Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9224
Views
5
Helpful
4
Replies

CISCO ISE Radius live logs

ibrkic001
Level 1
Level 1

‎02-08-2021 01:34 AM

Hello,

 

i have setup Radius 802.1x authentication for wireless users( secure network) on Cisco ISE. Wireless clients are connected and  i see them on ISE like active endpoints.

The problem is , i can not see in RADIUS live logs for success connections. There was just on beginning and now we have no logs when clients get connection.

We have logs for failed authentication ( wrong password..)

 

What could be a problem?

 

best regards

0 Helpful
4 Replies 4

balaji.bandi
Hall of Fame
Hall of Fame

‎02-08-2021 02:25 AM

here the log config -  ( we need to know what is the configuration configured in if Wired switch port side, Wireless controller side).

 

ISE has local logging although it disabled by default for Passed Authentications. We may go to ISE Admin Web UI > Administration > System > Logging > Logging Categories. Select Passed Authentications and put a check mark on [ V ] Local Logging.

 

https://ciscocustomer.lookbookhq.com/iseguidedjourney/ISE-troubleshooting

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/212594-debugs-to-troubleshoot-on-ise.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Mohammed al Baqari
Level 11
Level 11

‎02-08-2021 02:36 AM

Hi,

Can you make sure that you don't have anything in the filtering tabs in
live logs? Also, when you say its working, it means that guys are
successfully authenticated, isn't it? You can verify that from NAM agent.
Make sure that you don't have open mode ISE and its not working but still
allowing users.

***** please remember to rate useful posts
0 Helpful

Damien Miller
VIP Alumni
VIP Alumni

‎02-08-2021 08:23 PM

By default, ISE suppresses repeated passed authentication attempts in the live logs. So if you are still seeing live logs, which it sounds like you are, and not just seeing a message for "no data found" when you visit the live logs page, then this is the most likely culprit. If nothing changes between authentication attempts, then it's treated as a repeated attempt. 

I circled three items for you, the repeat counter on the live session "72" in this case, the bullseye which can be hovered over to open the menu you see, and the "bypass suppression filtering for 1 hour" message. Selecting this will show you all passed and failed authentication attempts for an endpoint without suppression filtering. 

bypass.png

ibrkic001
Level 1
Level 1

‎02-08-2021 11:31 PM

Thanks everyone for suggestions.

Problem was in settings for Radius protocols , Client suppression for failed attempts was enabled. After disable it, i can see authentications logs and sessions in Radius live logs.

We left Client suppressions for successful attempts enabled, and we see repeated session.

 

0 Helpful
Customers Also Viewed These Support Documents