topic Re: I have the same pb in Network Access Control

AuthZ Policy “Monitor Only” mode

cjkaufman@dmgov.org — Mon, 11 Mar 2019 05:27:00 GMT

I have a question about the AuthZ Policy “Monitor Only” or "Audit" mode. I want to test a new AuthZ policy by using “Monitor Only” mode, but I am not seeing any indication that my Test device is hitting the rule while in Monitor only mode… It ends up hitting our last default rule which is currently permit any. If I actually enable the rule, I can see the device hitting the rule and getting denied in the Authentication log window.

So I know the rule works, but I want to only monitor the rule for now to see what would get denied, so that we can assess how we want to handle auth for said devices. According some info I found, I should be seeing an indication in the Auth log window that a rule was matched, if it is Monitor only mode.

I am currently running ISE 1.3.0.876.

Any help is appreciated

I have had the same

jj27 — Thu, 12 Feb 2015 22:29:18 GMT

I have had the same experience. If you look at the AuthZ details for the connection, you will see under Other Attributes a special attribute returned named "RadiusAuthorizationPolicyMatchedMonitorRules," but as far as I know there is no way to run a report on it. Maybe someone else has a suggestion on it.

What I do as a workaround is create a rule matching the conditions and create a special Authorization Profile for the rule that just has ACCESS_ACCEPT (not to break any traffic), then run a RADIUS Authentication report matching that Authorization Profile.

Thanks. I see that in the

cjkaufman@dmgov.org — Fri, 13 Feb 2015 20:15:12 GMT

Thanks. I see that in the session details now. That is quite a cumbersome way to use the Audit option. It would be nice if they could highlight the session a difference color to show that it matched the Audited rule.

Re: I have the same pb

mmisonne — Tue, 14 Apr 2020 12:50:01 GMT

Hello

I tried with Cisco ISE 2.6 to add a tacacs authorization rule in "monitor" mode.

I placed this rule at the top.

But I never see the attribute "RadiusAuthorizationPolicyMatchedMonitorRules" in the live logs AuthZ detail (under "other attributes").

Alltthough, I know that rule matches , because , when I change the status (from monitor to Enable), this rule matches.

Michel Misonne

Re: I have the same pb

Greg Gibbs — Tue, 14 Apr 2020 23:52:21 GMT

A TACACS+ session is never going to match the RADIUS attribute "RadiusAuthorizationPolicyMatchedMonitorRules"

I did some testing with a Device Admin AuthZ Policy rule set to Monitor status and do not find any attributes in either the Authentication or Authorization detailed reports that indicate a matched monitor rule.

Unlike RADIUS that combines Authentication and Authorization, TACACS+ separates those two functions. I suspect the ability to set a Device Admin AuthZ Policy rule to Monitor status was never a fully realised feature. I even set the 'runtime-AAA' log to debug level and checked the 'ise-psc.log' and 'prrt-server.log' files, but did not see any indication of my Monitor rule.

I suspect this is something that maybe never made it into the design spec for the ISE TACACS+ feature, so it's probably working as designed. If you would like to request and enhancement around this, see the following post.

How to Submit an ISE Feature or Enhancement Request

Re: I have the same pb

mmisonne — Wed, 15 Apr 2020 06:59:25 GMT

You are right !
I tried the same test (Admin access on a vWLC) using Radius, not Tacacs, and I can now see the attribute "RadiusAuthorizationPolicyMatchedMonitorRule" , when the monitoring rule matches.

Michel Misonne