
ISE Admin Access Logs

I have a user who is trying to access ISE using an AD account.

The account has the proper groups associated with it and I've verified the ISE configuration. 

 

How do I view logs of attempted login attempts?

 

Thanks,

 

Phill

2 Accepted Solutions


Hi @phillip.vansickle 

 if my understanding is correct, you are having issues with only one User in an AD Group, the other Users have no issue even though they belong to the same AD Group, is that correct?

 On Operations > Reports > Reports > Audit > Administrator Logins, check for Administrator authentication succeeded and Administrator authentication failed on the Event column of this particular User.

 On Administration > Identity Management > External Identity Sources > Active Directory > <select your AD> and on the Connection tab, click the Test User ... check if you are able to retrieve the Groups and Attributes.

 

Hope this helps !!!

 


thomas
Cisco Employee

I cannot tell from your question if this is for an ISE administrative user trying to log in to the ISE GUI or a network access user being authenticated with RADIUS.

For an admin user, @Marcelo Morais provided excellent instructions.

For a network access user, view the ISE Operations > RADIUS > LiveLogs. You can even filter by the username then click on the Details icon to see the reasons for the failure.


6 Replies

balaji.bandi
Hall of Fame

Look at the Live Logs. Is this only for 1 user, or is it not working for any user?

 

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_2x.html

BB


Problem is with a single user who is in the proper active directory groups. 

Everyone else who is in the correct groups logs into ISE with no issues. 

 

This is what I consistently see in the debug output...

 

Error code: 40506 (symbol: LW_ERROR_NO_CRED),lsass/server/ntlm/acquirecreds.c:103

Error code: 40506 (symbol: LW_ERROR_NO_CRED),lsass/client/ntlm/clientipc.c:299

Error code: 40506 (symbol: LW_ERROR_NO_CRED),lsass/client/ntlm/acquirecreds.c:84


How to get the logs:

Enable Active Directory Debug Logs

Active Directory debug logs are not logged by default. You must enable this option on the Cisco ISE node that has assumed the Policy Service persona in your deployment. Enabling Active Directory debug logs may affect ISE performance.

Procedure
Step 1 Choose Administration > System > Logging > Debug Log Configuration.
Step 2 Click the radio button next to the Cisco ISE Policy Service node from which you want to obtain Active Directory debug information, and click Edit.
Step 3 Click the Active Directory radio button, and click Edit.
Step 4 Choose DEBUG from the drop-down list next to Active Directory. This will include errors, warnings, and verbose logs. To get full logs, choose TRACE.
Step 5 Click Save.

Obtain the Active Directory Log File for Troubleshooting

Download and view the Active Directory debug logs to troubleshoot issues you may have.

Before You Begin
Active Directory debug logging must be enabled.

Procedure
Step 1 Choose Operations > Troubleshoot > Download Logs.
Step 2 Click the node from which you want to obtain the Active Directory debug log file.
Step 3 Click the Debug Logs tab.
Step 4 Scroll down this page to locate the ad_agent.log file. Click this file to download it.
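
Added example (not part of any post in this thread and not Cisco code): once ad_agent.log has been downloaded, a short Python script can tally the `Error code: ... (symbol: ...),file:line` fragments quoted earlier in the thread, so that a recurring symbol and the source files emitting it stand out. It assumes only that fragment format; the function names are hypothetical, and the sample input is the three quoted lines plus one constructed line.

```python
import re
import sys
from collections import Counter

# Matches the error fragment quoted in the thread, e.g.
# "Error code: 40506 (symbol: LW_ERROR_NO_CRED),lsass/server/ntlm/acquirecreds.c:103"
# Assumption: only this fragment is relied on; anything before it on a line is ignored.
ERROR_RE = re.compile(
    r"Error code:\s*(?P<code>\d+)\s*\(symbol:\s*(?P<symbol>\w+)\)\s*,\s*"
    r"(?P<source>[\w./-]+):(?P<line>\d+)"
)

def parse_errors(lines):
    """Yield one dict per error fragment found in an iterable of log lines."""
    for lineno, text in enumerate(lines, start=1):
        for m in ERROR_RE.finditer(text):
            yield {
                "log_line": lineno,
                "code": int(m["code"]),
                "symbol": m["symbol"],
                "source": m["source"],
                "source_line": int(m["line"]),
            }

def summarize(lines):
    """Count occurrences per (code, symbol) and per emitting source file."""
    by_symbol, by_source = Counter(), Counter()
    for err in parse_errors(lines):
        by_symbol[(err["code"], err["symbol"])] += 1
        by_source[err["source"]] += 1
    return by_symbol, by_source

# The three lines quoted in the thread, plus one constructed non-error line.
SAMPLE = [
    "Error code: 40506 (symbol: LW_ERROR_NO_CRED),lsass/server/ntlm/acquirecreds.c:103",
    "Error code: 40506 (symbol: LW_ERROR_NO_CRED),lsass/client/ntlm/clientipc.c:299",
    "Error code: 40506 (symbol: LW_ERROR_NO_CRED),lsass/client/ntlm/acquirecreds.c:84",
    "constructed line with no error fragment",
]

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a downloaded ad_agent.log
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE
    by_symbol, by_source = summarize(lines)
    for (code, symbol), n in by_symbol.most_common():
        print(f"{n:6d}  {code}  {symbol}")
    for source, n in by_source.most_common():
        print(f"{n:6d}  {source}")
```

Run it with the path to the downloaded ad_agent.log as its only argument; with no argument it summarizes the embedded sample.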

Hi @phillip.vansickle ,

 beyond what @balaji.bandi said ... please take a look at:

Operations > Reports > Reports > Audit > Administrator Logins.

 

Hope this helps !!!

 

 
