ISE 2.4 external identity server's connection (up or down)?

ssschunk1
Level 1

I was testing VPN access to ISE, which uses RSA IDR for an external identity server. My attempts were failing and as I dug into it by the means I know of, there were no indications that the link to the RSA server was a problem... when looking at the tcpdump from ISE, there were two packets only... the request from the ASA and an immediate reject from ISE stating in the reply 'Invalid authenticator'... searching on this does not yield much... so I had to confirm the ASA policies had not been tampered with, then change my external identity server to a different one.... Changing to AD allowed auth to work, so it then pointed to the RSA link.... I connected with our RSA team and went through a server secret password change, which resolved the issue.....

Are there any logs or API calls or ISE checks that I could use to identify if this link stops working?

Using ISE 2.4p10.

Thanks.

Accepted Solution

Greg Gibbs
Cisco Employee

ISE does not actively monitor RADIUS Token or RSA SecurID servers. It only communicates with them when it receives a client or admin login request that leverages those systems.

If you look at the logging Message Catalog (Administration > System > Logging > Message Catalog) and search the Message Text, however, you will find that there are timeout messages that will be generated in both the Radius-Token and External-RSA-SecurID-Server message classes.


Examples:

  • 24616 - RADIUS token identity store received timeout error
  • 24547 - RSA request timeout expired. RSA authentication session cancelled

If you are sending logs to a SIEM, you could maybe create a threshold for the number of the timeout logs seen within a specific period of time (to allow for some random timeouts) and trigger an alert if that threshold is exceeded. This would at least give you some proactive indication that there is an issue before users start complaining.

Cheers,

Greg
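One way to implement the SIEM-style threshold Greg describes, as an added example that is not part of the original thread: it scans syslog lines for ISE message codes 24616 and 24547 and raises an alert when three or more land inside a five-minute sliding window, tolerating the odd isolated timeout. The log line layout and the sample lines are constructed for this example; real ISE syslog fields are laid out differently and the regex would need adapting to your export format.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Timeout message codes from the reply (Radius-Token / External-RSA-SecurID-Server classes).
TIMEOUT_CODES = {
    "24616": "RADIUS token identity store received timeout error",
    "24547": "RSA request timeout expired. RSA authentication session cancelled",
}

# Constructed sample lines; the layout "<date> <time> <node> <category> <code> <severity> <text>"
# is an assumption for this example, not the real ISE syslog field order.
SAMPLE_LOGS = """\
2024-03-01 09:00:01 ise01 CISE_Failed_Attempts 24616 WARN RADIUS token identity store received timeout error
2024-03-01 09:00:30 ise01 CISE_Passed_Authentications 5200 NOTICE Passed-Authentication: user=alice
2024-03-01 09:02:10 ise01 CISE_Failed_Attempts 24547 WARN RSA request timeout expired. RSA authentication session cancelled
this line does not follow the expected layout and is skipped
2024-03-01 09:20:00 ise01 CISE_Failed_Attempts 24616 WARN RADIUS token identity store received timeout error
2024-03-01 09:21:00 ise01 CISE_Failed_Attempts 24547 WARN RSA request timeout expired. RSA authentication session cancelled
2024-03-01 09:22:00 ise01 CISE_Failed_Attempts 24616 WARN RADIUS token identity store received timeout error
2024-03-01 09:23:00 ise01 CISE_Failed_Attempts 24616 WARN RADIUS token identity store received timeout error
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ \S+ (?P<code>\d+) ")

def parse_timeouts(lines):
    """Yield (timestamp, code) for each line carrying one of the timeout codes; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("code") in TIMEOUT_CODES:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("code")

def threshold_alerts(lines, threshold=3, window=timedelta(minutes=5)):
    """Return [(timestamp, count)] whenever `threshold` or more timeouts fall inside `window`.
    Fires once per burst and re-arms when the count drops again, so stray timeouts are tolerated.
    Lines are assumed to be in time order, as a syslog feed normally is."""
    recent = deque()          # timeout timestamps still inside the sliding window
    alerts, armed = [], True
    for ts, _code in parse_timeouts(lines):
        recent.append(ts)
        while ts - recent[0] > window:   # age out events older than the window
            recent.popleft()
        if len(recent) >= threshold:
            if armed:
                alerts.append((ts, len(recent)))
                armed = False
        else:
            armed = True
    return alerts
```

On the sample data the two early timeouts never reach the threshold, while the burst at 09:20 to 09:22 produces a single alert; the fourth timeout at 09:23 is absorbed by the same burst rather than paging again.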
