Okay this will be a little venting of a post, but want to ask about a few issues in reporting on ISE authentication activity. In our best practices we have the following:
- Every rule in ISE has a unique authorization profile created.
- Every authorization profile is well named and self documenting using the following standards:
- SSID_<SSID Name>_<Auth Protocol>_<Description>, i.e. SSID_Employee_PEAP_Domain_Computer
- Wired_MAB_Descption, i.e. Wired_MAB_Printer
- Wired_Dot1x_<Auth Protocol>_<Description>, i.e. Wired_Dot1x_PEAP_Domain_Computer
- VPN_<tunnel group/use case>_<Description>, i.e. VPN_Employee_IT_Admins
With this naming convention, we can hide the Authentication Policy and Authorization Policy in the Live Log window as they are irrelevant. The Authorization Profile column tells the user exactly what happened. The Authorization Profile is the result applied to the user and what is important. The rule name is irrelevant, although we name them accordingly.
In ISE 2.1, I identified a bug (CSCvb46991) in the Context Visibility screen where the Authorization Profile column was putting the rule name in by mistake. It seems like the solution for that bug was to get rid of the Authorization Profile column all together. So instead of fixing the issue, the ability to filter on our well name results isn't an option on the Context Visibility screen.
In the RADIUS authentication reports, you can add the "AZN Policy" (this is a 1.0 name I think... why hasn't this been updated), but you can't filter on that column. Makes no sense why you can't filter on any of the columns.
Any reasons we can't use Authorization Profiles as filtering conditions in Context Visibility and Reports? It looks silly to customers when they have well named results and they can't use them on all screens when in my mind there is no difficult technical reason behind it.
