topic ISE Admin Access Logs in Network Access Control

ISE Admin Access Logs

phillip.vansickle — Wed, 03 Mar 2021 17:36:07 GMT

I am having a user who is trying to access iSE using an AD account.

The account has the proper groups associated with it and I've verified the ISE configuration.

How do I view logs of attempted login attempts?

Thanks,

Phill

Re: ISE Admin Access Logs

balaji.bandi — Wed, 03 Mar 2021 18:39:19 GMT

Look at the Live Logs, is this only for 1 user or any user not working.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_2x.html

Re: ISE Admin Access Logs

phillip.vansickle — Thu, 04 Mar 2021 00:24:32 GMT

How to get the logs:

Enable Active Directory Debug Logs
Active Directory debug logs are not logged by default. You must enable this option on the Cisco ISE node that has assumed the Policy Service persona in your deployment. Enabling Active Directory debug logs may affect ISE performance.

Procedure
Step 1 Choose Administration > System > Logging > Debug Log Configuration.
Step 2 Click the radio button next to the Cisco ISE Policy Service node from which you want to obtain Active Directory debug information, and click Edit.
Step 3 Click the Active Directory radio button, and click Edit.
Step 4 Choose DEBUG from the drop-down list next to Active Directory. This will include errors, warnings, and verbose logs. To get full logs, choose TRACE.
Step 5 Click Save.
Obtain the Active Directory Log File for Troubleshooting
Download and view the Active Directory debug logs to troubleshoot issues you may have.

Before You Begin
Active Directory debug logging must be enabled.

Procedure
Step 1 Choose Operations > Troubleshoot > Download Logs.
Step 2 Click the node from which you want to obtain the Active Directory debug log file.
Step 3 Click the Debug Logs tab.
Step 4 Scroll down this page to locate the ad_agent.log file. Click this file to download it.

Re: ISE Admin Access Logs

Marcelo Morais — Thu, 04 Mar 2021 00:17:12 GMT

Hi @phillip.vansickle ,

beyond what @balaji.bandi said ... please take a look at:

Operations > Reports > Reports > Audit > Administrator Logins.

Hope this helps !!!

Re: ISE Admin Access Logs

phillip.vansickle — Thu, 04 Mar 2021 00:18:34 GMT

Problem is with a single user who is in the proper active directory groups.

Everyone else who is in the correct groups logs into ISE with no issues.

This is what I consistently see in the debugs output...

Error code: 40506 (symbol: LW_ERROR_NO_CRED),lsass/server/ntlm/acquirecreds.c:103

Error code: 40506 (symbol: LW_ERROR_NO_CRED),lsass/client/ntlm/clientipc.c:299

Error code: 40506 (symbol: LW_ERROR_NO_CRED),lsass/client/ntlm/acquirecreds.c:84

Re: ISE Admin Access Logs

Marcelo Morais — Thu, 04 Mar 2021 12:54:55 GMT

Hi @phillip.vansickle

if my understanding is correct, you are having issues with only one User in an AD Group, the other Users have no issue even though they belong to the same AD Group, is that correct?

On Operations > Reports > Reports > Audit > Administrator Logins, check for Administrator authentication succeeded and Administrator authentication failed on the Event column of this particular User.

On Administration > Identity Management > External Identity Sources > Active Directory > <select you AD> and on the Connection tab, click the Test User ... check if you are able to retrieve the Groups and Attributes.

Hope this helps !!!

Re: ISE Admin Access Logs

thomas — Sat, 13 Mar 2021 18:46:15 GMT

I cannot tell from your question if this is for an ISE administrative user trying to login to the ISE GUI or a network access user being authenticated with RADIUS.

For an admin user, @Marcelo Morais provided excellent instructions.

For a network access user, view the ISE Operations > RADIUS > LiveLogs. You can even filter by the username then click on the Details icon to see the reasons for the failure.