https://community.cisco.com/t5/network-access-control/authorization-profile-reporting/m-p/3540957#M526772 <HTML><HEAD></HEAD><BODY><P>Okay this will be a little venting of a post, but want to ask about a few issues in reporting on ISE authentication activity.&nbsp; In our best practices we have the following:</P><P></P><OL><LI>Every rule in ISE has a unique authorization profile created.</LI><LI>Every authorization profile is well named and self documenting using the following standards:<OL><LI>SSID_&lt;SSID Name&gt;_&lt;Auth Protocol&gt;_&lt;Description&gt;, i.e. SSID_Employee_PEAP_Domain_Computer</LI><LI>Wired_MAB_Descption, i.e. Wired_MAB_Printer</LI><LI>Wired_Dot1x_&lt;Auth Protocol&gt;_&lt;Description&gt;, i.e. Wired_Dot1x_PEAP_Domain_Computer</LI><LI>VPN_&lt;tunnel group/use case&gt;_&lt;Description&gt;, i.e. VPN_Employee_IT_Admins</LI></OL></LI></OL><P></P><P>With this naming convention, we can hide the Authentication Policy and Authorization Policy in the Live Log window as they are irrelevant.&nbsp; The Authorization Profile column tells the user exactly what happened.&nbsp; The Authorization Profile is the result applied to the user and what is important.&nbsp; The rule name is irrelevant, although we name them accordingly.</P><P></P><P>In ISE 2.1, I identified a bug (CSCvb46991) in the Context Visibility screen where the Authorization Profile column was putting the rule name in by mistake.&nbsp; It seems like the solution for that bug was to get rid of the Authorization Profile column all together.&nbsp; So instead of fixing the issue, the ability to filter on our well name results isn't an option on the Context Visibility screen.</P><P></P><P>In the RADIUS authentication reports, you can add the "AZN Policy" (this is a 1.0 name I think... why hasn't this been updated), but you can't filter on that column.&nbsp; Makes no sense why you can't filter on any of the columns.</P><P></P><P>Any reasons we can't use Authorization Profiles as filtering conditions in Context Visibility and Reports?&nbsp; It looks silly to customers when they have well named results and they can't use them on all screens when in my mind there is no difficult technical reason behind it.</P></BODY></HTML> Mon, 11 Sep 2017 17:50:02 GMT paul 2017-09-11T17:50:02Z https://community.cisco.com/t5/network-access-control/authorization-profile-reporting/m-p/3540957#M526772 <HTML><HEAD></HEAD><BODY><P>Okay this will be a little venting of a post, but want to ask about a few issues in reporting on ISE authentication activity.&nbsp; In our best practices we have the following:</P><P></P><OL><LI>Every rule in ISE has a unique authorization profile created.</LI><LI>Every authorization profile is well named and self documenting using the following standards:<OL><LI>SSID_&lt;SSID Name&gt;_&lt;Auth Protocol&gt;_&lt;Description&gt;, i.e. SSID_Employee_PEAP_Domain_Computer</LI><LI>Wired_MAB_Descption, i.e. Wired_MAB_Printer</LI><LI>Wired_Dot1x_&lt;Auth Protocol&gt;_&lt;Description&gt;, i.e. Wired_Dot1x_PEAP_Domain_Computer</LI><LI>VPN_&lt;tunnel group/use case&gt;_&lt;Description&gt;, i.e. VPN_Employee_IT_Admins</LI></OL></LI></OL><P></P><P>With this naming convention, we can hide the Authentication Policy and Authorization Policy in the Live Log window as they are irrelevant.&nbsp; The Authorization Profile column tells the user exactly what happened.&nbsp; The Authorization Profile is the result applied to the user and what is important.&nbsp; The rule name is irrelevant, although we name them accordingly.</P><P></P><P>In ISE 2.1, I identified a bug (CSCvb46991) in the Context Visibility screen where the Authorization Profile column was putting the rule name in by mistake.&nbsp; It seems like the solution for that bug was to get rid of the Authorization Profile column all together.&nbsp; So instead of fixing the issue, the ability to filter on our well name results isn't an option on the Context Visibility screen.</P><P></P><P>In the RADIUS authentication reports, you can add the "AZN Policy" (this is a 1.0 name I think... why hasn't this been updated), but you can't filter on that column.&nbsp; Makes no sense why you can't filter on any of the columns.</P><P></P><P>Any reasons we can't use Authorization Profiles as filtering conditions in Context Visibility and Reports?&nbsp; It looks silly to customers when they have well named results and they can't use them on all screens when in my mind there is no difficult technical reason behind it.</P></BODY></HTML> Mon, 11 Sep 2017 17:50:02 GMT https://community.cisco.com/t5/network-access-control/authorization-profile-reporting/m-p/3540957#M526772 paul 2017-09-11T17:50:02Z https://community.cisco.com/t5/network-access-control/authorization-profile-reporting/m-p/3540958#M526773 <HTML><HEAD></HEAD><BODY><P>Yes, it is odd that AuthZ Profile removed, but you can add it back by creating a new view with the Authentication attributes set and adding the SelectedAuthorizationProfiles attribute.&nbsp; I will copy PM on visibility on this post.</P><P></P><P><IMG alt="" class="image-1 jive-image" src="https://community.cisco.com/legacyfs/online/fusion/111171_pastedImage_0.png" style="max-width: 1200px; max-height: 900px;" /></P></BODY></HTML> Mon, 11 Sep 2017 19:06:28 GMT https://community.cisco.com/t5/network-access-control/authorization-profile-reporting/m-p/3540958#M526773 Craig Hyps 2017-09-11T19:06:28Z https://community.cisco.com/t5/network-access-control/authorization-profile-reporting/m-p/3540959#M526775 <HTML><HEAD></HEAD><BODY><P>Ahh thanks for that tip Craig. Never thought about creating a new view. If the AZN Policy column was searchable in reports then we would be back in business.</P><P></P><P>Paul Haferman</P><P>Office- 920.996.3011</P><P>Cell- 920.284.9250</P></BODY></HTML> Mon, 11 Sep 2017 19:11:56 GMT https://community.cisco.com/t5/network-access-control/authorization-profile-reporting/m-p/3540959#M526775 paul 2017-09-11T19:11:56Z https://community.cisco.com/t5/network-access-control/authorization-profile-reporting/m-p/3540960#M526777 <HTML><HEAD></HEAD><BODY><P>Did you mean AZN profiles instead of AZN policy as the latter implies Authorization rule and can already be filtered?</P><P><IMG alt="Screen Shot 2017-09-12 at 16.56.51.png" class="image-1 jive-image" height="270" src="/legacyfs/online/fusion/111219_Screen Shot 2017-09-12 at 16.56.51.png" style="height: 269.87px; width: 496px;" width="496" /></P></BODY></HTML> Tue, 12 Sep 2017 17:14:39 GMT https://community.cisco.com/t5/network-access-control/authorization-profile-reporting/m-p/3540960#M526777 hslai 2017-09-12T17:14:39Z https://community.cisco.com/t5/network-access-control/authorization-profile-reporting/m-p/3540961#M526778 <HTML><HEAD></HEAD><BODY><P>Authorization rule is the rule name not the applied Authorization Policy. I should be able to filter on the policy but can't</P><P></P><P>Sent from my iPhone</P></BODY></HTML> Tue, 12 Sep 2017 17:19:20 GMT https://community.cisco.com/t5/network-access-control/authorization-profile-reporting/m-p/3540961#M526778 paul 2017-09-12T17:19:20Z https://community.cisco.com/t5/network-access-control/authorization-profile-reporting/m-p/3540962#M526779 <HTML><HEAD></HEAD><BODY><P>I forwarded your request to enable filtering on authorization profiles to our internal teams. My guess is that any additional filters come with a cost of indexing.</P></BODY></HTML> Wed, 13 Sep 2017 02:48:26 GMT https://community.cisco.com/t5/network-access-control/authorization-profile-reporting/m-p/3540962#M526779 hslai 2017-09-13T02:48:26Z https://community.cisco.com/t5/network-access-control/authorization-profile-reporting/m-p/3540963#M526780 <HTML><HEAD></HEAD><BODY><P>CSCvf95756 opened on the request to allow filtering on Authorization Profiles.</P><P></P><P></P><P>As part of CSCvb46991, we found in ISE 2.1</P><P>that the column "Authorization Profile" displaying "Authorization Policy (rule name)" and</P><P>that the column "SelectedAuthorizationProfiles" mapping to "Authorization Profiles".</P><P></P><P>The fix corrected the column/field names:</P><P>Authorization Policy --&gt; Authentication Policy (rule name)</P><P>Authorization Profile --&gt; Authorization Policy (rule name)</P></BODY></HTML> Thu, 14 Sep 2017 05:31:09 GMT https://community.cisco.com/t5/network-access-control/authorization-profile-reporting/m-p/3540963#M526780 hslai 2017-09-14T05:31:09Z https://community.cisco.com/t5/network-access-control/authorization-profile-reporting/m-p/3540964#M526781 <HTML><HEAD></HEAD><BODY><P>Thanks.</P><P></P><P>So the Context Visibility-&gt;Endpoints is functioning as design and we can’t add in authorization profile without building a custom view?</P><P></P><P>If they can allow is to filter in the reports though that will be very nice. Most times we are looking at data in live logs or the reports.</P><P></P><P>Paul Haferman</P><P>Office- 920.996.3011</P><P>Cell- 920.284.9250</P></BODY></HTML> Thu, 14 Sep 2017 05:36:47 GMT https://community.cisco.com/t5/network-access-control/authorization-profile-reporting/m-p/3540964#M526781 paul 2017-09-14T05:36:47Z https://community.cisco.com/t5/network-access-control/authorization-profile-reporting/m-p/3540965#M526782 <HTML><HEAD></HEAD><BODY><P>That is correct or at least for now, regarding the built-in views have fix sets of fields.</P></BODY></HTML> Thu, 14 Sep 2017 06:06:20 GMT https://community.cisco.com/t5/network-access-control/authorization-profile-reporting/m-p/3540965#M526782 hslai 2017-09-14T06:06:20Z