topic Re: ISE reporting questions in Network Access Control

ISE reporting questions

jonbrown — Wed, 06 Sep 2017 01:12:39 GMT

Greetings, customer is looking for the following information from ISE, working with the partner we came up with the text in red. Can you confirm we've vetted out all the possibilities? There may be other software (like Prime or a syslog server) which gives them information, but they want it from ISE so they can react.

ISE configuration is removed from a network switch port that was ISE enabled previously–
- ISE cannot provide any report/alert of this event. Is this on the roadmap?
A computer has plugged into a port not configured for ISE -
- ISE cannot provide any report/alert of this event.
A non-corporate asset has been plugged into an ISE port.
- Can be done but may give you false positives. (Customer has devices that don't support certificates.) I believe we could create a rule to check if the device is part of an AD group?
A generated monthly report of all ports that do not have ISE enabled.
- Can be done in real time by ISE, could run an operations report for device status. Would show ports without an ISE configuration as NA. see attachment. I think this requires SNMP for ISE to query the switch ports for this. Can this report be automated to run monthly?

Thanks!

Re: ISE reporting questions

Nidhi — Wed, 06 Sep 2017 07:53:40 GMT

Hi Jb,

Please see the answers inline ( blue) for the response I received from the team on this query .

ISE configuration is removed from a network switch port that was ISE enabled previously–
- ISE cannot provide any report/alert of this event. Is this on the roadmap?

There are no such reports for this event. But we can go to troubleshooting page and check the configuration for the network switch.

Please check with the PM team about the roadmap for this,

A computer has plugged into a port not configured for ISE -
- ISE cannot provide any report/alert of this event.

True, ISE cannot provide any report for this.

A non-corporate asset has been plugged into an ISE port.
- Can be done but may give you false positives. (Customer has devices that don't support certificates.) I believe we could create a rule to check if the device is part of an AD group?

BYOD flow is there. And we do have couple of reports in BYOD section in the reports.

A generated monthly report of all ports that do not have ISE enabled.
- Can be done in real time by ISE, could run an operations report for device status. Would show ports without an ISE configuration as NA. see attachment. I think this requires SNMP for ISE to query the switch ports for this. Can this report be automated to run monthly?

For this particular report we don’t have option to schedule it.

Thanks,

Nidhi

Re: ISE reporting questions

hslai — Thu, 07 Sep 2017 15:23:54 GMT

Please keep in mind that ISE is not to use for configuring or auditing of the configurations on network devices. You should seek other tools, such as PI, DNA-C, or ISE Deployment Assistant (IDA) to do that.

Re: ISE reporting questions

jonbrown — Fri, 08 Sep 2017 04:32:50 GMT

Thank you!