topic Re: ISE 2.4 Patch 6 Filtering of Live logs not possible in Network Access Control

ISE 2.4 Patch 6 Filtering of Live logs not possible

thomas.pflaum — Thu, 11 Apr 2019 08:18:33 GMT

Hello,

i have upgraded ISE form 2.3 to Version 2.4 Patch 6. I have used self created Filters for Live Logs, you are lost in logs if you are not able to use it....

Now in Version 2.4 Patch 6 you are able to use the self created filters, but the result of filtering is different than before. I only see Passed/Failed Authentications no Sessions any more. The Filtering is configured to get live logs only for one specific Authenication Policy.

The behavior is the same, if i´m filtering for a specific Authenication Polcy in the column in the Live Logs.

If you filter based on the Identity in Live Logs, i see Passed/Failed Authentications and Sessions.

Does anybody have this same problem, or i´m doing something wrong?

Thanks

Thomas

Re: ISE 2.4 Patch 6 Filtering of Live logs not possible

paul — Thu, 11 Apr 2019 13:25:09 GMT

I only use the quick filter, but I just tried advanced filter with Authorization Profile and I get all record types. How exactly are you doing the filtering? I hide my authentication and authorization policy columns and only do filtering on authorization profile column because every result in my ISE deployments has a unique name using a well structured naming convention.

Re: ISE 2.4 Patch 6 Filtering of Live logs not possible

thomas.pflaum — Thu, 11 Apr 2019 13:41:31 GMT

It doesn´t matter which way you are filtering the Data in Live Logs. It´s not working with quick filter. I want to filter for a specific policy set, like you see in the attached screenshot. On old ISE Version (2.3 Patch 5) i have filtered for a specific Policy set, and the result was that i saw all passed, failed Authentication and the Sessions. In New Version (2.4 Patch 6) I only see passed and failed Authentications without the sessions.

Re: ISE 2.4 Patch 6 Filtering of Live logs not possible

Timothy Abbott — Thu, 11 Apr 2019 15:47:40 GMT

You shouldn't be getting session information when filtering in RADIUS live logs. If you were getting it in the past, it was most likely a defect that we fixed in 2.4. To view session information, click the Live Sessions tab. You can then filter from there.

Regards,

-Tim

Re: ISE 2.4 Patch 6 Filtering of Live logs not possible

thomas.pflaum — Fri, 12 Apr 2019 06:04:20 GMT

Hey Tim,

filtering inlcuding all Status (session, auth failed, auth passed) works in Version 2.4 in all column´s of the livelogs except of Authentication Policy and Authorization Policy.

I have tried to filter for Authentication Policy and Authorization Policy in Live session tab without success.

This sounds for me like a bug, not a feature.

Thomas

Re: ISE 2.4 Patch 6 Filtering of Live logs not possible

paul — Fri, 12 Apr 2019 10:58:09 GMT

Thomas,

That is funny. Those are the two columns I hide and have all my customers hide because for the most part you don't need to use those columns if you have a good naming convention on your Authorization Profiles. I just unhid them and you are correct blue session records aren't shown when you filter using either of those two columns. Definitely a bug in my opinion. Open a TAC case and have them get a bug filed.

Re: ISE 2.4 Patch 6 Filtering of Live logs not possible

thomas.pflaum — Fri, 12 Apr 2019 11:54:34 GMT

Paul,

Thank you for you feedback. I already open a Case at Cisco.

Thomas

Re: ISE 2.4 Patch 6 Filtering of Live logs not possible

thomas.pflaum — Wed, 24 Apr 2019 06:16:49 GMT

Hello All,

result from opening TAC case:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp19738/?reffering_site=dumpcr

So it is definitely a bug in Version 2.4 Patch 6.

Thanks to all.

Thomas