https://community.cisco.com/t5/network-access-control/ise-2-2-permanently-hide-false-negatives-in-ise-live-logs-logs/m-p/3676108#M495924 <P>Hi,&nbsp;</P> <P>&nbsp;</P> <P>Thank you, I will try the suggestion.</P> <P>&nbsp;</P> <P>I am getting two failed authentications for each RAVPN session due to the following:</P> <P>&nbsp;</P> <P>- ASA is configured to use a SAML IdP for authentication and ISE for authorization</P> <P>-&nbsp;SAML : authentication is a two factor one in the solution I am working on, i.e. first session is a user and pass based authentication, then if this succeeds an SMS is sent to the user with an access code, once the access code has been entered the second session completes and the user is fully authenticated.</P> <P>- RADIUS : For each of the two authentication sessions mentioned above&nbsp;in the context of&nbsp;SAML, the ASA will send a RADIUS Access-Request to the ISE and will get an Access-Reject from ISE, which is normal, hence the reason i was referring to these as false negatives. Same RADIUS sessions will be used for authorization, specifically the second one will be the one which will&nbsp;send sufficient attributes to ISE (<SPAN>Cisco&nbsp;</SPAN><EM>AnyConnect</EM><SPAN>&nbsp;Identity Extensions (</SPAN><EM>ACIDex</EM><SPAN>)).</SPAN></P> <P>&nbsp;</P> <P><SPAN>Thank you</SPAN></P> <P><SPAN>Istvan</SPAN></P> Fri, 27 Jul 2018 10:08:22 GMT Istvan Matyasovszki 2018-07-27T10:08:22Z https://community.cisco.com/t5/network-access-control/ise-2-2-permanently-hide-false-negatives-in-ise-live-logs-logs/m-p/3675482#M495921 <P>Hi</P> <P>&nbsp;</P> <P>I am using split authentication / authorization in a ravpn setup (ASA used to terminated the VPNs). Authentication is done by a third party software using SAML and Authorization done by ISE. The SAML IdP in question has no RADIUS interface.</P> <P>&nbsp;</P> <P>As in RADIUS we cannot separate the authentication session from the authorization and as the SAML authentication is a two factor one, for each stage of authentication</P> <P>we get a failed authentication log in ISE (two failed authentications for each ravpn session authentication).</P> <P>&nbsp;</P> <P>Are you aware of a way / filter that could allow us to permanently filter out and hide the 'false negative' failed authentications so that we can only keep the authorization related session logs /data?</P> <P>&nbsp;</P> <P>Many thanks</P> <P>&nbsp;</P> <P>Istvan</P> Thu, 26 Jul 2018 15:30:48 GMT https://community.cisco.com/t5/network-access-control/ise-2-2-permanently-hide-false-negatives-in-ise-live-logs-logs/m-p/3675482#M495921 Istvan Matyasovszki 2018-07-26T15:30:48Z https://community.cisco.com/t5/network-access-control/ise-2-2-permanently-hide-false-negatives-in-ise-live-logs-logs/m-p/3675740#M495922 <P>Please explain why you are getting two failed auths for each session. The authentication usually continue with authorization. You might want to try a collection&nbsp;filter.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2018-07-26 at 12.41.36 PM.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/15468iFAFDF7E48BEB896A/image-size/large?v=v2&amp;px=999" role="button" title="Screen Shot 2018-07-26 at 12.41.36 PM.png" alt="Screen Shot 2018-07-26 at 12.41.36 PM.png" /></span></P> Thu, 26 Jul 2018 19:46:09 GMT https://community.cisco.com/t5/network-access-control/ise-2-2-permanently-hide-false-negatives-in-ise-live-logs-logs/m-p/3675740#M495922 hslai 2018-07-26T19:46:09Z https://community.cisco.com/t5/network-access-control/ise-2-2-permanently-hide-false-negatives-in-ise-live-logs-logs/m-p/3676108#M495924 <P>Hi,&nbsp;</P> <P>&nbsp;</P> <P>Thank you, I will try the suggestion.</P> <P>&nbsp;</P> <P>I am getting two failed authentications for each RAVPN session due to the following:</P> <P>&nbsp;</P> <P>- ASA is configured to use a SAML IdP for authentication and ISE for authorization</P> <P>-&nbsp;SAML : authentication is a two factor one in the solution I am working on, i.e. first session is a user and pass based authentication, then if this succeeds an SMS is sent to the user with an access code, once the access code has been entered the second session completes and the user is fully authenticated.</P> <P>- RADIUS : For each of the two authentication sessions mentioned above&nbsp;in the context of&nbsp;SAML, the ASA will send a RADIUS Access-Request to the ISE and will get an Access-Reject from ISE, which is normal, hence the reason i was referring to these as false negatives. Same RADIUS sessions will be used for authorization, specifically the second one will be the one which will&nbsp;send sufficient attributes to ISE (<SPAN>Cisco&nbsp;</SPAN><EM>AnyConnect</EM><SPAN>&nbsp;Identity Extensions (</SPAN><EM>ACIDex</EM><SPAN>)).</SPAN></P> <P>&nbsp;</P> <P><SPAN>Thank you</SPAN></P> <P><SPAN>Istvan</SPAN></P> Fri, 27 Jul 2018 10:08:22 GMT https://community.cisco.com/t5/network-access-control/ise-2-2-permanently-hide-false-negatives-in-ise-live-logs-logs/m-p/3676108#M495924 Istvan Matyasovszki 2018-07-27T10:08:22Z