cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

931
Views
0
Helpful
2
Replies
Bransomar
Beginner

Cisco ISE - Is it possible to suppress logs in monitor by failure reason code?

I have a situation where a bunch of users passwords expired in AD.  There are several machines that users are logged into with their old passwords, which is causing authentication failures (failure reason code 24408).  These log messages are occurring frequently, about 1-2 minutes for each machine, and with 10+ machines in this situation, it is flooding my Auth message log.

 

Is there a way to suppress logs in the Auth monitor by failure reason code for a certain duration, similar to what you can to with the RADIUS anomalous client suppression?

thx

 

2 REPLIES 2
Jatin Katyal
Cisco Employee

Not with the failure code however you can create collection filter on ISE based on

– User Name

– MAC Address

– Policy Set Name

– NAS IP Address

– Device IP Address

You can read more about it here.

 

Regards,

Jatin

 

~Jatin

I looked at that feature, but that doesn't help me any based on my problem described above.  Is there a solution to help with this?  Can the ISE team add the functionality to filter by failure code?

Content for Community-Ad