authentications.
  Resolution: Check the re-auth timer in the network devices. Check the network connectivity of the Cisco ISE infrastructure. Once the threshold is met, the Excessive Authentication Attempts and Excessive Failed Attempts alarms are triggered. The numbers displayed next to the Description column are the total number of authentications that passed or failed against Cisco ISE in the last 15 minutes.

Alarm Name: Excessive Failed Attempts
  Description: Cisco ISE policy service nodes are experiencing a higher than expected rate of failed authentications.
  Resolution: Check the authentication steps to identify the root cause. Check the Cisco ISE/NAD configuration for identity and shared secret mismatches. Once the threshold is met, the Excessive Authentication Attempts and Excessive Failed Attempts alarms are triggered. The numbers displayed next to the Description column are the total number of authentications that passed or failed against Cisco ISE in the last 15 minutes.

Alarm Name: AD: Machine TGT refresh failed
  Description: The ISE server's TGT (Ticket Granting Ticket) refresh has failed; the TGT is used for AD connectivity and services.
  Resolution: Check that the ISE machine account exists and is valid. Also check for possible clock skew, replication, Kerberos configuration, or network errors.

Alarm Name: AD: ISE account password update failed
  Description: The ISE server has failed to update its AD machine account password.
  Resolution: Check that the ISE machine account password has not been changed and that the machine account is not disabled or restricted. Check the connectivity to the KDC.

Alarm Name: Joined domain is unavailable
  Description: The joined domain is unavailable and cannot be used for authentication, authorization, or group and attribute retrieval.
  Resolution: Check the DNS configuration, Kerberos configuration, error conditions, and network connectivity.

Alarm Name: Identity Store Unavailable
  Description: Cisco ISE policy service nodes are unable to reach the configured identity stores.
  Resolution: Check the network connectivity between Cisco ISE and the identity store.
Alarm Name: Misconfigured Network Device Detected
  Description: Cisco ISE has detected too much RADIUS accounting information from a NAS.
  Resolution: Too many duplicate RADIUS accounting messages have been sent to ISE from the NAS. Configure the NAS with an accurate accounting frequency.

Alarm Name: Misconfigured Supplicant Detected
  Description: Cisco ISE has detected a misconfigured supplicant on the network.
  Resolution: Ensure that the configuration on the supplicant is correct.

Alarm Name: No Accounting Start
  Description: Cisco ISE policy service nodes have authorized a session but did not receive an accounting start from the network device.
  Resolution: Ensure that RADIUS accounting is configured on the network device. Check the network device configuration for local authorization.

Alarm Name: Unknown NAD
  Description: Cisco ISE policy service nodes are receiving authentication requests from a network device that is not configured in Cisco ISE.
  Resolution: Check whether the request comes from a genuine network device and, if so, add the device to the configuration. Ensure that the shared secret matches.

Alarm Name: SGACL Drops
  Description: Security Group ACL (SGACL) drops occurred. This occurs when a TrustSec-capable device drops packets due to SGACL policy violations.
  Resolution: Run the RBACL drop summary report and review the source causing the SGACL drops. Issue a CoA to the offending source to reauthorize or disconnect the session.

Alarm Name: RADIUS Request Dropped
  Description: An authentication or accounting request from a NAD was silently discarded. This may occur due to an unknown NAD, mismatched shared secrets, or packet content that is invalid per the RFC.
  Resolution: Check that the NAD/AAA client has a valid configuration in Cisco ISE. Check whether the shared secrets on the NAD/AAA client and Cisco ISE match. Ensure that the AAA client and the network device have no hardware problems or problems with RADIUS compatibility. Also ensure that the network that connects the device to Cisco ISE has no hardware problems.

Alarm Name: EAP Session Allocation Failed
  Description: A RADIUS request was dropped because the EAP session limit was reached. This condition can be caused by too many parallel EAP authentication requests.
  Resolution: Wait for a few seconds before invoking another RADIUS request with a new EAP session. If the system overload continues, try restarting the ISE server.

Alarm Name: RADIUS Context Allocation Failed
  Description: A RADIUS request was dropped due to system overload. This condition can be caused by too many parallel authentication requests.
  Resolution: Wait for a few seconds before invoking a new RADIUS request. If the system overload continues, try restarting the ISE server.

System Health
Alarm Name: High Disk I/O Utilization
  Description: The Cisco ISE system is experiencing high disk I/O utilization.
  Resolution: Check whether the system has sufficient resources. Check the actual amount of work on the system (for example, the number of authentications, profiler activity, and so on). Add an additional server to distribute the load.

Alarm Name: High Disk Space Utilization
  Description: The Cisco ISE system is experiencing high disk space utilization.
  Resolution: Check whether the system has sufficient resources. Check the actual amount of work on the system (for example, the number of authentications, profiler activity, and so on). Add an additional server to distribute the load.

Alarm Name: High Load Average
  Description: The Cisco ISE system is experiencing a high load average.
  Resolution: Check whether the system has sufficient resources. Check the actual amount of work on the system (for example, the number of authentications, profiler activity, and so on). Add an additional server to distribute the load.

Alarm Name: High Memory Utilization
  Description: The Cisco ISE system is experiencing high memory utilization.
  Resolution: Check whether the system has sufficient resources. Check the actual amount of work on the system (for example, the number of authentications, profiler activity, and so on). Add an additional server to distribute the load.

Alarm Name: High Operations DB Usage
  Description: Cisco ISE monitoring nodes are experiencing a higher volume of syslog data than expected.
  Resolution: Check and reduce the purge configuration window for the operations data.

Alarm Name: High Authentication Latency
  Description: The Cisco ISE system is experiencing high authentication latency.
  Resolution: Check whether the system has sufficient resources. Check the actual amount of work on the system (for example, the number of authentications, profiler activity, and so on). Add an additional server to distribute the load.

Alarm Name: Health Status Unavailable
  Description: The monitoring node has not received health status from the Cisco ISE node.
  Resolution: Ensure that the Cisco ISE nodes are up and running. Ensure that the Cisco ISE nodes are able to communicate with the monitoring nodes.

Alarm Name: Process Down
  Description: One of the Cisco ISE processes is not running.
  Resolution: Restart the Cisco ISE application.
Alarm Name: Profiler Queue Size Limit Reached
  Description: The ISE Profiler queue size limit has been reached. Events received after the queue size limit is reached are dropped.
  Resolution: Check whether the system has sufficient resources, and ensure that the EndPoint attribute filter is enabled.

Alarm Name: OCSP Transaction Threshold Reached
  Description: The OCSP transaction threshold has been reached. This alarm is triggered when the internal OCSP service reaches a high volume of traffic.
  Resolution: Check whether the system has sufficient resources.

Licensing

Alarm Name: License About to Expire
  Description: A license installed on the Cisco ISE nodes is about to expire.
  Resolution: View the Licensing page in Cisco ISE to view the license usage.

Alarm Name: License Expired
  Description: A license installed on the Cisco ISE nodes has expired.
  Resolution: Contact the Cisco Accounts team to purchase new licenses.

Alarm Name: License Violation
  Description: Cisco ISE nodes have detected that you are exceeding or about to exceed the allowed license count.
  Resolution: Contact the Cisco Accounts team to purchase additional licenses.

System Error

Alarm Name: Log Collection Error
  Description: The Cisco ISE monitoring collector process is unable to persist the audit logs generated from the policy service nodes.
  Resolution: This does not impact the actual functionality of the Policy Service nodes. Contact TAC for further resolution.

Alarm Name: Scheduled Report Export Failure
  Description: Unable to copy the exported report (CSV file) to the configured repository.
  Resolution: Verify the configured repository. If it has been deleted, add it back. If it is not available or not reachable, reconfigure the repository to a valid one.

Alarms are not triggered when you add users or endpoints to Cisco ISE.

Add Custom Alarms

Cisco ISE contains 12 default alarm types, such as High Memory Utilization and Configuration Changes. Cisco-defined system alarms are listed in the Alarms Settings page (Administration > System > Settings > Alarms Settings). System alarms can only be edited, not added or deleted. In addition to the existing system alarms, you can add, edit, or delete custom alarms under the existing alarm types.

To add an alarm:
Procedure

Step 1  Choose Administration > System > Settings > Alarm Settings.
Step 2  In the Alarm Configuration tab, click Add.
Step 3  Enter the required details.
        Based on the alarm type (High Memory Utilization, Excessive RADIUS Authentication Attempts, and so on), additional attributes are displayed in the Alarm Configuration page. For example, the Object Name, Object Type, and Admin Name fields are displayed for Configuration Change alarms. You can add multiple instances of the same alarm with different criteria.
Step 4  Click Submit.

Cisco ISE Alarm Notifications and Thresholds

You can enable or disable Cisco ISE alarms and configure alarm notification behavior to notify you of critical conditions. For certain alarms you can configure thresholds, such as the maximum number of failed attempts for the Excessive Failed Attempts alarm or the maximum disk utilization for the High Disk Utilization alarm.

Enable and Configure Alarms

Procedure

Step 1  Choose Administration > System > Settings > Alarm Settings.
Step 2  Select an alarm from the list of default alarms and click Edit.
Step 3  Select Enable or Disable.
Step 4  Configure the alarm threshold, if applicable.
Step 5  Click Submit.

Cisco ISE Alarms for Monitoring

Cisco ISE provides system alarms that notify you whenever a critical system condition occurs. Alarms generated by Cisco ISE are displayed in the Alarm dashlet; these notifications appear there automatically.

The Alarm dashlet displays a list of recent alarms, from which you can select an alarm to view its details. You can also receive notification of alarms through e-mail and syslog messages.
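As an added example (not code from the Cisco guide), the following Python evaluates the Excessive Authentication Attempts and Excessive Failed Attempts conditions the way the alarm table above defines them: totals over the last 15 minutes compared with a configured threshold. The record layout, the threshold values, the failure-reason strings and the reading of "threshold is met" as greater-than-or-equal are all assumptions made for the example. The breakdown of in-window failures by network device and reason is the check a practitioner wants when the resolution says to look for an identity or shared-secret mismatch.

```python
"""Window-based evaluation of the Excessive Authentication Attempts and
Excessive Failed Attempts alarms (added example, not from the Cisco ISE guide).
Record layout, thresholds and failure-reason strings are assumptions."""
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # the guide counts authentications over the last 15 minutes

# Constructed sample records (not real ISE output):
# (timestamp, status, network_device, identity, failure_reason)
NOW = datetime(2015, 3, 2, 9, 0, 0)
SAMPLE = []
for i in range(30):   # 30 successes from a healthy switch, all inside the window
    SAMPLE.append((NOW - timedelta(seconds=20 * i), "passed", "switch-a", f"user{i % 5}", ""))
for i in range(12):   # 12 failures from one switch with one constructed reason
    SAMPLE.append((NOW - timedelta(seconds=50 * i), "failed", "switch-b", "svc-printer", "shared secret mismatch"))
for i in range(3):    # 3 failures older than 15 minutes, which must not be counted
    SAMPLE.append((NOW - timedelta(minutes=16 + i), "failed", "switch-a", "user9", "wrong password"))


def in_window(ts, now, window=WINDOW):
    return now - window <= ts <= now


def window_counts(records, now, window=WINDOW):
    """Return (passed, failed) totals for records inside the window, the two
    numbers the guide says are shown next to the alarm description."""
    passed = failed = 0
    for ts, status, *_ in records:
        if not in_window(ts, now, window):
            continue
        if status == "passed":
            passed += 1
        elif status == "failed":
            failed += 1
    return passed, failed


def evaluate_alarms(records, now, max_attempts, max_failed, window=WINDOW):
    """Return the (alarm name, count) pairs whose threshold is met.
    'Met' is taken as count >= threshold (assumption)."""
    passed, failed = window_counts(records, now, window)
    alarms = []
    if passed + failed >= max_attempts:
        alarms.append(("Excessive Authentication Attempts", passed + failed))
    if failed >= max_failed:
        alarms.append(("Excessive Failed Attempts", failed))
    return alarms


def failure_breakdown(records, now, window=WINDOW, top=3):
    """Group in-window failures by (network device, reason) so a single
    misconfigured NAD or identity stands out when the alarm fires."""
    counts = Counter(
        (device, reason)
        for ts, status, device, _identity, reason in records
        if status == "failed" and in_window(ts, now, window)
    )
    return counts.most_common(top)


if __name__ == "__main__":
    print(window_counts(SAMPLE, NOW))
    print(evaluate_alarms(SAMPLE, NOW, max_attempts=40, max_failed=10))
    print(failure_breakdown(SAMPLE, NOW))
```

With the sample data both alarms fire at thresholds of 40 attempts and 10 failures, and the breakdown points at a single switch with one repeated reason, which is where the Excessive Failed Attempts resolution (check the ISE/NAD configuration for identity and secret mismatch) would start.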
View Monitoring Alarms

Procedure

Step 1  Go to the Cisco ISE Dashboard.
Step 2  Click an alarm in the Alarms dashlet. A new window opens with the alarm details and a suggested action.
Step 3  Click Refresh to refresh the alarms.
Step 4  Click Acknowledge to acknowledge the selected alarms. You can select alarms by clicking the check box before the timestamp. This reduces the alarm counters (the number of times an alarm has been raised) when alarms are marked as read.
Step 5  Click the Details link corresponding to the alarm that you selected. A new window opens with the details of that alarm.

Note: The Details link for alarms that were generated prior to a persona change shows no data.

Log Collection

Monitoring services collect log and configuration data, store the data, and then process it to generate reports and alarms. You can view the details of the logs that are collected from any of the servers in your deployment.

Alarm Syslog Collection Location

If you configure monitoring functions to send alarm notifications as syslog messages, you need a syslog target to receive the notifications. Alarm syslog targets are the destinations to which alarm syslog messages are sent. You must also have a system that is configured as a syslog server to be able to receive syslog messages. You can create, edit, and delete alarm syslog targets.

Note: Cisco ISE monitoring requires that the logging-source interface configuration use the network access server (NAS) IP address. You must configure a switch for Cisco ISE monitoring.

Live Authentications

You can monitor recent RADIUS authentications as they happen from the Live Authentications page. The page displays the top 10 RADIUS authentications in the last 24 hours. This section explains the functions of the Live Authentications page.

The Live Authentications page shows the live authentication entries corresponding to the authentication events as they happen. In addition to authentication entries, this page also shows the live session entries corresponding to those events. You can also drill down into a session to view a detailed report for that session.
The Live Authentications page provides a tabular account of recent RADIUS authentications, in the order in which they happen. The last update shown at the bottom of the Live Authentications page shows the server's date, time, and time zone.

When a single endpoint authenticates successfully, two entries appear in the Live Authentications page: one corresponding to the authentication record and another corresponding to the session record (pulled from the session live view). Subsequently, when the device performs another successful authentication, the repeat counter corresponding to the session record is incremented. The Repeat Counter that appears in the Live Authentications page shows the number of duplicate RADIUS authentication success messages that have been suppressed.

The Live Authentication data categories that are shown by default are described in the Recent RADIUS Authentications section.

You can choose to view all of the columns, or to display only selected data columns. After selecting the columns that you want to appear, you can save your selections.

Monitor Live Authentications

Procedure

Step 1  Choose Operations > Authentications.
Step 2  Select a time interval from the Refresh drop-down list to change the data refresh rate.
Step 3  Click the Refresh icon to manually update the data.
Step 4  Choose an option from the Show drop-down list to change the number of records that appear.
Step 5  Choose an option from the Within drop-down list to specify a time interval.
Step 6  Click Add or Remove Columns and choose the options from the drop-down list to change the columns that are shown.
Step 7  Click Save at the bottom of the drop-down list to save your modifications.
Step 8  Click Show Live Sessions to view live RADIUS sessions.

You can use the dynamic Change of Authorization (CoA) feature for Live Sessions, which allows you to dynamically control active RADIUS sessions. You can send reauthenticate or disconnect requests to a Network Access Device (NAD).
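As an added example (not code from the Cisco guide), the following Python matcher implements the filter operators that the next section lists for the Live Authentications page (contains, does not contain, empty, not empty, starts with, ends with, and the backslash escapes) and applies them to constructed records. The record shape, the field names and case-sensitive matching are assumptions made for the example; it also lets a leading '!' combine with the '*' forms, which the guide does not state.

```python
"""Matcher for the Live Authentications filter operators (added example, not
from the Cisco ISE guide). Record shape, field names and case-sensitive
matching are assumptions made for the example."""

SPECIALS = set("!*{\\")  # characters that a backslash can escape

# Constructed sample records (not real ISE output).
SAMPLE = [
    {"Identity": "alice",     "Network Device": "switch-a", "Status": "passed"},
    {"Identity": "Employee!", "Network Device": "switch-a", "Status": "failed"},
    {"Identity": "Employee1", "Network Device": "switch-b", "Status": "passed"},
    {"Identity": "",          "Network Device": "switch-b", "Status": "live"},
    {"Identity": "bob*admin", "Network Device": "wlc-1",    "Status": "failed"},
]


def _unescape(text):
    """Replace '\\x' with 'x' for x in SPECIALS; other backslashes stay literal."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text) and text[i + 1] in SPECIALS:
            out.append(text[i + 1])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def _ends_with_wildcard(expr):
    """True if expr ends in a '*' that is not itself escaped (even number of
    preceding backslashes)."""
    if not expr.endswith("*"):
        return False
    backslashes = len(expr) - 1 - len(expr[:-1].rstrip("\\"))
    return backslashes % 2 == 0


def parse_filter(expr):
    """Return (operator, literal). Operators: contains, starts, ends, empty and
    their not_ forms. Only an unescaped leading '!' negates; a leading '\\!'
    is the literal character, as in the guide's "Employee\\!" example."""
    negate = expr.startswith("!")
    if negate:
        expr = expr[1:]
    if expr == "{}":
        return ("not_empty" if negate else "empty", "")
    op = "contains"
    if expr.startswith("*"):            # an escaped star would start with '\', not '*'
        op, expr = "ends", expr[1:]
    elif _ends_with_wildcard(expr):
        op, expr = "starts", expr[:-1]
    return ("not_" + op if negate else op, _unescape(expr))


def matches(value, expr):
    """Apply one filter expression to one field value (None counts as empty)."""
    op, lit = parse_filter(expr)
    value = value or ""
    base = op[4:] if op.startswith("not_") else op
    hit = {
        "contains": lit in value,
        "starts": value.startswith(lit),
        "ends": value.endswith(lit),
        "empty": value == "",
    }[base]
    return not hit if op.startswith("not_") else hit


def filter_records(records, field_filters, statuses=None):
    """Keep records that match every field filter (AND) and, if given, one of
    the Status values, mirroring the passed/failed/live status buttons."""
    kept = []
    for rec in records:
        if statuses is not None and rec.get("Status") not in statuses:
            continue
        if all(matches(rec.get(field), expr) for field, expr in field_filters.items()):
            kept.append(rec)
    return kept


def identities(records):
    return [r["Identity"] for r in records]


if __name__ == "__main__":
    print(identities(filter_records(SAMPLE, {"Identity": "Employee\\!"})))
    print(identities(filter_records(SAMPLE, {"Identity": "Employee*"})))
    print(identities(filter_records(SAMPLE, {"Network Device": "switch*"}, {"failed"})))
```

The escape handling is the part worth checking against a real deployment: "Employee\!" must match only the identity containing a literal exclamation mark, and "bob\*" must not be read as a starts-with filter.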
Filter Data in Live Authentications Page

With the filters in the Live Authentications page, you can filter out the information that you need and troubleshoot network authentication issues quickly. You can filter records in the Authentication (live logs) page and view only the records that you are interested in. The authentication logs contain many details, and filtering the authentications from a particular user or location helps you scan the data quickly. You can use several operators that are available on the various fields in the Live Authentications page to filter records based on your search criteria.

• 'abc' - Contains 'abc'
• '!abc' - Does not contain 'abc'
• '{}' - Is empty
• '!{}' - Is not empty
• 'abc*' - Starts with 'abc'
• '*abc' - Ends with 'abc'
• '\!', '\*', '\{', '\\' - Escape

The Escape option allows you to filter text with special characters (including the special characters used as filters). You must prefix the special character with a backslash (\). For example, if you want to view the authentication records of users with the identity "Employee!", enter "Employee\!" in the identity filter text box. In this example, Cisco ISE treats the exclamation mark (!) as a literal character and not as a special character.

In addition, the Status field allows you to filter only passed authentication records, failed authentications, live sessions, and so on. The green check mark filters all passed authentications that occurred in the past. The red cross mark filters all failed authentications. The blue i icon filters all live sessions. You can also choose to view a combination of these options.

Procedure

Step 1  Choose Operations > Authentications.
Step 2  Filter data based on any of the fields in the Show Live Authentications page.
        You can filter the results based on passed or failed authentications, or live sessions.

Global Search for Endpoints

You can use the global search box available at the top of the Cisco ISE home page to search for endpoints. You can use any of the following criteria to search for an endpoint:

• Username
• MAC Address
• IP Address
• Authorization Profile
• Endpoint Profile
• Failure Reason
• Identity Group
• Identity Store
• Network Device name
• Network Device Type
• Operating System
• Posture Status
• Location
• Security Group
• User Type

You should enter at least three characters for any of the search criteria in the Search field to display data.

The search result provides detailed, at-a-glance information about the current status of the endpoint, which you can use for troubleshooting. Search results display only the top 25 entries. It is recommended to use filters to narrow down the results.

The following figure shows an example of the search result.

Figure 40: Search Result For Endpoints

You can use any of the properties in the left panel to filter the results. You can also click any endpoint to see more detailed information about the endpoint, such as:

• Session trace
• Authentication details
• Accounting details
• Posture details
• Profiler details
• Client Provisioning details
• Guest accounting and activity

Session Trace for an Endpoint

You can use the global search box available at the top of the Cisco ISE home page to get session information for a particular endpoint. When you search with a criterion, you get a list of endpoints. Click on any of these