Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2034
Views
2
Helpful
5
Replies

ISE Live Log Discrepancies vs RADIUS Auth Reports

Go to solution
paul
Level 10
Level 10

‎10-12-2017 06:34 AM

In the Live Logs I see the following with all the Dot1x failures for a particular MAC address:

ISE Live Log.jpg

When I run a RADIUS authentication report for the same MAC address I don't see the failures:

ISE Report.jpg

The only failure you see in the report is a dynamic authorization failure.  Why am I not getting an accurate reporting of what happened for this MAC address?  This is in ISE 2.3.  This may have always been the case as I usually deal with Live Logs only when troubleshooting issues.

1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to paul

‎10-12-2017 07:43 AM

Check RADIUS Errors and Misconfigured Supplicants reports under Diagnostics. IIRC we keep them separate as they got purged more often (5 days or so).

View solution in original post

5 Replies 5

Go to solution
gbekmezi-DD
Level 5
Level 5

‎10-12-2017 06:50 AM

Weird. Actually nothing correlates between the report and the livelog. Even the successful auth isn’t the one in your livelog but the report time range should have included it.

Warning: I either dictated this to my device, or typed it with my thumbs. Erroneous words are a feature, not a typo.

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to gbekmezi-DD

‎10-12-2017 06:55 AM

The success is there in the live logs.  Blue records don't get reported in the RADIUS reports only green/red.  So once a day you will see a green record for a MAC in the reports even if it has a 100 report blue records.

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to gbekmezi-DD

‎10-12-2017 07:24 AM

Okay I think I had a revelation on what I am seeing. The failures in the Live Log are EAP abandoned sessions so “technically” while the process is failing in the authentication step it is not really failing authentication because it never gets to doing true authentication. So maybe only true authentication failures qualify for the RADIUS authentication report.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to paul

‎10-12-2017 07:43 AM

Check RADIUS Errors and Misconfigured Supplicants reports under Diagnostics. IIRC we keep them separate as they got purged more often (5 days or so).

Go to solution
paul
Level 10
Level 10
In response to hslai

‎10-12-2017 07:51 AM

Yep they show up perfectly in the RADIUS Errors report. Thanks Hsing!

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

0 Helpful
Customers Also Viewed These Support Documents