cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1602
Views
0
Helpful
5
Replies

ISE Certificate Days to Expiry log

slevesqu
Cisco Employee
Cisco Employee

Hi,

 

Customer is trying to figure out a way to create a report of the MIC certificates in their Cisco IP Phones and their date of expiration to plan for the implementation of LSC.

 

Since we can use the "Days to Expiry" attribute in an AuthZ policy and it provides the quantity of days to expiry, it means that the expiration date is extracted and logged somewhere I guess. In which log can I find this information?

 

Thanks

 

 

2 Accepted Solutions

Accepted Solutions

Surendra
Cisco Employee
Cisco Employee
ISE does not store those attributes anywhere and the conditions are run in a Just In Time(JIT) fashion where they are evaluated at the runtime and a decision is taken based on the values returned. They are logged at TRACE level on the logs that reside on the ISE which are written locally. So in short, there is no way you can pull those attributes from ISE.

View solution in original post

Not that easy the CUCM is managed by a 3rd party which makes it challenging to deploy LSCs in the short term

View solution in original post

5 Replies 5

Surendra
Cisco Employee
Cisco Employee
ISE does not store those attributes anywhere and the conditions are run in a Just In Time(JIT) fashion where they are evaluated at the runtime and a decision is taken based on the values returned. They are logged at TRACE level on the logs that reside on the ISE which are written locally. So in short, there is no way you can pull those attributes from ISE.

100% clear thank you sir!

One alternative in this case, would be to write a duplicate policy for authenticating your phones on top of the existing policy but name this policy something like 'Phone-Auth-expires-less-than-100' and add the expire attribute as something that must be matched. You can then easily report on the devices that match this policy instead of your already existing policy.

Nadav
Rising star
Rising star

I imagine ISE calculates the expiry date by deducting the expiration date of the cert from the current date. All X.509 certs have validity attributes. 

 

BTW why wait for the MICs to expire? Why risk having phones not register some day in the future when you can just install your LSCs during a maintenance window?  

Not that easy the CUCM is managed by a 3rd party which makes it challenging to deploy LSCs in the short term

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers