Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

216
Views
10
Helpful
6
Replies
Aleksandr Serov
Aleksandr Serov Beginner
Beginner
‎06-13-2019 10:17 PM
‎06-13-2019 10:17 PM

How to add more AD attributes to the live logs

Hello,

Please suggest how to add more AD attributes to the radius live logs. We use ISE 2.3 for 802.1x authentication thru ActiveDirectory. Earlier I saw a lot of AD attributes in the live logs, for example "memberOf" fields, and they helped a lot to tune policy sets. But then something happened and now logs show only short set of attributes. 

 

Is there any documentation on how to get and use all available attributes from ActiveDirectory?

 

Thank you in advance

 

0 Helpful
Reply
2 ACCEPTED SOLUTIONS

Accepted Solutions
yalbikaw
yalbikaw Cisco Employee
Cisco Employee
‎06-16-2019 11:40 AM
‎06-16-2019 11:40 AM

Re: How to add more AD attributes to the live logs

Hello Aleksandr, 

 

now the attributes are retrieved from AD, what i can advice you to do is the below:

 

go to administration > external identity source > active directory 

click on the join point, there is section called attributes, 

click on it then select retrieve  attributes from active directory.

put any user and click on retrieve it will collect all the available attributes, add what you need then you can use it in policy set.

 

 

 

 

View solution in original post

Reply
Highlighted
yalbikaw
yalbikaw Cisco Employee
Cisco Employee
‎06-17-2019 05:20 AM
‎06-17-2019 05:20 AM

Re: How to add more AD attributes to the live logs

did you use them in condition ? or you just want to see them on logs ? we dont usually control the logs only collection filter but part of the report we dont,

 

in case of difficulties on this matter as suggested tac case will be good, however if you want to see what we retrieve for specific user.

 

go to AD tap and test the user there for lookup there will attribute section it will contain everything

 

View solution in original post

Reply
6 REPLIES 6
ldanny
ldanny Cisco Employee
Cisco Employee
‎06-16-2019 02:02 AM
‎06-16-2019 02:02 AM

Re: How to add more AD attributes to the live logs

What Authentication method are you using?

Can you send a snap shot of the attributes you are seeing and name or show the attributes you are not seeing.

0 Helpful
Reply
Aleksandr Serov
Aleksandr Serov Beginner
Beginner
‎06-17-2019 01:10 AM
‎06-17-2019 01:10 AM

Re: How to add more AD attributes to the live logs

Hello @ldanny Thank you for response.

We use dot1x Authentication method. I want to see "memberOf" attribute in the Radios Live Logs but it is absent here.

 

ise1.pngise2.png

0 Helpful
Reply
yalbikaw
yalbikaw Cisco Employee
Cisco Employee
‎06-16-2019 11:40 AM
‎06-16-2019 11:40 AM

Re: How to add more AD attributes to the live logs

Hello Aleksandr, 

 

now the attributes are retrieved from AD, what i can advice you to do is the below:

 

go to administration > external identity source > active directory 

click on the join point, there is section called attributes, 

click on it then select retrieve  attributes from active directory.

put any user and click on retrieve it will collect all the available attributes, add what you need then you can use it in policy set.

 

 

 

 

View solution in original post

Reply
Aleksandr Serov
Aleksandr Serov Beginner
Beginner
‎06-17-2019 01:16 AM
‎06-17-2019 01:16 AM

Re: How to add more AD attributes to the live logs

Hello @yalbikaw Thank you for response and valuable information. I did not know how to manage attributes. 

I selected all attributes I want to see in the logs but they still not included in the live log.

ise0.png

0 Helpful
Reply
ldanny
ldanny Cisco Employee
Cisco Employee
‎06-17-2019 02:40 AM
‎06-17-2019 02:40 AM

Re: How to add more AD attributes to the live logs

If your not seeing the attribute after adding it from AD I suggest you contact TAC for further troubleshooting

 

 

0 Helpful
Reply
Highlighted
yalbikaw
yalbikaw Cisco Employee
Cisco Employee
‎06-17-2019 05:20 AM
‎06-17-2019 05:20 AM

Re: How to add more AD attributes to the live logs

did you use them in condition ? or you just want to see them on logs ? we dont usually control the logs only collection filter but part of the report we dont,

 

in case of difficulties on this matter as suggested tac case will be good, however if you want to see what we retrieve for specific user.

 

go to AD tap and test the user there for lookup there will attribute section it will contain everything

 

View solution in original post

Reply
Latest Contents
The year in cyber threats: A look back at the tools and tact...
Created by Kelli Glass on 12-13-2019 03:37 PM
0
0
0
0
How would your organization perform against the cyberattacks of 2019? Protect your organization in 2020 by learning about the biggest cyberthreats of the year. Read the latest Cisco Cybersecurity Report 
#CiscoChat Live: 2019 Cyber Threats of the Year
Created by Kelli Glass on 12-13-2019 03:19 PM
0
0
0
0
Join us live on Tuesday, December 17 at 9 am PT (and on demand after) to learn about the cyber threats of 2019 and how to defend your organization in the future.   Some cybercriminals have specific organizations in mind when they’re planning an attac... view more
#CiscoChat Live: 2019 Cyber Threats of the Year
Created by Kelli Glass on 12-13-2019 03:17 PM
0
0
0
0
Join us live on Tuesday, December 17 at 9 am PT (and on demand after) to learn about the cyber threats of 2019 and how to defend your organization in the future. Some cybercriminals have specific organizations in mind when they’re planning an attack. We l... view more
Stealthwatch Enterprise - what capabilities does it provide ...
Created by ben.greenbaum on 12-12-2019 11:27 AM
0
0
0
0
Threat Response integrates with Cisco Stealthwatch Enterprise (SWE) to provide Visibility into network threats. By adding an SWE module to Threat Response, investigators will be able to search for network flows to or from IP addresses that have been reco... view more
Monitoring Failover status (ASA Cluster, Active/Standby) by ...
Created by Oleg Volkov on 12-12-2019 02:26 AM
0
0
0
0
Hi.Want to know Failover cluster status? If You have PRTG do it in 5 min.Download my sensor.Deploy REST API to Your ASA,sAdd my sensor to PRTG and set parameters:In PRTG device settings add linux user and password (ASA user, which have read permissions)-u... view more
CreatePlease to create content
Discussion
Blog
Document
Video