
02-12-2015 01:30 PM - edited 03-10-2019 10:27 PM
I have a question about the AuthZ Policy “Monitor Only” or "Audit" mode. I want to test a new AuthZ policy by using “Monitor Only” mode, but I am not seeing any indication that my Test device is hitting the rule while in Monitor only mode… It ends up hitting our last default rule which is currently permit any. If I actually enable the rule, I can see the device hitting the rule and getting denied in the Authentication log window.
So I know the rule works, but I want to only monitor the rule for now to see what would get denied, so that we can assess how we want to handle auth for said devices. According to some info I found, I should be seeing an indication in the Auth log window that a rule was matched, if it is in Monitor Only mode.
I am currently running ISE 1.3.0.876.
Any help is appreciated
Solved! Go to Solution.
Labels: AAA
Accepted Solutions

02-12-2015 02:29 PM
I have had the same experience. If you look at the AuthZ details for the connection, you will see under Other Attributes a special attribute returned named "RadiusAuthorizationPolicyMatchedMonitorRules," but as far as I know there is no way to run a report on it. Maybe someone else has a suggestion on it.
What I do as a workaround is create a rule matching the conditions and create a special Authorization Profile for the rule that just has ACCESS_ACCEPT (not to break any traffic), then run a RADIUS Authentication report matching that Authorization Profile.
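As an added example (not code from this thread or from Cisco ISE), the script below shows how to find the monitor-rule matches the reply refers to without the ACCESS_ACCEPT workaround: it scans exported authentication records for the "RadiusAuthorizationPolicyMatchedMonitorRules" attribute and counts which monitored rules would have fired. The sample records are constructed; their comma-separated Key=Value layout, the "UserName", "Calling-Station-ID" and "AuthorizationPolicyMatchedRule" keys, and the ";" separator between several monitor rules are assumptions, so adjust the regex and separator to whatever your ISE export actually emits.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample records. The Key=Value, Key=Value shape is an assumption
# about what an ISE authentication export looks like, not a captured log.
SAMPLE_RECORDS = [
    "CISE_Passed_Authentications UserName=host/lab-pc1, Calling-Station-ID=00-11-22-33-44-55, "
    "AuthorizationPolicyMatchedRule=Default, "
    "RadiusAuthorizationPolicyMatchedMonitorRules=Deny-Unmanaged-Printers, "
    "AuthenticationStatus=AuthenticationPassed",
    "CISE_Passed_Authentications UserName=jdoe, Calling-Station-ID=AA-BB-CC-DD-EE-FF, "
    "AuthorizationPolicyMatchedRule=Corp-Employees, "
    "AuthenticationStatus=AuthenticationPassed",
    "CISE_Passed_Authentications UserName=host/lab-pc2, Calling-Station-ID=00-11-22-33-44-66, "
    "AuthorizationPolicyMatchedRule=Default, "
    "RadiusAuthorizationPolicyMatchedMonitorRules=Deny-Unmanaged-Printers;Quarantine-Legacy-OS, "
    "AuthenticationStatus=AuthenticationPassed",
]

# Attribute name as quoted in the thread; the others are assumed key names.
MONITOR_ATTR = "RadiusAuthorizationPolicyMatchedMonitorRules"
APPLIED_ATTR = "AuthorizationPolicyMatchedRule"
MONITOR_SEP = ";"  # assumed separator when several monitor rules matched

# One Key=Value pair; values run up to the next comma.
ATTR_RE = re.compile(r"([A-Za-z][\w-]*)=([^,]*)")


def parse_record(line: str) -> Dict[str, str]:
    """Turn one 'Key=Value, Key=Value' record into a dict of trimmed values."""
    return {key: value.strip() for key, value in ATTR_RE.findall(line)}


def monitor_hits(lines: List[str]) -> List[Dict[str, object]]:
    """Return one entry per session that matched at least one monitor-only rule.

    Each entry records which rule was actually applied (typically the default
    permit rule the session fell through to) and which monitored rules would
    have applied had they been enabled.
    """
    hits = []
    for line in lines:
        rec = parse_record(line)
        raw = rec.get(MONITOR_ATTR, "")
        if not raw:
            continue  # session never touched a monitor-only rule
        hits.append({
            "user": rec.get("UserName", "?"),
            "mac": rec.get("Calling-Station-ID", "?"),
            "applied_rule": rec.get(APPLIED_ATTR, "?"),
            "monitor_rules": [r.strip() for r in raw.split(MONITOR_SEP) if r.strip()],
        })
    return hits


def monitor_rule_counts(lines: List[str]) -> Counter:
    """Count, per monitored rule, how many sessions would have matched it."""
    counts: Counter = Counter()
    for hit in monitor_hits(lines):
        counts.update(hit["monitor_rules"])
    return counts


if __name__ == "__main__":
    for hit in monitor_hits(SAMPLE_RECORDS):
        print(f"{hit['user']} ({hit['mac']}) got '{hit['applied_rule']}', "
              f"would have matched: {', '.join(hit['monitor_rules'])}")
    for rule, n in monitor_rule_counts(SAMPLE_RECORDS).most_common():
        print(f"{rule}: {n} session(s)")
```

Feeding the real export into monitor_hits gives the per-session view the original poster was looking for in the Auth log window, and monitor_rule_counts gives the assessment figure (how many devices a rule would deny once enabled) without creating an extra rule and profile.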
02-13-2015 12:15 PM
Thanks. I see that in the session details now. That is quite a cumbersome way to use the Audit option. It would be nice if they could highlight the session in a different color to show that it matched the audited rule.
04-14-2020 05:50 AM
Hello
I tried with Cisco ISE 2.6 to add a tacacs authorization rule in "monitor" mode.
I placed this rule at the top.
But I never see the attribute "RadiusAuthorizationPolicyMatchedMonitorRules" in the live logs AuthZ detail (under "other attributes").
Although I know that rule matches, because when I change the status (from Monitor to Enable), this rule matches.
Michel Misonne

04-14-2020 04:52 PM
A TACACS+ session is never going to match the RADIUS attribute "RadiusAuthorizationPolicyMatchedMonitorRules".
I did some testing with a Device Admin AuthZ Policy rule set to Monitor status and do not find any attributes in either the Authentication or Authorization detailed reports that indicate a matched monitor rule.
Unlike RADIUS that combines Authentication and Authorization, TACACS+ separates those two functions. I suspect the ability to set a Device Admin AuthZ Policy rule to Monitor status was never a fully realised feature. I even set the 'runtime-AAA' log to debug level and checked the 'ise-psc.log' and 'prrt-server.log' files, but did not see any indication of my Monitor rule.
I suspect this is something that maybe never made it into the design spec for the ISE TACACS+ feature, so it's probably working as designed. If you would like to request an enhancement around this, see the following post.
04-14-2020 11:59 PM
You are right!
I tried the same test (Admin access on a vWLC) using RADIUS, not TACACS, and I can now see the attribute "RadiusAuthorizationPolicyMatchedMonitorRule" when the monitoring rule matches.
Michel Misonne
