cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4195
Views
25
Helpful
6
Replies

ISE Admin Access Logs

I am having a user who is trying to access iSE using an AD account.

The account has the proper groups associated with it and I've verified the ISE configuration. 

 

How do I view logs of attempted login attempts?

 

Thanks,

 

Phill

2 Accepted Solutions

Accepted Solutions

Hi @phillip.vansickle 

 if my understanding is correct, you are having issues with only one User in an AD Group, the other Users have no issue even though they belong to the same AD Group, is that correct?

 On Operations > Reports > Reports > Audit > Administrator Logins, check for Administrator authentication succeeded and Administrator authentication failed on the Event column of this particular User.

 On Administration > Identity Management > External Identity Sources > Active Directory > <select you AD> and on the Connection tab, click the Test User ... check if you are able to retrieve the Groups and Attributes.

 

Hope this helps !!!

 

View solution in original post

thomas
Cisco Employee
Cisco Employee

I cannot tell from your question if this is for an ISE administrative user trying to login to the ISE GUI or a network access user being authenticated with RADIUS.

For an admin user, @Marcelo Morais provided excellent instructions.

For a network access user, view the ISE Operations > RADIUS > LiveLogs. You can even filter by the username then click on the Details icon to see the reasons for the failure.

View solution in original post

6 Replies 6

balaji.bandi
VIP Community Legend VIP Community Legend
VIP Community Legend

Look at the Live Logs, is this only for 1 user or any user not working.

 

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_2x.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Problem is with a single user who is in the proper active directory groups. 

Everyone else who is in the correct groups logs into ISE with no issues. 

 

This is what I consistently see in the debugs output...

 

Error code: 40506 (symbol: LW_ERROR_NO_CRED),lsass/server/ntlm/acquirecreds.c:103

Error code: 40506 (symbol: LW_ERROR_NO_CRED),lsass/client/ntlm/clientipc.c:299

Error code: 40506 (symbol: LW_ERROR_NO_CRED),lsass/client/ntlm/acquirecreds.c:84

Hi @phillip.vansickle 

 if my understanding is correct, you are having issues with only one User in an AD Group, the other Users have no issue even though they belong to the same AD Group, is that correct?

 On Operations > Reports > Reports > Audit > Administrator Logins, check for Administrator authentication succeeded and Administrator authentication failed on the Event column of this particular User.

 On Administration > Identity Management > External Identity Sources > Active Directory > <select you AD> and on the Connection tab, click the Test User ... check if you are able to retrieve the Groups and Attributes.

 

Hope this helps !!!

 

How to get the logs:

 

Enable Active Directory Debug Logs
Active Directory debug logs are not logged by default. You must enable this option on the Cisco ISE node that has assumed the Policy Service persona in your deployment. Enabling Active Directory debug logs may affect ISE performance.

Procedure
Step 1 Choose Administration > System > Logging > Debug Log Configuration.
Step 2 Click the radio button next to the Cisco ISE Policy Service node from which you want to obtain Active Directory debug information, and click Edit.
Step 3 Click the Active Directory radio button, and click Edit.
Step 4 Choose DEBUG from the drop-down list next to Active Directory. This will include errors, warnings, and verbose logs. To get full logs, choose TRACE.
Step 5 Click Save.
Obtain the Active Directory Log File for Troubleshooting
Download and view the Active Directory debug logs to troubleshoot issues you may have.

Before You Begin
Active Directory debug logging must be enabled.

Procedure
Step 1 Choose Operations > Troubleshoot > Download Logs.
Step 2 Click the node from which you want to obtain the Active Directory debug log file.
Step 3 Click the Debug Logs tab.
Step 4 Scroll down this page to locate the ad_agent.log file. Click this file to download it.

Marcelo Morais
VIP Advisor VIP Advisor
VIP Advisor

Hi @phillip.vansickle ,

 beyond what @balaji.bandi said ... please take a look at:

Operations > Reports > Reports > Audit > Administrator Logins.

 

Hope this helps !!!

 

 

thomas
Cisco Employee
Cisco Employee

I cannot tell from your question if this is for an ISE administrative user trying to login to the ISE GUI or a network access user being authenticated with RADIUS.

For an admin user, @Marcelo Morais provided excellent instructions.

For a network access user, view the ISE Operations > RADIUS > LiveLogs. You can even filter by the username then click on the Details icon to see the reasons for the failure.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers