Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2484
Views
6
Helpful
4
Replies

ISE live logs no MAB events

Go to solution
PERI_Admin
Level 1
Level 1

‎04-29-2020 06:10 AM

We updated our ISE from 2.1 to 2.6. Update went fine but now we don't see any MAB events in RADIUS live logs anymore.

MAB itself is working fine.

 

Does someone have an idea what the problem could be?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to PERI_Admin

‎05-01-2020 09:42 PM

You may "tail" the local logs on PSN by CLI as below and ctrl-C when done.

term len 0
show logging app localStore/iseLocalStore.log tail

By default, Passed Authentications are NOT logged locally. So, we will see Failed Attempts and others. We may enable local logging temporarily at ISE Admin Web UI > Administration > Logging > Logging Categories > Passed Authentications.

Check any collection filters at ISE Admin Web UI > Administration > Logging > Collection Filters.

Also, we may check on the MNT for collector.log and see any obvious errors.

Anything more would need you to engage Cisco TAC to help debugging and analyze.

View solution in original post

4 Replies 4

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎04-29-2020 10:22 AM

One of the post upgrade tasks is related to regenerating the ISE root CA. It has been known to prevent logs from working. Do you have no radius live logs, or just mab is missing?

"In case of the following events, you must regenarate the root CA chain:

Changing the domain name or hostname of your PAN or PSN.
Restoring a backup on a new deployment.
Promoting the old Primary PAN to new Primary PAN post upgrade.

To regenerate the root CA chain, choose Administration > System > Certificates > Certificate Management > Certificate Signing Request. Click on Generate Certificate Signing Request (CSR). Select the ISE Root CA in the Certificate(s) will be used for drop-down list. Click on Replace ISE root CA Certificate Chain."

Go to solution
PERI_Admin
Level 1
Level 1
In response to Damien Miller

‎04-29-2020 10:43 AM

@Damien Miller wrote:
One of the post upgrade tasks is related to regenerating the ISE root CA. It has been known to prevent logs from working. Do you have no radius live logs, or just mab is missing?

Thanks for your reply. I did all postupgrade tasks including regenerating the ISE root CA.

 

The strange thing is that only mab is missing.

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to PERI_Admin

‎05-01-2020 09:42 PM

You may "tail" the local logs on PSN by CLI as below and ctrl-C when done.

term len 0
show logging app localStore/iseLocalStore.log tail

By default, Passed Authentications are NOT logged locally. So, we will see Failed Attempts and others. We may enable local logging temporarily at ISE Admin Web UI > Administration > Logging > Logging Categories > Passed Authentications.

Check any collection filters at ISE Admin Web UI > Administration > Logging > Collection Filters.

Also, we may check on the MNT for collector.log and see any obvious errors.

Anything more would need you to engage Cisco TAC to help debugging and analyze.

Go to solution
PERI_Admin
Level 1
Level 1
In response to hslai

‎05-03-2020 11:23 PM

Thanks for your help. Enabling "Passed Authentications" logging did the job :-))
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents