Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1220
Views
10
Helpful
1
Replies

Cisco ISE 3.1 - Recommended alerts for 802.1x and MAB authentication.

Go to solution
qualxarnu
Level 1
Level 1

‎04-07-2022 07:34 AM

Dear Community,

Could you please reccomend which alert messages will be useful in case of 802.1x and MAB authentication and which could be turned on on the Cisco ISE server?
I assume that I should serch some with the RADIUS name, but if all are needed from this group and whether there are some others which chould infomr mainly why particular host cannot authenticate and identify where the host is connected?
I will apreciate for any hints in this topic.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP

‎04-07-2022 02:49 PM - edited ‎04-07-2022 09:32 PM

Hi @qualxarnu 

 

I find it a journey of discovery every time 

 

This is the link from Cisco documentation that lists all the SYSLOG events that ISE can send.

 

So I always do the following in the lab

Use a SYSLOG collector that you like and can use - e.g. Windows tftpd64 - it's easy to install and displays a nice GUI

Configure this collector as a Remote Logging Target in ISE - use UDP/514 to keep it simple.

Then enable ONE ISE Logging event at a time and point that event to your SYSLOG collector - then cause an event (e.g. 802.1X or MAB)

Observe what happens - then disable that event and enable another one.

 

The typical ones I use to monitor success/failure of RADIUS logins is

AAA Audit - Failed Attempts

AAA Audit - Passed Authentications

Accounting - RADIUS Accounting

 

that will give you something to look at.

View solution in original post

1 Reply 1

Go to solution
Arne Bier
VIP
VIP

‎04-07-2022 02:49 PM - edited ‎04-07-2022 09:32 PM

Hi @qualxarnu 

 

I find it a journey of discovery every time 

 

This is the link from Cisco documentation that lists all the SYSLOG events that ISE can send.

 

So I always do the following in the lab

Use a SYSLOG collector that you like and can use - e.g. Windows tftpd64 - it's easy to install and displays a nice GUI

Configure this collector as a Remote Logging Target in ISE - use UDP/514 to keep it simple.

Then enable ONE ISE Logging event at a time and point that event to your SYSLOG collector - then cause an event (e.g. 802.1X or MAB)

Observe what happens - then disable that event and enable another one.

 

The typical ones I use to monitor success/failure of RADIUS logins is

AAA Audit - Failed Attempts

AAA Audit - Passed Authentications

Accounting - RADIUS Accounting

 

that will give you something to look at.

Customers Also Viewed These Support Documents