Cannot use Cisco ISE Session Trace tool due to an error message

rezaalikhani
Level 3

Hi all;

Consider the following example:

2.png

When I click on the Run button, the following error message appears:

1.png

 

I am using ISE 2.7 Patch 6.

Any ideas?

Thanks

4 Replies

Arne Bier
VIP

I don't think this is a generic issue with ISE 2.7 patch 6 - I just did a basic test on the exact same version and patch and it works for me.

Well, I say it "works" but it doesn't pass the test I was expecting. At least I don't get any errors like you're experiencing.

The trouble I have with this feature is that I find it hard and cumbersome to put all the correct attributes in - it takes ages and it's error prone. For one, I can't see any option to specify the UDP Source IP address (of the NAS) sending the request. Perhaps I am mistaken, but ISE doesn't process the NAS IP Address attribute - it relies on the source IP address of the UDP packet.

I am wondering why you chose the specific RADIUS attributes to go into your test? Did you take these attributes from a tcpdump? Have you seen those exact attributes in a real RADIUS Access-Request ?

Stab in the dark - perhaps the MAC address should be delimited with ":" instead of "-" ?

 

I have given up trying, even after I took a wireshark capture of an Access-Request (EAP-TLS) ... there are too many Cisco AVPs in there - I don't think those are relevant to the ISE Policy Set processing. The ones that are important in my experience are

Source IP Address of RADIUS packet

User-Name

Calling-Station ID

Service-Type

NAS-Port-Type
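Pulling the attributes listed in the reply above out of a captured Access-Request, as an added example that is not part of the original thread. The function names, the `Source-IP` key and the sample packet are constructed for illustration; the attribute type numbers are those of RFC 2865, and the source IP is passed in separately because it lives in the IP header of the capture, not in the RADIUS payload.

```python
import struct

# RADIUS attribute type numbers (RFC 2865) for the attributes named in the reply.
WANTED = {1: "User-Name", 6: "Service-Type", 31: "Calling-Station-Id", 61: "NAS-Port-Type"}
INT_ATTRS = {6, 61}  # carried as 32-bit big-endian integers

def build_attr(attr_type, value):
    """Encode one type/length/value attribute (helper for the constructed sample)."""
    return bytes([attr_type, len(value) + 2]) + value

def sample_packet():
    """Constructed Access-Request, not taken from a real capture."""
    attrs = (build_attr(1, b"alice")
             + build_attr(4, bytes([10, 0, 0, 5]))        # NAS-IP-Address
             + build_attr(6, struct.pack("!I", 2))        # Service-Type = Framed
             + build_attr(31, b"AA-BB-CC-DD-EE-FF")
             + build_attr(61, struct.pack("!I", 15))      # NAS-Port-Type = Ethernet
             + build_attr(26, struct.pack("!I", 9) + bytes([1, 8]) + b"a=test"))  # Cisco VSA
    # Header: code 1 (Access-Request), identifier, total length, 16-byte authenticator.
    return struct.pack("!BBH", 1, 42, 20 + len(attrs)) + bytes(16) + attrs

def parse_access_request(packet, src_ip):
    """Return the fields listed in the reply; src_ip comes from the capture's IP header."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1:
        raise ValueError("not an Access-Request")
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the data")
    found, skipped, pos = {"Source-IP": src_ip}, 0, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attr_type, attr_len = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + attr_len]
        if attr_type not in WANTED:
            skipped += 1  # e.g. NAS-IP-Address and vendor-specific AVPs
        elif attr_type in INT_ATTRS:
            if len(value) != 4:
                raise ValueError("integer attribute is not 4 bytes")
            found[WANTED[attr_type]] = struct.unpack("!I", value)[0]
        else:
            found[WANTED[attr_type]] = value.decode("utf-8", "replace")
        pos += attr_len
    found["skipped"] = skipped
    return found

if __name__ == "__main__":
    print(parse_access_request(sample_packet(), "192.0.2.10"))
```

The `skipped` count shows how many attributes in the request fall outside that short list, which is the part that makes hand-entering a full capture into a test form tedious.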

rezaalikhani
Level 3

I have generated the above output directly from Live Log, as you can see below:

3.png

As you can see, it refers to a log. Where is the log to investigate it more for troubleshooting?

Thanks again.

Thanks for that tip - I hadn't realised it was so simple!  However, when I run that against a session that is active (and passed a specific Policy Set), then the feature tells me that the auth wouldn't pass. But it does. I think that is why I gave up on this feature years ago. I just don't get it.

 

As for the logs - you will have to study this document here and take an educated guess at which log the results can be found in. TAC would usually know the answer. They would enable DEBUG level for the relevant component, and then reproduce the "problem scenario". At the end you should always turn the logging level back to the default. ISE writes a lot of logs and it could impact your system.

 

I can try various examples from Live Logs but I always get the same result ... and the results are not what happens in reality.

 

trace.png

Arne Bier
VIP

@rezaalikhani - did you ever get this working? I have tried in ISE 2.7 (latest patch) and ISE 3.0 latest patch and neither of them produce a working solution. If I had the time I would raise a TAC case to get answers. I doubt this ever worked.
