
Context visibility status is disconnected (grey) also showing IP Address

getaway51
Level 2

Hi,

 

1) Can I make a conclusion that ep status disconnected (grey) shows that they were connected in the past, meaning these ep have PASSED AUTHENTICATION? Therefore I shouldn't worry about these ep?

2) Status is BLANK means ep never connected before?

3) Normally status->disconnected also showing IP Address

What does it mean when status->disconnected but NOT showing IP Address?

 

 

 

Accepted Solutions

pavagupt
Cisco Employee

1) Can I make a conclusion that ep status disconnected (grey) shows that they were connected in the past, meaning these ep have PASSED AUTHENTICATION? Therefore I shouldn't worry about these ep?

<reply> Yes. Endpoint status disconnected means the endpoint was connected to the network in the past and got disconnected, i.e. it might have got an accounting stop or been inactive for a longer period of time.

2) Status is BLANK means ep never connected before?

<reply> Endpoints are learned through profiling probes but haven't gone through authentication at all.

3) Normally status->disconnected also showing IP Address

What does it mean when status->disconnected but NOT showing IP Address?

<reply> ISE learns the IP address of an endpoint through RADIUS accounting.

This might have been the possibility: if the endpoint is connected to the network but ISE wasn't informed about the IP address through RADIUS accounting --> ISE shows that the endpoint is active but with no IP address --> if the same endpoint got disconnected (RADIUS accounting stop) then it will show in disconnected state in Context Visibility, of course with no IP address, as ISE wasn't informed about the IP address of the endpoint through RADIUS.

 


In switches, when I do show authentication brief, I noticed UZ (Status: Unauthorized, Domain: UNKNOWN) for 48992s. Does this happen (Status: Unauthorized, Domain: UNKNOWN) if someone logs out from the domain but leaves the computer ON? I am confused if this is a failed machine or not.

Have you configured computer authentication? Haven't you configured MAB authentication on the switchport?

Usually when the user is logged off from the computer, without MAB enabled on the switchport, the switchport always looks for dot1x authentication. Without enabling computer authentication (achieved through eap-chaining), the switchport is expected to be in unauthorized state when the user is logged off or in inactive state, based on the configuration.

1) How do I check if the port is enabled for "eap-chaining" you mentioned?

The reason I asked was because I saw the port was in Status disconnected-Grey and the port was in UZ.

So as mentioned previously, when Status is disconnected-Grey it means authentication was successful in the past.

Therefore I suspect, like you said, the user logged out, then Status disconnected and the port was in UZ.

2) Just another confirmation: since Status disconnected-Grey means authentication was successful in the past, therefore I don't need to worry about its authentication in the future, am I correct?

 

 

1) There is no separate port setting for EAP Chaining. It is enabled by ISE policy and the AnyConnect NAM supplicant. See How To: Deploy EAP Chaining with AnyConnect NAM and ISE for more information.

 

2) It means that ISE has seen a RADIUS session in the past for that endpoint (MAC address). It does not necessarily mean the previous authentication/authorisation was successful. You should confirm the previous session results from either the ISE reports or any external logging source you might be using for historical logging.

Hi,

 

It means that ISE has seen a RADIUS session in the past for that endpoint (MAC address). It does not necessarily mean the previous authentication/authorisation was successful. 

 

From the statement above, do you mean that a RADIUS session could be a FAIL one? Is that the reason why you are saying "It does not necessarily mean the previous authentication/authorisation was successful."? FYI I won't find any info in the RADIUS logs. It only displays lots of failed MAB sessions and the last 24 hours.

"From the statement above, do you mean that a RADIUS session could be a FAIL one?"

Yes, ISE will still learn the MAC address for a failed AuthC/AuthZ and that MAC will be seen in Context Visibility.

 

The Live Logs will only show session information for the past 24 hours. For any information older than that, you would need to use the ISE Reports (Operations > Reports). Relevant reports would be the RADIUS Authentications and RADIUS Accounting reports.
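
The behaviour described in this thread, as an added example that is not part of any post and is not Cisco's code: a simplified Python model that replays constructed events to show how an endpoint ends up blank, disconnected with an IP, disconnected without an IP, or disconnected after only a failed authentication. The event types, field names and the `needs_review` helper are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Endpoint:
    mac: str
    radius_seen: bool = False   # any RADIUS session, passed or failed
    active: bool = False
    ever_passed: bool = False   # not visible from the status alone
    ip: Optional[str] = None    # only learned from RADIUS accounting

    @property
    def status(self) -> str:
        if not self.radius_seen:
            return ""            # blank: learned by a profiling probe only
        return "connected" if self.active else "disconnected"

def replay(events):
    """Apply events in order and return {mac: Endpoint}."""
    eps = {}
    for ev in events:
        ep = eps.setdefault(ev["mac"], Endpoint(ev["mac"]))
        kind = ev["type"]
        if kind == "auth":
            ep.radius_seen = True          # MAC is learned even on failure
            ep.active = ev["passed"]
            ep.ever_passed = ep.ever_passed or ev["passed"]
        elif kind == "acct-start":
            ep.ip = ev.get("framed_ip") or ep.ip
        elif kind == "acct-stop":
            ep.active = False              # IP, if known, is kept
        # kind == "probe": the endpoint is created above, nothing else changes
    return eps

def needs_review(eps):
    """Disconnected endpoints with no passed authentication on record."""
    return sorted(m for m, e in eps.items()
                  if e.status == "disconnected" and not e.ever_passed)

# Constructed sample events (not from a real deployment)
EVENTS = [
    {"mac": "AA:AA:AA:00:00:01", "type": "probe"},
    {"mac": "AA:AA:AA:00:00:02", "type": "auth", "passed": True},
    {"mac": "AA:AA:AA:00:00:02", "type": "acct-start", "framed_ip": "10.0.0.12"},
    {"mac": "AA:AA:AA:00:00:02", "type": "acct-stop"},
    {"mac": "AA:AA:AA:00:00:03", "type": "auth", "passed": True},
    {"mac": "AA:AA:AA:00:00:03", "type": "acct-start"},  # no Framed-IP-Address
    {"mac": "AA:AA:AA:00:00:03", "type": "acct-stop"},
    {"mac": "AA:AA:AA:00:00:04", "type": "auth", "passed": False},  # failed MAB
]
```

Endpoints 02, 03 and 04 all show as disconnected, but only 04 is returned by `needs_review(replay(EVENTS))`, which is why the previous session results have to be confirmed from the reports rather than inferred from the grey status.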
