Cisco ISE 1.3 User Guide
• Configure debug logs and the debug log levels.

Procedure

Step 1  Choose Operations > Troubleshoot > Download Logs > Appliance node list.
Step 2  Click the node from which you want to download the support bundles.
Step 3  In the Support Bundle tab, choose the parameters that you want to be populated in your support bundle.
        If you include all the logs, your support bundle will be excessively large and the download will take a long time. To optimize the download process, choose to download only the most recent n number of files.
Step 4  Enter the From and To dates for which you want to generate the support bundle.
Step 5  Enter and re-enter the encryption key for the support bundle.
Step 6  Click Create Support Bundle.
Step 7  Click Download to download the newly-created support bundle.
        The support bundle is a tar.gpg file that is downloaded to the client system that is running your application browser.

What to Do Next

Download debug Logs for specific components.

Cisco Debug Logs

Debug logs provide troubleshooting information for various Cisco components. Debug logs contain critical and warning alarms generated in the last 30 days and info alarms generated in the last 7 days. While reporting problems, you might be asked to enable these debug logs and send them for diagnosis and resolution of your problems.

Obtain Debug Logs

Procedure

Step 1  Configure the components for which you want to obtain the debug logs on the Debug Log Configuration page.
Step 2  Download the debug logs.

Cisco Components and the Corresponding Debug Logs

Table 54: Components and Corresponding Debug Logs

Debug Log              Component
ad_agent.log           Active Directory

Cisco Identity Services Engine Administrator Guide, Release 1.3 (Obtaining Additional Troubleshooting Information)
Debug Log              Component
tracking.log           Cache Tracker
edf.log                Entity Definition Framework (EDF)
ise-psc.log            JMS
ise-psc.log            License
tracking.log           Notification Tracker
replication.log        Replication-Deployment
replication.log        Replication-JGroup
tracking.log           Replication Tracker
ise-psc.log            RuleEngine-Attributes
ise-psc.log            RuleEngine-Policy-IDGroups
ise-psc.log            accessfilter
ise-psc.log            admin-infra
ise-psc.log            boot-strap wizard
ise-psc.log            cisco-mnt
ise-psc.log            client
ise-psc.log            cpm-clustering
ise-psc.log            cpm-mnt
ise-psc.log            epm-pdp
ise-psc.log            epm-pip
ise-psc.log            eps
ise-psc.log            anc
ise-psc.log            ers
ise-psc.log            guest
ise-psc.log            guestauth
ise-psc.log            guestportal
ise-psc.log            identitystore-AD
ise-psc.log            infrastructure
ise-psc.log            mdm
ise-psc.log            mdm-pip
alarms.log             mnt-alarm
Debug Log              Component
reports.log            mnt-report
ise-psc.log            mydevices
ise-psc.log            nsf
ise-psc.log            nsf-session
ise-psc.log            org-apache
ise-psc.log            org-apache-cxf
ise-psc.log            org-apache-digester
ise-psc.log            posture
profiler.log           profiler
ise-psc.log            provisioning
prrt-management.log    prrt-JNI
prrt-management.log    runtime-AAA
prrt-management.log    runtime-config
prrt-management.log    runtime-logging
ise-psc.log            sponsorportal
ise-psc.log            swiss

Download Debug Logs

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Procedure

Step 1  Choose Operations > Troubleshoot > Download Logs > Appliance node list.
Step 2  From the Appliance node list, click the node from which you want to download the debug logs.
Step 3  Click the Debug Logs tab.
        A list of debug log types and debug logs is displayed. This list is based on your debug log configuration.
Step 4  Click the log file that you want to download and save it to the system that is running your client browser.
        You can repeat this process to download other log files as needed. The following are additional debug logs that you can download from the Debug Logs page:

• isebootstrap.log—Provides bootstrapping log messages
• monit.log—Provides watchdog messages
• pki.log—Provides the third-party crypto library logs
• iseLocalStore.log—Provides logs about the local store files
• ad_agent.log—Provides Microsoft Active Directory third-party library logs
• catalina.log—Provides third-party logs

Monitoring Database

The rate and amount of data that is utilized by Monitoring functions requires a separate database on a dedicated node that is used for these purposes.

Like Policy Service, Monitoring has a dedicated database that requires you to perform maintenance tasks, such as the topics covered in this section:

Back Up and Restore of the Monitoring Database

The Monitoring database handles large volumes of data. Over time, the performance and efficiency of the monitoring node depends on how well you manage that data. To increase efficiency, we recommend that you back up the data and transfer it to a remote repository on a regular basis. You can automate this task by scheduling automatic backups.

Note: You should not perform a backup when a purge operation is in progress. If you start a backup during a purge operation, the purge operation stops or fails.

If you register a secondary Monitoring node, we recommend that you first back up the primary Monitoring node and then restore the data to the new secondary Monitoring node. This ensures that the history of the primary Monitoring node is in sync with the new secondary node as new changes are replicated.

Monitoring Database Purge

The purging process allows you to manage the size of the Monitoring database by specifying the number of months to retain data during a purge. The default is three months. This value is utilized when the disk space usage threshold for purging (percentage of disk space) is met. For this option, each month consists of 30 days. A default of three months equals 90 days.

Guidelines for Purging the Monitoring Database

The following are some guidelines to follow relating to Monitoring database disk usage:

• If the Monitoring database disk usage is greater than 80 percent of the threshold setting, a critical alarm is generated indicating that the database size has exceeded the allocated disk size. If the disk usage is greater than 90 percent, another alarm is generated.
  A purge process runs, creating a status history report that you can view by choosing Operations > Reports > Deployment Status > Data Purging Audit. An information (INFO) alarm is generated when the purge completes.
• Purging is also based on the percentage of consumed disk space for the database. When the consumed disk space for the Monitoring database is equal to or exceeds the threshold (the default is 80 percent), the purge process starts. This process deletes only the last seven days of monitoring data, irrespective of what is configured in the Admin portal. It will continue this process in a loop until the disk space is below 80 percent. Purging always checks the Monitoring database disk space limit before proceeding.

Purge Older Monitoring Data

Before You Begin

To perform the following task, you must be a Super Admin or System Admin.

Procedure

Step 1  Choose Administration > System > Maintenance > Data Purging.
Step 2  Specify the time period in months, for which the data will be retained. All the data prior to the specified time period will be purged. For this option, each month consists of 30 days. The default of three months equals 90 days.
        Note: If the configured retention period is less than the existing retention thresholds corresponding to the diagnostics data, then the configured value overrides the existing threshold values. For example, if you configure the retention period as 3 days and this value is less than the existing thresholds in the diagnostics tables (for example, a default of 5 days), then data is purged according to the value that you configure (3 days) in this page.
Step 3  Click Submit.
Step 4  Verify the success of the data purge by viewing the Data Purging Audit report.

What to Do Next

Cisco ISE Log Collection
Perform an On-demand Backup
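For the support bundle produced by the Download Logs procedure earlier in this chapter (a tar.gpg file protected by the encryption key you entered), the following added example, which is not part of the Cisco guide, decrypts the bundle and checks its member names before extracting anything. It assumes GnuPG 2.1 or later and that the key was used as a symmetric passphrase; the function names unsafe_members and open_bundle are illustrative.

```bash
#!/usr/bin/env bash
# Added example: inspect an ISE support bundle (tar.gpg) before extracting it.
# Assumptions: GnuPG 2.1+ and tar are installed, and the bundle is encrypted
# symmetrically with the key entered when the bundle was created.

# Read archive member names on stdin and print any that would land outside
# the extraction directory (absolute paths or ".." path components).
# Returns 0 when every name is safe, 1 otherwise.
unsafe_members() {
    local name bad=0
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        case "/$name/" in
            //*|*/../*) printf '%s\n' "$name"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Usage: open_bundle BUNDLE.tar.gpg KEY_FILE DEST_DIR
# KEY_FILE holds the encryption key, so it never appears in the process
# list or shell history.
open_bundle() {
    local bundle=$1 keyfile=$2 dest=$3 tmp rc
    tmp=$(mktemp) || return 1          # created with mode 0600
    if ! gpg --batch --quiet --yes --pinentry-mode loopback \
             --passphrase-file "$keyfile" --output "$tmp" \
             --decrypt "$bundle"; then
        rm -f "$tmp"; return 1         # wrong key or damaged download
    fi
    # List first; extract only if no member name escapes DEST_DIR.
    if ! tar -tf "$tmp" | unsafe_members >&2; then
        echo "refusing to extract: unsafe member names listed above" >&2
        rm -f "$tmp"; return 2
    fi
    mkdir -p "$dest" && tar -xf "$tmp" -C "$dest" --no-same-owner
    rc=$?
    rm -f "$tmp"                       # the decrypted tar holds sensitive logs
    return "$rc"
}

# Run only when called with the three arguments described above.
if [ "$#" -eq 3 ]; then
    open_bundle "$@"
fi
```

The bundle contains configuration and log data from the node, so keep the extracted directory on storage with the same access restrictions as the encrypted file.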
CHAPTER 26

Reports

• Cisco ISE Reports
• Run and View Reports
• Reports Navigation
• Export Reports
• Schedule and Save Cisco ISE Reports
• Add Favorite Reports
• Cisco ISE Active RADIUS Sessions
• Available Reports

Cisco ISE Reports

Cisco Identity Services Engine (ISE) reports are used with monitoring and troubleshooting features to analyze trends and to monitor system performance and network activities from a central location.

Cisco ISE collects log and configuration data from across the network. It then aggregates the data into reports for you to view and analyze. Cisco ISE provides a standard set of predefined reports that you can use and customize to fit your needs.

Cisco ISE reports are preconfigured and grouped into logical categories with information related to authentication, session traffic, device administration, configuration and administration, and troubleshooting.

Run and View Reports

This section describes how to run, view, and navigate reports using Reports View. You can specify time increments over which to display data in a report.
Procedure

Step 1  Choose Operations > Reports > ISE Reports.
Step 2  Click a report from the report categories available.
Step 3  Select one or more filters to run a report. Each report has different filters available, of which some are mandatory and some are optional.
Step 4  Enter an appropriate value for the filters.
Step 5  Run the report.

Related Topics

Available Reports

Reports Navigation

You can get detailed information from the reports output. For example, if you have generated a report for a period of five months, the graph and table will list the aggregate data for the report in a scale of months.

You can click a particular value from the table to see another report related to this particular field. For example, an authentication summary report will display the failed count for the user or user group. When you click the failed count, an authentication summary report is opened for that particular failed count.

Export Reports

You can export report data to an Excel spreadsheet as a comma-separated values (.csv) file. After you export the data, you will receive an email detailing the location of the report.

You cannot export the following reports:

• Authentication Summary
• Health Summary
• RBACL Drop Summary
  Note: Flows for RBACL dropped packets are available only with the Cisco Catalyst 6500 series switches.
• Guest Sponsor summary
• Endpoint Profile Changes
• Network Device Session Status
Note: To view the non-English characters correctly after exporting a report, you must import the file into Microsoft Excel by enabling UTF-8 character encoding. If you choose to open the exported .csv file directly in Microsoft Excel without enabling UTF-8 character encoding, the non-English characters in the report appear garbled.

Note: You can export report data to a .csv format only from the Primary PAN.

Procedure

Step 1  Run a report, as described in the Running and Viewing Reports section.
Step 2  Click Export in the top right-hand corner of the report summary page.
Step 3  Specify the data columns that you want to export.
Step 4  Choose a repository from the drop-down list.
Step 5  Click Export.

Schedule and Save Cisco ISE Reports

You can customize a report and save the changes as a new report, or restore the default report settings.

You can also customize and schedule Cisco ISE reports to run and re-run at a specific time or at time intervals. You can also send and receive email notifications once the reports are generated.

You cannot schedule the following reports:

• Authentication Summary
• Health Summary
• RBACL Drop Summary
  Note: Flows for RBACL dropped packets are available only with the Cisco Catalyst 6500 series switches.
• Guest Sponsor summary
• Endpoint Profile Changes
• Network Device Session Status

Note: You can save or schedule (customize) Cisco ISE reports only from the Primary PAN.
Procedure

Step 1  Run a report as described in the Running and Viewing Reports section.
Step 2  Click Save As in the top right-hand corner of the report summary page.
Step 3  Choose Report or Scheduled Report.
Step 4  Enter the required details in the dialog box.
Step 5  Click Save as New.

After saving a report, when you go back to the saved report, all the filter options are checked by default. You need to uncheck the filters that you do not wish to use.

Add Favorite Reports

You can add preconfigured system reports to your favorites list, as well as reports that you have customized.

You can add reports that you use frequently to a list of favorites to make them easier to find, similar to how you bookmark favorite websites in a browser. You can view and edit the parameters of your favorite reports, and then save the customized reports for reuse.

Note: Every administrator account is assigned one or more administrative roles. Depending on the roles that are assigned to your account, you may not be able to perform the tasks that are described in this section.

Procedure

Step 1  Run a report, as described in the Running and Viewing Reports section.
Step 2  Click Favorite in the top right-hand corner of the report summary page.
        The report appears in your Favorites list.
        Note: You can add preconfigured system reports to your favorites list only from the PAN.

Cisco ISE Active RADIUS Sessions

Cisco ISE provides a dynamic Change of Authorization (CoA) feature for the Live Sessions that allows you to dynamically control active RADIUS sessions. You can send reauthenticate or disconnect requests to a Network Access Device (NAD) to perform the following tasks:

• Troubleshoot issues related to authentication—You can use the Session reauthentication option to follow up with an attempt to reauthenticate again. However, you must not use this option to restrict access. To restrict access, use the shutdown option.