ISE Certificate Days to Expiry log

slevesqu
Cisco Employee

Hi,

Customer is trying to figure out a way to create a report of the MIC certificates in their Cisco IP Phones and their date of expiration to plan for the implementation of LSC.

Since we can use the "Days to Expiry" attribute in an AuthZ policy and it provides the quantity of days to expiry, it means that the expiration date is extracted and logged somewhere, I guess. In which log can I find this information?

Thanks

2 Accepted Solutions

Accepted Solutions

Surendra
Cisco Employee
ISE does not store those attributes anywhere and the conditions are run in a Just In Time (JIT) fashion where they are evaluated at runtime and a decision is taken based on the values returned. They are logged at TRACE level on the logs that reside on the ISE which are written locally. So in short, there is no way you can pull those attributes from ISE.

Not that easy: the CUCM is managed by a 3rd party, which makes it challenging to deploy LSCs in the short term.

5 Replies

100% clear thank you sir!

One alternative in this case would be to write a duplicate policy for authenticating your phones on top of the existing policy but name this policy something like 'Phone-Auth-expires-less-than-100' and add the expire attribute as something that must be matched. You can then easily report on the devices that match this policy instead of your already existing policy.

Nadav
Level 7

I imagine ISE calculates the expiry date by deducting the expiration date of the cert from the current date. All X.509 certs have validity attributes.

BTW why wait for the MICs to expire? Why risk having phones not register some day in the future when you can just install your LSCs during a maintenance window?
