1944 Views, 30 Helpful, 3 Replies

ISE 2.7 Monitor Mode 802.1x Wired - Reports

ItsaBug
Level 1

We are looking at trying to implement 802.1x wired with ISE in Monitor Mode as a first step.

I have setup the switch side and ISE with AD as we are using wireless authentication through ISE.

I can see devices authenticate through ISE.

Are there reports that can be generated to see devices that are not set up for authentication (failed) but are specific to 802.1x wired? Thinking of users without a supplicant set up, or printers/cameras/APs, etc.

Please forgive me if this is a ridiculous question, I'm not totally familiar with ISE.

Thank you in advance.

Accepted Solution

First, if you don't have MAB configured, then ISE will not have visibility into those ports that come active but fail to respond to EAPoL start messages, so ISE will not have reporting capability.

I would configure a syslog that the switch can report to when a port comes up but fails to authenticate or respond. You could then use the syslog to look for EAPoL timeouts and narrow it down that way. I would not use ISE to do the functions that you're looking for here. Someone else may have a working method or workaround, but again, it is probably a lot more work to get what you need.

That being said, if you have MAB configured, we can see the MAB failures, but it's difficult to associate MAB failures with a dot1x EAPoL lack of response. You could filter the Live Logs by failed auth and a MAB policy set, which would give you an idea, but it'll still lead you to the switches.

Please mark the solution if this is helpful, and I hope that it is.


3 Replies

ComputerRick
Cisco Employee

I would suggest viewing the Live Logs and filtering based on the Wired policy set and failures.
Otherwise, you'll want to check the switches themselves using the "show auth sessions" command.

You're asking a lot here, so I'm just trying to provide a direction.

Thank you, and I realize I was very broad, and I appreciate you answering me.

I have been using "show auth sessions" on the switch, but I am trying to think beyond our little PoC, if that makes sense?

If we pick a building or department to implement this in, to see how many drops we will have from users/devices not on our domain or without a dot1x supplicant, what reports can I generate daily to see this information? I don't want to log into X number of switches and run this command... Likely I could run a script to grab this info, I guess.

Your suggestion of Live Logs and filtering based on the Wired policy set was helpful.

I also created a Report in Work Centers>Network Access and filtered for my Policy Set (column hidden by default).

This seems to show me all the Pass/Fail and MAC/Identity and most importantly port/switch information.

Would there be any documentation aside from this document in terms of implementation and how to track things in Monitor mode?

ISE Secure Wired Access Prescriptive Deployment Guide - Cisco Community

Thank you very much.
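The accepted solution suggests sending switch syslog to a collector and looking for dot1x timeouts there, and the poster mentions scripting the collection rather than logging into every switch. The following is an added example (not code from this thread, Cisco, or ISE) of the kind of daily report that approach can produce in monitor mode: it parses constructed sample lines written in the style of IOS %DOT1X / %MAB syslog messages, pairs the dot1x and MAB outcome for each switch/port/MAC, and sorts endpoints into the buckets the poster asked about (supplicant working, no supplicant but MAB-known, no supplicant and MAB-unknown, and dot1x failure with no MAB result at all, which is the "no visibility" case the accepted solution describes). The exact message text a given platform emits for an EAPoL timeout varies by release, so the regular expression is an assumption to be adjusted against real syslog before trusting the counts.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the style of Cisco IOS %DOT1X / %MAB messages.
# Real switches differ by platform and release; adapt LINE_RE to your own output.
SAMPLE_SYSLOG = """\
Jan 10 09:01:12 sw-bldgA-1 123: %DOT1X-5-FAIL: Authentication failed for client (0011.2233.4455) on Interface Gi1/0/5 AuditSessionID 0A0A0A01000000A
Jan 10 09:01:13 sw-bldgA-1 124: %MAB-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Gi1/0/5 AuditSessionID 0A0A0A01000000A
Jan 10 09:02:40 sw-bldgA-1 125: %DOT1X-5-FAIL: Authentication failed for client (aabb.ccdd.eeff) on Interface Gi1/0/7 AuditSessionID 0A0A0A01000000B
Jan 10 09:02:41 sw-bldgA-1 126: %MAB-5-FAIL: Authentication failed for client (aabb.ccdd.eeff) on Interface Gi1/0/7 AuditSessionID 0A0A0A01000000B
Jan 10 09:03:05 sw-bldgB-2 77: %DOT1X-5-SUCCESS: Authentication successful for client (1122.3344.5566) on Interface Gi2/0/3 AuditSessionID 0A0A0A02000000C
Jan 10 09:04:11 sw-bldgB-2 78: %DOT1X-5-FAIL: Authentication failed for client (7788.9900.aabb) on Interface Gi2/0/9 AuditSessionID 0A0A0A02000000D
Jan 10 09:04:12 sw-bldgB-2 79: %MAB-5-FAIL: Authentication failed for client (7788.9900.aabb) on Interface Gi2/0/9 AuditSessionID 0A0A0A02000000D
Jan 10 09:05:30 sw-bldgC-3 15: %DOT1X-5-FAIL: Authentication failed for client (cafe.0000.0001) on Interface Gi1/0/2 AuditSessionID 0A0A0A03000000E
"""

# Assumed message layout: "<Mon> <day> <time> <hostname> <seq>: %<METHOD>-5-<RESULT>: ... client (<mac>) on Interface <port> ..."
LINE_RE = re.compile(
    r"^\S+\s+\d+\s+[\d:]+\s+(?P<switch>\S+)\s+\S+\s+"
    r"%(?P<method>DOT1X|MAB)-5-(?P<result>SUCCESS|FAIL):.*?"
    r"client \((?P<mac>[0-9a-f.]+)\) on Interface (?P<port>\S+)"
)


def parse_syslog(text):
    """Return one event dict per dot1x/MAB result line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def classify_sessions(events):
    """Pair the dot1x and MAB outcome per (switch, port, mac) and bucket each endpoint."""
    outcomes = defaultdict(dict)  # (switch, port, mac) -> {"DOT1X": result, "MAB": result}
    for ev in events:
        outcomes[(ev["switch"], ev["port"], ev["mac"])][ev["method"]] = ev["result"]

    report = {
        "supplicant_ok": [],              # dot1x succeeded: nothing to do
        "no_supplicant_known_mac": [],    # dot1x failed, MAB passed: printer/camera/AP already in ISE
        "no_supplicant_unknown_mac": [],  # dot1x and MAB failed: would lose access outside monitor mode
        "dot1x_fail_no_mab": [],          # dot1x failed and no MAB result: ISE never saw this endpoint
    }
    for key, res in sorted(outcomes.items()):
        dot1x, mab = res.get("DOT1X"), res.get("MAB")
        if dot1x == "SUCCESS":
            report["supplicant_ok"].append(key)
        elif mab == "SUCCESS":
            report["no_supplicant_known_mac"].append(key)
        elif mab == "FAIL":
            report["no_supplicant_unknown_mac"].append(key)
        else:
            report["dot1x_fail_no_mab"].append(key)
    return report


def per_switch_counts(report):
    """Collapse the report to a per-switch count of each bucket, for a daily summary."""
    counts = defaultdict(lambda: defaultdict(int))
    for category, keys in report.items():
        for switch, _port, _mac in keys:
            counts[switch][category] += 1
    return {sw: dict(c) for sw, c in counts.items()}


if __name__ == "__main__":
    rep = classify_sessions(parse_syslog(SAMPLE_SYSLOG))
    for category, keys in rep.items():
        print(f"{category}: {len(keys)}")
        for switch, port, mac in keys:
            print(f"  {switch} {port} {mac}")
    print(per_switch_counts(rep))
```

Pointing this at a day's worth of collector output gives a per-switch list of the ports and MACs that would fail once the ports move from monitor mode to enforcement, without logging into each switch; the "no_supplicant_unknown_mac" bucket is the one that needs either a supplicant deployed or an endpoint entry created before cutover.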
