https://community.cisco.com/t5/network-access-control/is-username-quot-dummy-quot-exist-by-default-in-ise-used-when/m-p/3947387#M456390 <P>By default ISE will not disclose invalid usernames in the RADIUS logs.&nbsp; You can turn that annoying feature off in the RADIUS settings in ISE.&nbsp; As Damien said ISE can reject the authentication and the switch won't care as long as it is getting a response.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>I usually setup a policy set for the switch keep alives as I don't like not handling the request properly.&nbsp; I set the authentication to internal user and set the user not found to Continue.&nbsp; Then I put in an authorization rule to allow the access with a deny all DACL.&nbsp; Once I see the successful hits in the RADIUS logs I turn on suppression for the User ID so the switch probes aren't filling up my logs.</P> Thu, 24 Oct 2019 14:38:00 GMT paul 2019-10-24T14:38:00Z https://community.cisco.com/t5/network-access-control/is-username-quot-dummy-quot-exist-by-default-in-ise-used-when/m-p/3942102#M456383 <P>Hi,</P><P>&nbsp;</P><P>Is the password for this CLI "automate-tester username dummy probe-on" needed?</P><P>&nbsp;</P><P>radius server ise</P><P>automate-tester username dummy probe-on</P><P>key testise</P><P>Is "key testise" related to&nbsp;automate-tester username dummy probe-on?&nbsp;</P> Thu, 17 Oct 2019 01:02:13 GMT https://community.cisco.com/t5/network-access-control/is-username-quot-dummy-quot-exist-by-default-in-ise-used-when/m-p/3942102#M456383 getaway51 2019-10-17T01:02:13Z https://community.cisco.com/t5/network-access-control/is-username-quot-dummy-quot-exist-by-default-in-ise-used-when/m-p/3942132#M456386 "dummy" in the "automate-tester username dummy probe-on" command is an administrator defined username, dummy can be replaced with anything. The user does not need to exist anywhere, the switch is perfectly fine with ISE sending a radius-reject back in response to the probe. <BR /><BR />"key testise" is the radius shared secret that the switch uses to communicate with ISE. You set the key "testise" to anything you want, but it has to match on the network device configured within the ISE GUI. Thu, 17 Oct 2019 02:31:30 GMT https://community.cisco.com/t5/network-access-control/is-username-quot-dummy-quot-exist-by-default-in-ise-used-when/m-p/3942132#M456386 Damien Miller 2019-10-17T02:31:30Z https://community.cisco.com/t5/network-access-control/is-username-quot-dummy-quot-exist-by-default-in-ise-used-when/m-p/3942322#M456388 <P>Hi,</P><P>&nbsp;</P><P>So this "dummy" is not a username configured in ISE. Basically "dummy" is going to fail.&nbsp;</P><P>But the key needs to be correct same like in ISE.</P><P>AM i&nbsp; correct?&nbsp;</P> Thu, 17 Oct 2019 07:45:54 GMT https://community.cisco.com/t5/network-access-control/is-username-quot-dummy-quot-exist-by-default-in-ise-used-when/m-p/3942322#M456388 getaway51 2019-10-17T07:45:54Z https://community.cisco.com/t5/network-access-control/is-username-quot-dummy-quot-exist-by-default-in-ise-used-when/m-p/3945317#M456389 <P>Hi,</P><P>&nbsp;</P><P>If I check the username dummy(by filter) in the ISE live logs, can I see the failed session for user "dummy"?&nbsp;</P> Tue, 22 Oct 2019 13:26:39 GMT https://community.cisco.com/t5/network-access-control/is-username-quot-dummy-quot-exist-by-default-in-ise-used-when/m-p/3945317#M456389 getaway51 2019-10-22T13:26:39Z https://community.cisco.com/t5/network-access-control/is-username-quot-dummy-quot-exist-by-default-in-ise-used-when/m-p/3947387#M456390 <P>By default ISE will not disclose invalid usernames in the RADIUS logs.&nbsp; You can turn that annoying feature off in the RADIUS settings in ISE.&nbsp; As Damien said ISE can reject the authentication and the switch won't care as long as it is getting a response.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>I usually setup a policy set for the switch keep alives as I don't like not handling the request properly.&nbsp; I set the authentication to internal user and set the user not found to Continue.&nbsp; Then I put in an authorization rule to allow the access with a deny all DACL.&nbsp; Once I see the successful hits in the RADIUS logs I turn on suppression for the User ID so the switch probes aren't filling up my logs.</P> Thu, 24 Oct 2019 14:38:00 GMT https://community.cisco.com/t5/network-access-control/is-username-quot-dummy-quot-exist-by-default-in-ise-used-when/m-p/3947387#M456390 paul 2019-10-24T14:38:00Z https://community.cisco.com/t5/network-access-control/is-username-quot-dummy-quot-exist-by-default-in-ise-used-when/m-p/4092341#M560689 <P>Is it possible to share your authentication and authorization rules in your policy set?&nbsp; I would like to do this as the "Invalid" errors is filling up the Live logs.</P><P>&nbsp;</P><P>Thanks</P> Tue, 26 May 2020 19:00:26 GMT https://community.cisco.com/t5/network-access-control/is-username-quot-dummy-quot-exist-by-default-in-ise-used-when/m-p/4092341#M560689 fhowzejr2 2020-05-26T19:00:26Z https://community.cisco.com/t5/network-access-control/is-username-quot-dummy-quot-exist-by-default-in-ise-used-when/m-p/4092366#M560691 <P>Skip the policy set and just go to Administration-&gt;System-&gt;Logging-&gt;Collection Filters and setup a new collection filter to Filter All for the username "dummy" or whatever you are using for your switch keep-alive probes.</P> Tue, 26 May 2020 19:29:58 GMT https://community.cisco.com/t5/network-access-control/is-username-quot-dummy-quot-exist-by-default-in-ise-used-when/m-p/4092366#M560691 paul 2020-05-26T19:29:58Z https://community.cisco.com/t5/network-access-control/is-username-quot-dummy-quot-exist-by-default-in-ise-used-when/m-p/4092398#M560693 Thanks so much, I applied the collection filter and no longer have the clutter in Live Logs.<BR /><BR /><BR /> Tue, 26 May 2020 20:32:22 GMT https://community.cisco.com/t5/network-access-control/is-username-quot-dummy-quot-exist-by-default-in-ise-used-when/m-p/4092398#M560693 fhowzejr2 2020-05-26T20:32:22Z