ISE context visibility

ArmandXhafa3045 · ‎04-14-2020

Hi,

We have set up a Cisco ISE 2.6 patch and we started to do the configuration. One of the thing we have see these times is that some of network devices are not shown in the Context Visibility and some are shown. We are using Radius for the Administration of the devices and the authentication process works. Anyone has had the same problem ?

Regards

Armand

Mohammed al Baqari · ‎04-14-2020

Hi, starting by verifying the accounting config on the NAD devices and
interim accounting is enabled. Also, make sure that accounting messages are
received by ISE.

I am assuming that your NAD devices are added to ISE already.

**** please remember to rate useful posts

ArmandXhafa3045 · ‎04-14-2020

Hi Mohammed,

Thank you for replying. Here are the command for accounting i have used:

aaa authentication login default group ISE-AAA local
aaa authentication dot1x default group ISE-AAA local
aaa authorization exec default local if-authenticated
aaa authorization network auth-list group ISE-AAA local
aaa authorization auth-proxy default group ISE-AAA local
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group ISE-AAA
aaa accounting network default start-stop group ISE-AAA
aaa accounting system default start-stop group ISE-AAA

ip device tracking

!
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 15200A080D3F386879616663
radius-server deadtime 10
radius-server vsa send accounting
radius-server vsa send authentication

But it doesn't work. May have to add something else ?

Anurag Sharma · ‎04-15-2020

Hi @ArmandXhafa3045 ,

I would suggest you add accounting exec command as well, since you are doing Device Administration as well:

aaa accounting exec default start-stop group SERVER-GROUP

Secondly, I would compare the device which is showing in CV (Context Visibility) and the one not showing.

Check things like:

Are any endpoints connecting to the working and not connecting to the non-working ones?

Does the non-working device ever show up in CV?

Does the previously visible device no longer show up in CV?

Are there any configuration discrepancies between the working and non-working ones?

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

armandi10 · ‎04-15-2020

Hi Anurag,

It seems that after I added an endpoint (PC with MAB) to the switch that doesn't appear to the CV and the command suggested by you , now the switch is shown to the CV. But what about the routers ? I cannot configure a endpoint to a port of a router ?

Anurag Sharma · ‎04-15-2020

@armandi10

Good to know.

Routers won't show up there because you can't connect an endpoint to a router. You can only manage a router (device administration).

You have to understand that CV is not a place for checking the devices configured in ISE. It's just a place (talking about NADs) to show which devices have endpoints connected etc. By endpoints, we mean dot1x and MAB users.

You can check the complete list of devices under Administration -> Network Devices. To get an activity report on a device, you can refer to the different Reports under Operations.

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.