topic Re: Cisco ISE logs in Network Access Control

Cisco ISE logs

pipkin231 — Fri, 21 Feb 2020 18:55:07 GMT

Hi all,

I have ISE logs in GPG format. Is there anyway i can read the file ? I am trying to troubleshoot wireless issue . The mobile devices suddenly disconnect from wifi.

Re: Cisco ISE logs

M. Wisely — Thu, 03 May 2018 10:48:00 GMT

So when you went to download the logs you either selected Public Key Encryption or Shared Key Encryption. If you selected the latter you can decrypt the file with the key you provided but if you selected the former only Cisco can decrypt it.

Re: Cisco ISE logs

ajc — Thu, 03 May 2018 13:02:13 GMT

Usually Wireless disconnections has nothing to do with ISE because the WLC is the one that determines the session timeout and some others timers. First thing I would check is the idle/session timeout configured on the WLC (global setup) or the SSID session timeout. Another reason could be roaming. If you are using 802.1x there is no way you can avoid that disconnection no matter you have session resume enabled (this topic was discussed extensively with Cisco and it is a normal behavior on PEAP / EPA-TLS) BUT available on WLC version 8.3+, fast transition for Apple Devices only can help you with the roaming disconnection behavior.

Have you seen on ISE many 5440 error codes?.

In addition to that, using wildcard cert on ISE helps a little bit with the roaming issue.

Re: Cisco ISE logs

ajc — Thu, 03 May 2018 13:03:39 GMT

take a look here as well

https://clnv.s3.amazonaws.com/2015/usa/pdf/BRKSEC-3697.pdf

Slides 42-47

Re: Cisco ISE logs

Arne Bier — Thu, 03 May 2018 23:04:39 GMT

That's it - only Cisco hold the private key to decrypt the file that was encrypted with the public key. BUT - if you encrypted the files with a shared key, then decrypting the file is a doddle.

Windows: Install GpgEx (open source)

Unix: gpg -v --batch --yes --passphrase Encryption123 -d Mylogs.tar.gpg > Mylogs.tar

The encrypted file is Mylogs.tar.gpg and the shared key is Encryption123

The result is redirected to a file called Mylogs.tar - then use the regular tools like

tar tvf Mylogs.tar to view contents of the tar bundle

tar xvf Mylogs.tar to extract contents

I use this all the time to drive myself crazy about the junk that Cisco puts into ISE Config backups. In my case the file is 500MB (compressed) and when uncomressed I have 8GB of debug logs. If Cisco were to stop spamming the backup file with junk, it should be in the order of 10MB in my case.