Cisco ISE 1.3 User Guide
endpoints to see the session trace information for that endpoint. The following figure shows an example of the session trace information displayed for an endpoint.

Note: The data set used for the search is indexed by Endpoint ID. Therefore, when authentication occurs, the endpoints must have Endpoint IDs for those authentications to be included in the search result set.

Figure 41: Session Trace of an Endpoint

You can use the clickable timeline at the top to see major authorization transitions. You can also export the results in .csv format by clicking the Export Results button. The report is downloaded to your browser.

Cisco Identity Services Engine Administrator Guide, Release 1.3, page 645, Session Trace for an Endpoint
You can click on the Endpoint Details link to see more authentication, accounting, and profiler information for a particular endpoint. The following figure shows an example of endpoint details information displayed for an endpoint.

Figure 42: Endpoint Details

Session Removal from the Directory

Sessions are cleaned from the session directory on the Monitoring and Troubleshooting node as follows:
• Terminated sessions are cleaned 15 minutes after termination.
• If there is authentication but no accounting, then such sessions are cleared after one hour.
• All inactive sessions are cleaned after seven days.

Authentication Summary Report

You can troubleshoot network access for a specific user, device, or search criteria based on attributes that are related to the authentication requests. You do this by running an Authentication Summary report.
Troubleshoot Network Access Issues

Procedure
Step 1 Choose Operations > Reports > Authentication Summary Report.
Step 2 Filter the report for Failure Reasons.
Step 3 Review the data in the Authentication by Failure Reasons section of the report to troubleshoot your network access problem.

Note: As the Authentication Summary report collects and displays the latest data corresponding to failed or passed authentications, the contents of the report appear after a delay of a few minutes.

Diagnostic Troubleshooting Tools

Diagnostic tools help you diagnose and troubleshoot problems on a Cisco ISE network and provide detailed instructions on how to resolve problems. You can use these tools to troubleshoot authentications and evaluate the configuration of any network device on your network, including Trustsec devices.

RADIUS Authentication Troubleshooting Tool

This tool allows you to search and select a RADIUS authentication or an Active Directory related RADIUS authentication for troubleshooting when there is an unexpected authentication result. You might use this tool if you expected an authentication to pass but it failed, or if you expected a user or machine to have a certain level of privileges and the user or machine did not have those privileges.
• When searching RADIUS authentications based on Username, Endpoint ID, Network Access Service (NAS) IP address, and reasons for authentication failure for troubleshooting, Cisco ISE displays authentications only for the system (current) date.
• When searching RADIUS authentications based on NAS Port for troubleshooting, Cisco ISE displays all NAS Port values from the beginning of the previous month to the current date.

Note: When searching RADIUS authentications based on the NAS IP address and Endpoint ID fields, a search is first performed in the operational database, and then in the configuration database.
Troubleshoot Unexpected RADIUS Authentication Results

Procedure
Step 1 Choose Operations > Troubleshoot > Diagnostic Tools > General Tools > RADIUS Authentication Troubleshooting.
Step 2 Specify the search criteria in the fields as needed.
Step 3 Click Search to display the RADIUS authentications that match your search criteria.
If you are searching for AD related authentication, and an Active Directory server is not configured in your deployment, a message saying 'AD not configured' is displayed.
Step 4 Select a RADIUS authentication record from the table, and click Troubleshoot.
If you need to troubleshoot AD related authentication, go to the Diagnostics Tool under Administration > Identity Management > External Identity Sources > Active Directory > AD node.
Step 5 Click User Input Required, modify the fields as needed, and then click Submit.
Step 6 Click Done.
Step 7 Click Show Results Summary after the troubleshooting is complete.
Step 8 To view a diagnosis, the steps to resolve the problem, and a troubleshooting summary, click Done.

Execute Network Device Tool

The Execute Network Device Command diagnostic tool allows you to run the show command on any network device. The results are exactly what you would see on a console, and can be used to identify problems in the configuration of the device. You can use it when you suspect that the configuration is wrong, you want to validate it, or if you are just curious about how it is configured.

Execute IOS Show Commands to Check Configuration

Procedure
Step 1 Choose Operations > Troubleshoot > Diagnostic Tools > General Tools > Execute Network Device Command.
Step 2 Enter the information in the appropriate fields.
Step 3 Click Run to execute the command on the specified network device.
Step 4 Click User Input Required, and modify the fields as necessary.
Step 5 Click Submit to run the command on the network device, and view the output.
Evaluate Configuration Validator Tool

You can use this diagnostic tool to evaluate the configuration of a network device and identify any configuration problems. The Expert Troubleshooter compares the configuration of the device with the standard configuration.

Troubleshoot Network Device Configuration Issues

Procedure
Step 1 Choose Operations > Troubleshoot > Diagnostic Tools > General Tools > Evaluate Configuration Validator.
Step 2 Enter the Network Device IP address of the device whose configuration you want to evaluate, and specify other fields as necessary.
Step 3 Select the configuration options to compare against the recommended template.
Step 4 Click Run.
Step 5 Click User Input Required, and modify the fields as necessary.
Step 6 Check the check boxes next to the interfaces that you want to analyze, and click Submit.
Step 7 Click Show Results Summary.

Posture Troubleshooting Tool

The Posture Troubleshooting tool helps you find the cause of a posture-check failure to identify the following:
• Which endpoints were successful in posture and which were not.
• If an endpoint failed in posture, what steps failed in the posture process.
• Which mandatory and optional checks passed and failed.

You determine this information by filtering requests based on parameters, such as username, MAC address, and posture status.

Troubleshoot Endpoint Posture Failure

Procedure
Step 1 Choose Operations > Troubleshoot > Diagnostic Tools > General Tools > Posture Troubleshooting.
Step 2 Enter the information in the appropriate fields.
Step 3 Click Search.
Step 4 To find an explanation and determine a resolution for an event, select the event in the list and click Troubleshoot.
TCP Dump Utility to Validate the Incoming Traffic

This tool sniffs packets, for when you want to verify that an expected packet really reached a node. For example, when there is no incoming authentication or log indicated in the report, you may suspect that there is no incoming traffic or that the incoming traffic cannot reach Cisco ISE. In such cases, you can run this tool to validate.

You can configure the TCP Dump options and then collect data from the network traffic to help you troubleshoot a network issue.

Caution: Starting a TCP Dump automatically deletes a previous dump file. To save a previous dump file, perform the task, as described in the Saving a TCP Dump File section, before you begin a new TCP Dump session.

Use TCP Dump to Monitor Network Traffic

Before You Begin
• The Network Interface drop-down list in the TCP Dump page displays only the network interface cards (NICs) that have an IPv4 or IPv6 address configured. By default, all NICs are connected on a VMware, and therefore, NICs are configured with an IPv6 address and displayed in the Network Interface drop-down list.
• You must have Adobe Flash Player installed on the Cisco ISE administration node to be able to view the tcpdump file.

Procedure
Step 1 Choose Operations > Troubleshoot > Diagnostic Tools > General Tools > TCP Dump.
Step 2 Choose a Host Name as the source for the TCP Dump utility. Inline Posture nodes are not supported.
Step 3 Choose a Network Interface to monitor from the drop-down list.
Step 4 Set Promiscuous Mode by clicking the radio button to On or Off. The default is On.
Promiscuous mode is the default packet sniffing mode in which the network interface passes all traffic to the system's CPU. We recommend that you leave it set to On.
Step 5 In the Filter text box, enter a boolean expression on which to filter.
Supported standard tcpdump filter expressions:
ip host 10.77.122.123
ip host 10.77.122.123 and not 10.77.122.119
ip host ISE123
Step 6 Click Start to begin monitoring the network.
Step 7 Click Stop when you have collected a sufficient amount of data, or wait for the process to conclude automatically after accumulating the maximum number of packets, which is 500,000.
Note: Cisco ISE does not support frames greater than 1500 MTU (jumbo frames).

Save a TCP Dump File

Before You Begin
You should have successfully completed the task, as described in the Using TCP Dump to Monitor Network Traffic section.

Note: You can also access TCP dump through the Cisco ISE CLI. For more information, refer to the Cisco Identity Services Engine CLI Reference Guide.

Procedure
Step 1 Choose Operations > Troubleshoot > Diagnostic Tools > General Tools > TCP Dump.
Step 2 Choose a Format from the drop-down list. Human Readable is the default.
Step 3 Click Download, navigate to the desired location, and then click Save.
Step 4 To get rid of the previous dump file without saving it first, click Delete.

Compare Unexpected SGACL for an Endpoint or User

Procedure
Step 1 Choose Operations > Troubleshoot > Diagnostic Tools > Trustsec Tools > Egress (SGACL) Policy.
Step 2 Enter the Network Device IP address of the Trustsec device whose SGACL policy you want to compare.
Step 3 Click Run.
Step 4 Click User Input Required and modify the fields as necessary.
Step 5 Click Submit.
Step 6 Click Show Results Summary to view the diagnosis and suggested resolution steps.

Egress Policy Diagnostic Flow

The egress policy diagnostic tool uses the process described in the following table for its comparison:
Process Stage | Description
1 | Connects to the device with the IP address that you provided, and obtains the access control lists (ACLs) for each source and destination SGT pair.
2 | Checks the egress policy that is configured in Cisco ISE and obtains the ACLs for each source and destination SGT pair.
3 | Compares the SGACL policy that is obtained from the network device with the SGACL policy that is obtained from Cisco ISE.
4 | Displays the source and destination SGT pair if there is a mismatch. Also, displays the matching entries as additional information.

Troubleshoot Connectivity Issues in a Trustsec-Enabled Network with SXP-IP Mappings

Procedure
Step 1 Choose Operations > Troubleshoot > Diagnostic Tools > Trustsec Tools > SXP-IP Mappings.
Step 2 Enter the network device IP address of the network device, and click Select.
Step 3 Click Run, and then click User Input Required and modify the necessary fields.
The Expert Troubleshooter retrieves Trustsec SXP connections from the network device and again prompts you to select the peer SXP devices.
Step 4 Click User Input Required, and enter the necessary information.
Step 5 Check the check box of the peer SXP devices for which you want to compare SXP mappings, and enter the common connection parameters.
Step 6 Click Submit.
Step 7 Click Show Results Summary to view the diagnosis and resolution steps.

Troubleshoot Connectivity Issues in a Trustsec-Enabled Network with IP-SGT Mappings

Procedure
Step 1 Choose Operations > Troubleshoot > Diagnostic Tools > Trustsec Tools > IP User SGT.
Step 2 Enter the information in the fields as needed.
Step 3 Click Run.
You are prompted for additional input.
Step 4 Click User Input Required, modify the fields as necessary, and then click Submit.
Step 5 Click Show Results Summary to view the diagnosis and resolution steps.
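Stages 3 and 4 of the Egress Policy Diagnostic Flow table above (compare the SGACL per source/destination SGT pair, report mismatches, list matches as extra information) as an added, offline Python model; this is not Cisco ISE code, and the SGT numbers and ACEs are constructed sample data, not output from a real device or ISE node.

```python
"""Offline model of the Egress (SGACL) Policy diagnostic comparison (added example)."""
from typing import Dict, List, Tuple

SgtPair = Tuple[int, int]          # (source SGT, destination SGT)
Policy = Dict[SgtPair, List[str]]  # ACEs attached to each SGT pair


def normalize(aces: List[str]) -> Tuple[str, ...]:
    """Canonical form of an SGACL. ACE order matters (first match wins),
    so only whitespace and case are normalized, never the sequence."""
    return tuple(" ".join(a.split()).lower() for a in aces)


def compare_egress_policy(device: Policy, ise: Policy) -> Dict[str, list]:
    """Stage 3 and 4: compare the SGACL obtained from the device with the
    one configured in Cisco ISE for every source/destination SGT pair.
    A pair known to only one side is reported as a mismatch, because the
    other side effectively has no SGACL for that pair."""
    mismatches, matches = [], []
    for pair in sorted(set(device) | set(ise)):
        dev_acl = normalize(device.get(pair, []))
        ise_acl = normalize(ise.get(pair, []))
        entry = {"pair": pair, "device": dev_acl, "ise": ise_acl}
        (matches if dev_acl == ise_acl else mismatches).append(entry)
    return {"mismatches": mismatches, "matches": matches}


# Constructed sample data (not captured from a real device or ISE node).
DEVICE_POLICY: Policy = {
    (10, 20): ["permit tcp dst eq 443", "deny ip"],
    (10, 30): ["deny ip"],
    (20, 30): ["permit ip"],
}
ISE_POLICY: Policy = {
    (10, 20): ["permit tcp dst eq 443", "deny ip"],
    (10, 30): ["permit icmp", "deny ip"],  # device is missing the ICMP ACE
    (30, 10): ["permit ip"],               # never pushed to the device
}

if __name__ == "__main__":
    result = compare_egress_policy(DEVICE_POLICY, ISE_POLICY)
    for m in result["mismatches"]:
        print("MISMATCH", m["pair"], "device:", m["device"], "ise:", m["ise"])
    for m in result["matches"]:
        print("match   ", m["pair"], m["device"])
```

A pair present in ISE but absent on the device (30 -> 10 above) is the case the tool flags when a policy was never downloaded to the switch.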
Device SGT Tool

For devices that are enabled with the Trustsec solution, each network device is assigned an SGT value through RADIUS authentication. The Device SGT diagnostic tool connects to the network device (with the IP address that you provide) and obtains the network device SGT value. It then checks the RADIUS authentication records to determine the SGT value that was assigned most recently. Finally, it displays the Device-SGT pairs in a tabular format, and identifies whether the SGT values are the same or different.

Troubleshoot Connectivity Issues in a Trustsec-Enabled Network by Comparing Device SGT Mappings

Procedure
Step 1 Choose Operations > Troubleshoot > Diagnostic Tools > Trustsec Tools > Device SGT.
Step 2 Enter the information in the fields as needed.
The default port number for Telnet is 23 and SSH is 22.
Step 3 Click Run.
Step 4 Click Show Results Summary to view the results of the device SGT comparison.

Obtaining Additional Troubleshooting Information

Cisco allows you to download support and troubleshooting information from the Admin portal. You can use the support bundle to prepare diagnostic information for the Cisco Technical Assistance Center (TAC) to troubleshoot problems with Cisco.

Note: The support bundles and debug logs provide advanced troubleshooting information for TAC and are difficult to interpret. You can use the various reports and troubleshooting tools that Cisco provides to diagnose and troubleshoot issues that you are facing in your network.

Cisco Support Bundle

You can configure the logs that you want to be part of your support bundle. For example, you can configure logs from a particular service to be part of your debug logs. You can also filter the logs based on dates.

The logs that you can download are categorized as follows:
• Full configuration database—The Cisco configuration database is downloaded in a human-readable XML format. When you are trying to troubleshoot issues, you can import this database configuration in another Cisco ISE node to recreate the scenario.
• Debug logs—Captures bootstrap, application configuration, run-time, deployment, public key infrastructure (PKI) information, and monitoring and reporting.
Debug logs provide troubleshooting information for specific Cisco ISE components. To enable debug logs, see Chapter 11, "Logging". If you do not enable the debug logs, all the informational messages (INFO) will be included in the support bundle. For more information, see Cisco Debug Logs, on page 655.
• Local logs—Contains syslog messages from the various processes that run on Cisco ISE.
• Core files—Contains critical information that would help identify the cause of a crash. These logs are created when the application crashes and include heap dumps.
• Monitoring and reporting logs—Contains information about alerts and reports.
• System logs—Contains Cisco Application Deployment Engine (ADE)-related information.
• Policy configuration—Contains policies configured in Cisco ISE in human readable format.

You can download these logs from the Cisco ISE CLI by using the backup-logs command. For more information, refer to the Cisco Identity Services Engine CLI Reference Guide.

Note: For Inline Posture nodes, you cannot download the support bundle from the Admin portal. You must use the backup-logs command from the Cisco ISE CLI to download logs for Inline Posture nodes.

If you choose to download these logs from the Admin portal, you can do the following:
• Download only a subset of logs based on the log type, such as debug logs or system logs.
• Download only the latest "n" number of files for the selected log type. This option allows you to control the size of the support bundle and the time taken for download.

Monitoring logs provide information about the monitoring, reporting, and troubleshooting features. For more information about downloading logs, see Download Cisco Log Files, on page 654.
Support Bundle

You can download the support bundle to your local computer as a simple tar.gpg file. The support bundle will be named with the date and time stamps in the format ise-support-bundle_ise-support-bundle-mm-dd-yyyy--hh-mm.tar.gpg. The browser prompts you to save the support bundle to an appropriate location. You can extract the content of the support bundle and then view the README.TXT file, which describes the contents of the support bundle, as well as how to import the contents of the ISE database if it is included in the support bundle.

Download Cisco Log Files

You can download the Cisco log files to look for more information while troubleshooting issues in your network.

Before You Begin
• You must have Super Admin or System Admin privileges to perform the following task.