Cisco ISE 1.3 User Guide
Cisco Identity Services Engine Administrator Guide, Release 1.3, page 665: Cisco ISE Active RADIUS Sessions

• Block a problematic host — You can use the Session termination with port shutdown option to block an infected host that sends a lot of traffic over the network. However, the RADIUS protocol does not currently support a method for re-enabling a port that has been shut down.
• Force endpoints to reacquire IP addresses — You can use the Session termination with port bounce option for endpoints that do not have a supplicant or client, so that they generate a DHCP request after a VLAN change.
• Push an updated authorization policy to an endpoint — You can use the Session reauthentication option to enforce an updated policy configuration, such as a change in the authorization policy, on existing sessions at the discretion of the administrator. For example, if posture validation is enabled, an endpoint is usually quarantined when it first gains access. After the identity and posture of the endpoint are known, you can send the Session reauthentication command so that the endpoint acquires the actual authorization policy based on its posture.

For CoA commands to be understood by the device, it is important that you configure the options appropriately. For CoA to work properly, you must configure the shared secret of each device that requires a dynamic change of authorization. Cisco ISE uses the shared secret configuration to request access from the device and to issue CoA commands to it.

Note: In this release of Cisco ISE, the maximum number of active authenticated endpoint sessions that can be displayed is limited to 100,000.

Change Authorization for RADIUS Sessions

Some Network Access Devices on your network may not send an Accounting Stop or Accounting Off packet after a reload. As a result, you might find two sessions in the Session Directory reports, one of which has expired. To dynamically change the authorization of an active RADIUS session or to disconnect an active RADIUS session, be sure to choose the most recent session.

Procedure

Step 1 Choose Operations > Authentications.
Step 2 Switch the view to Show Live Session.
Step 3 Click the CoA link for the RADIUS session for which you want to issue CoA and choose one of the following options:

Note: For Inline Posture nodes and where wireless LAN controllers (WLC) are in use, only two options are available: Session reauthentication and Session termination.

• SAnet Session Query — Use this to query information about sessions from SAnet-supported devices.
• Session reauthentication — Reauthenticate the session. If you select this option for a session established on an ASA device supporting CoA, this invokes a Session Policy Push CoA.
• Session reauthentication with last — Use the last successful authentication method for this session.
• Session reauthentication with rerun — Run through the configured authentication method from the beginning.
Note: The Session reauthentication with last and Session reauthentication with rerun options are not currently supported in Cisco IOS software.

• Session termination — Just end the session. The switch reauthenticates the client in a different session.
• Session termination with port bounce — Terminate the session and restart the port.
• Session termination with port shutdown — Terminate the session and shut down the port.

Step 4 Click Run to issue CoA with the selected reauthenticate or terminate option.

If your CoA fails, it could be for one of the following reasons:
• The device does not support CoA.
• Changes have occurred to the identity or authorization policy.
• There is a shared secret mismatch.

Available Reports

The following table lists the preconfigured reports, grouped according to their category. Descriptions of the report functionality and the logging category are also provided.

Table 55: Available Reports

| Report Name | Description | Logging Category |
| --- | --- | --- |
| Auth Services Status | | |
| AAA Diagnostics | The AAA Diagnostics report provides details of all network sessions between Cisco ISE and users. If users cannot access the network, you can review this report to identify trends and to identify whether the issue is isolated to a particular user or indicative of a more widespread problem. | Choose Administration > System > Logging > Logging Categories and select these logging categories: Policy Diagnostics, Identity Stores Diagnostics, Authentication Flow Diagnostics, and RADIUS Diagnostics. |
| RADIUS Authentications | The RADIUS Authentications report enables you to review the history of authentication failures and successes. If users cannot access the network, you can review the details in this report to identify possible causes. | Choose Administration > System > Logging > Logging Categories and select these logging categories: Passed Authentications and Failed Attempts. |
| RADIUS Errors | The RADIUS Errors report enables you to check for RADIUS Requests Dropped (authentication/accounting requests discarded from an unknown Network Access Device), EAP connection timeouts, and unknown NADs. Note: Sometimes ISE will silently drop the Accounting Stop request of an endpoint if user authentication is in progress. However, ISE starts acknowledging all accounting requests once the user authentication is completed. | Choose Administration > System > Logging > Logging Categories and select Failed Attempts. |
| RADIUS Accounting | The RADIUS Accounting report identifies how long users have been on the network. If users are losing network access, you can use this report to identify whether Cisco ISE is the cause of the network connectivity issues. | Choose Administration > System > Logging > Logging Categories and select RADIUS Accounting. |
| Authentication Summary | The Authentication Summary report is based on the RADIUS authentications. It enables you to identify the most common authentications and the reason for any authentication failures. For example, if one Cisco ISE server is handling significantly more authentications than others, you might want to reassign users to different Cisco ISE servers to better balance the load. Note: As the Authentication Summary report or dashboard collects and displays the latest data corresponding to failed or passed authentications, the contents of the report appear after a delay of a few minutes. | — |
| OCSP Monitoring | The OCSP Monitoring report specifies the status of the Online Certificate Status Protocol (OCSP) services. It identifies whether Cisco ISE can successfully contact a certificate server and provides certificate status auditing. It provides a summary of all the OCSP certificate validation operations performed by Cisco ISE and retrieves information related to the good and revoked primary and secondary certificates from the OCSP server. Cisco ISE caches the responses and uses them to generate subsequent OCSP Monitoring reports. If the cache is cleared, it retrieves the information from the OCSP server again. | Choose Administration > System > Logging > Logging Categories and select System Diagnostics. |
| AD Connector Operations | The AD Connector Operations report provides a log of operations performed by the AD Connector, such as Cisco ISE server password refresh, Kerberos ticket management, DNS queries, DC discovery, and LDAP and RPC connection management. If AD failures are encountered, you can review the details in this report to identify the possible causes. | Choose Administration > System > Logging > Logging Categories and select AD Connector. |
| Identity Mapping | The Identity Mapping report enables you to monitor the state of the WMI connection to the domain controller and gather statistics related to it (such as the number of notifications received and the number of user logins/logouts per second). | Choose Administration > System > Logging > Logging Categories and select Identity Mapping. |
| Deployment Status | | |
| Administrator Logins | The Administrator Logins report provides information about all GUI-based administrator login events as well as successful CLI login events. | Choose Administration > System > Logging > Logging Categories and select Administrative and Operational audit. |
| Internal Administrator Summary | The Internal Administrator Summary report enables you to verify the entitlement of administrator users. From this report, you can also access the Administrator Logins and Change Configuration Audit reports, which enable you to view these details for each administrator. | — |
| Change Configuration Audit | The Change Configuration Audit report provides details about configuration changes within a specified time period. If you need to troubleshoot a feature, this report can help you determine whether a recent configuration change contributed to the problem. | Choose Administration > System > Logging > Logging Categories and select Administrative and Operational audit. |
| Secure Communications Audit | The Secure Communications Audit report provides auditing details about security-related events in the Cisco ISE Admin CLI, which include authentication failures, possible break-in attempts, SSH logins, failed passwords, SSH logouts, invalid user accounts, and so on. | — |
| Operations Audit | The Operations Audit report provides details about any operational changes, such as running backups, registering a Cisco ISE node, or restarting an application. | Choose Administration > System > Logging > Logging Categories and select Administrative and Operational audit. |
| System Diagnostics | The System Diagnostics report provides details about the status of the Cisco ISE nodes. If a Cisco ISE node is unable to register, you can review this report to troubleshoot the issue. This report requires that you first enable several diagnostic logging categories. Collecting these logs can negatively impact Cisco ISE performance, so these categories are not enabled by default, and you should enable them just long enough to collect the data. Otherwise, they are automatically disabled after 30 minutes. | Choose Administration > System > Logging > Logging Categories and select these logging categories: Internal Operations Diagnostics, Distributed Management, and Administrator Authentication and Authorization. |
| Health Summary | The Health Summary report provides details similar to the Dashboard. However, the Dashboard only displays data for the past 24 hours, and you can review more historical data using this report. You can evaluate this data to see consistent patterns. For example, you would expect heavier CPU usage when most employees start their work days. If you see inconsistencies in these trends, you can identify potential problems. | Choose Administration > System > Logging > Logging Categories and select these logging categories: System Statistics, System Diagnostics, and Administrative and Operational Audit. |
| Network Device Session Status | The Network Device Session Status Summary report enables you to display the switch configuration without logging in to the switch directly. Cisco ISE accesses these details using an SNMP query and requires that your network devices are configured with SNMP v1/v2c. If a user is experiencing network issues, this report can help you identify whether the issue is related to the switch configuration rather than to Cisco ISE. | — |
| Data Purging Audit | The Data Purging Audit report records when the logging data is purged. This report reflects two sources of data purging. At 4 AM daily, Cisco ISE checks whether there are any logging files that meet the criteria you have set on the Administration > Maintenance > Data Purging page. If so, the files are deleted and recorded in this report. Additionally, Cisco ISE continually maintains a maximum of 80% used storage space for the log files. Every hour, Cisco ISE verifies this percentage and deletes the oldest data until it reaches the 80% threshold again. This information is also recorded in this report. | — |
| pxGrid Administrator Audit | The pxGrid Administrator Audit report provides the details of pxGrid administration actions such as client registration, client deregistration, client approval, topic creation, topic deletion, publisher-subscriber addition, and publisher-subscriber deletion on the Primary PAN. Every record carries the name of the administrator who performed the action on the node. You can filter the pxGrid Administrator Audit report by administrator and by message criteria. | — |
| Misconfigured Supplicants | The Misconfigured Supplicants report provides a list of misconfigured supplicants along with statistics about the failed attempts performed by each supplicant. If you have taken corrective action and fixed the misconfigured supplicant, the report displays a fixed acknowledgment. Note: RADIUS Suppression should be enabled to run this report. | — |
| Misconfigured NAS | The Misconfigured NAS report provides information about NADs with an inaccurate accounting frequency, typically those that send accounting information too frequently. If you have taken corrective action and fixed the misconfigured NADs, the report displays a fixed acknowledgment. Note: RADIUS Suppression should be enabled to run this report. | — |
| Endpoints and Users | | |
| Client Provisioning | The Client Provisioning report indicates the client provisioning agents applied to particular endpoints. You can use this report to verify the policies applied to each endpoint and to check whether the endpoints have been correctly provisioned. | Choose Administration > System > Logging > Logging Categories and select Posture and Client Provisioning Audit and Posture and Client Provisioning Diagnostics. |
| Current Active Sessions | The Current Active Sessions report enables you to export a report with details about who was on the network within a specified time period. If a user is not getting network access, you can see whether the session is authenticated or terminated, or whether there is another problem with the session. | Choose Administration > System > Logging > Logging Categories and select these logging categories: Accounting and RADIUS Accounting. |
| Endpoint Protection Service Audit | The Endpoint Protection Service Audit report is based on RADIUS accounting. It displays historical reporting of all network sessions for each endpoint. | Choose Administration > System > Logging > Logging Categories and select Passed Authentications and RADIUS Accounting. |
| External Mobile Device Management | The External Mobile Device Management report provides details about the integration between Cisco ISE and the external Mobile Device Management (MDM) server. You can use this report to see which endpoints have been provisioned by the MDM server without logging in to the MDM server directly. It also displays information such as registration and MDM-compliance status. | Choose Administration > System > Logging > Logging Categories and select MDM. |
| Posture Detail Assessment | The Posture Detail Assessment report provides details about posture compliance for a particular endpoint. If an endpoint previously had network access and then suddenly was unable to access the network, you can use this report to determine whether a posture violation occurred. | Choose Administration > System > Logging > Logging Categories and select Posture and Client Provisioning Audit and Posture and Client Provisioning Diagnostics. |
| Profiled Endpoint Summary | The Profiled Endpoint Summary report provides profiling details about endpoints that are accessing the network. Note: For endpoints that do not register a session time, such as a Cisco IP Phone, the term Not Applicable is shown in the Endpoint session time field. | Choose Administration > System > Logging > Logging Categories and select Profiler. |
| Endpoint Profile Changes | The Endpoint Profile Changes report serves two purposes: (1) it compares the profile changes for a particular endpoint to verify that the latest and most current profile has been applied; (2) it displays profile changes initiated by the profiler feed service (which is available with a Cisco ISE Plus license). | — |
| Top Authorizations by Endpoint | The Top Authorizations by Endpoint (MAC address) report displays how many times each endpoint MAC address was authorized by Cisco ISE to access the network. | Passed Authentications, Failed Attempts |
| Top Authorizations by User | The Top Authorizations by User report displays how many times each user was authorized by Cisco ISE to access the network. | Passed Authentications, Failed Attempts |
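The CoA procedure at the top of this page depends on the shared secret configured for each device, and a shared secret mismatch is listed as one reason a CoA fails. The following Python script is an added example, not code from the Cisco guide: it builds an RFC 5176 CoA-Request, stands in for the network device's CoA-ACK/CoA-NAK reply, and checks the Response Authenticator so that a reply produced with a different secret is rejected; the session ID and both secrets are constructed sample values.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes defined in RFC 5176 (Dynamic Authorization Extensions).
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ACCT_SESSION_ID = 44  # attribute type that identifies the session to act on

def encode_attr(attr_type, value):
    """Encode one RADIUS attribute as Type (1 octet), Length (1 octet), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_coa_request(identifier, attrs, secret):
    """Build a CoA-Request. Per RFC 5176 the Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def nas_reply(request, code, secret):
    """Constructed stand-in for the network device: answer with the given code.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def verify_response(request, response, secret):
    """Return True only if the reply matches our request and its Response
    Authenticator was computed with the same shared secret we used."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code not in (COA_ACK, COA_NAK, DISCONNECT_ACK, DISCONNECT_NAK):
        return False
    if ident != request[1] or length != len(response):
        return False
    expected = hashlib.md5(
        response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def demo():
    """Exchange with a matching secret, then with a mismatched one."""
    secret = b"constructed-shared-secret"  # constructed sample, not a real secret
    req = build_coa_request(7, [encode_attr(ACCT_SESSION_ID, b"0000ABCD")], secret)
    ack = nas_reply(req, COA_ACK, secret)           # device configured correctly
    nak = nas_reply(req, COA_NAK, b"other-secret")  # shared secret mismatch
    return verify_response(req, ack, secret), verify_response(req, nak, secret)
```

A reply that fails `verify_response` should be treated as untrusted rather than as a CoA-NAK with a meaningful Error-Cause, since its contents cannot be attributed to the device.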