Is it possible to generate an ISE report or alert on missing CTS environment downloads and/or expired PACs?

Hael
Level 1

Ideally I'd like some sort of alert if a defined Network Device suddenly stops retrieving CTS environment data / policy. But I'd settle for being able to schedule a report to send out on expired PACs as a start. I know you can manually go to Administration > Network Devices and enable the PAC Expiration column and sort them to view (or export the list), but was hoping for something more automated that can be sent out.


We have had some devices where the PAC expired and did not auto renew correctly, some where a switch got upgraded and lost the CTS credentials* (caveat with some IOS-XE version jumps), as well as some that just got missed being defined (credentials) or didn't get added to a TrustSec matrix for policy enforcement. End result of all of those is that the switch may not be enforcing the SGACLs that we intended it to be. Just looking for a more graceful way of catching that.


*The version jump loss of CTS credential is a bit insidious in that ISE is going to show the exp date of the PAC that was issued to the device previously, but the device isn't using that PAC any more. We have had a couple that have run unenforced until that PAC showed expired and someone manually investigated it.


Appreciate any thoughts or suggestions. Thanks!
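One way to get the "expired PAC report" part automated without waiting on a native ISE report, added here as an example and not something from the post or from Cisco: run a small script over the Network Devices export the post mentions and flag anything expired, expiring soon, or with no PAC at all. The column name `PAC Expiration`, the timestamp format, and the sample rows are assumptions; check them against the header row of your own export.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of an ISE Network Devices export.
# Column names and timestamp format are assumptions; adjust to your export.
SAMPLE_EXPORT = """Name,IP Address,PAC Expiration
sw-core-01,10.0.0.1,2024-06-30 08:15:00
sw-access-07,10.0.1.7,2024-02-01 23:59:00
sw-access-12,10.0.1.12,
sw-dist-03,10.0.2.3,2024-04-10 12:00:00
"""
PAC_COLUMN = "PAC Expiration"          # assumed header name
TS_FORMAT = "%Y-%m-%d %H:%M:%S"        # assumed timestamp format
SAMPLE_NOW = datetime(2024, 3, 20, tzinfo=timezone.utc)  # fixed "now" for the demo


def classify_pacs(export_text, now, warn_days=30):
    """Return {device name: status}; status is 'no-pac' (blank column),
    'expired', 'expiring' (within warn_days), or 'ok'."""
    statuses = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["Name"]
        raw = (row.get(PAC_COLUMN) or "").strip()
        if not raw:
            # Blank cell: device defined but never got a PAC, or column missing.
            statuses[name] = "no-pac"
            continue
        expires = datetime.strptime(raw, TS_FORMAT).replace(tzinfo=timezone.utc)
        if expires <= now:
            statuses[name] = "expired"
        elif expires - now <= timedelta(days=warn_days):
            statuses[name] = "expiring"
        else:
            statuses[name] = "ok"
    return statuses


def report_lines(statuses):
    """Only the devices that need attention, sorted, ready for a mail body."""
    return [f"{name}: {status}" for name, status in sorted(statuses.items())
            if status != "ok"]


if __name__ == "__main__":
    # Replace SAMPLE_NOW with datetime.now(timezone.utc) on a scheduled run.
    for line in report_lines(classify_pacs(SAMPLE_EXPORT, SAMPLE_NOW)):
        print(line)
```

This only covers the expired and never-issued cases; a switch that silently dropped its PAC after an upgrade still shows the old expiry in the export, so that case needs a check on the device side as well.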

