cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1584
Views
2
Helpful
7
Replies

ISE-PIC 3.1 not detecting user logoffs

Scott123
Level 1
Level 1

I want ISE-PIC 3.1 to detect user log off events so that Web Security Agent (WSA) removes the session from its ISE username-to-IP mappings.

I have ISE-PIC 3.1.0.518 Patch 3 with Active Directory Agent deployed to AD servers and integrated with WSA 14.5.1-016 successfully (username-to-IP mapping are transmitted from ISE-PIC to WSA). The agents detect user logon events but do not detect logoff events, so that if a user logs off a PC WSA still thinks the session is active because of its 6 hour session timeout.

If a user logs off and I go to ISE-PIC Live Sessions, I can select the user > show actions > check current user, endpoint probe detects the user session is not active and the session dissapears from Live Sessions and ISE-PIC tells WSA that the session has ended and it is removed from WSA ISE user mappings.  

How can I get ISE-PIC or the AD agent to detect logoff events, or failing that set the ISE-PIC endpoint probe to run more frequently than the default 4 hour interval?   

Note: I have set ISE-PIC > Providers > AD joint point > Advanced Settings > User session aging time to 1 hour (lowest it can go), so at least logged out user session are removed from ISE-PIC every hour but they still remain on WSA until the 6 hour session timeout expires.

Also, does the endpoint probe just query Active Directory?

Thanks in advance.

 

 

 

 

 

4 Accepted Solutions

Accepted Solutions

srigovi2
Cisco Employee
Cisco Employee

To address the issue of ISE-PIC not detecting logoff events and to configure the endpoint probe interval, you can follow these steps:

1 . Log in to the Cisco ISE-PIC administration interface.

2 . Navigate to "Administration > System > Settings > Authentication and Policy Sources".

3 . Select the Active Directory (AD) joint point that is integrated with your AD servers.

4 . Under the "Advanced Settings" section, locate the "User session aging time" parameter. This parameter determines how long ISE-PIC keeps user sessions active after a logoff event. Set it to the desired value, such as 1 hour as you mentioned.

5 .Save the configuration.

Regarding the endpoint probe frequency, the default interval is 4 hours. However, you can modify this interval to a shorter duration to detect logoff events more frequently. Please note that modifying the endpoint probe frequency may impact system performance, so consider the implications before making any changes.

To modify the endpoint probe interval:

1 . Navigate to "Administration > System > Settings > Diagnostic Settings".

2 . Locate the "Endpoint Probe Configuration" section.

3 . Modify the "Probe Interval" parameter to the desired duration, such as every hour or as frequently as needed.

4 . Save the configuration.

By adjusting the "User session aging time" and endpoint probe interval, you can improve the detection of logoff events in ISE-PIC and ensure that the mappings are removed from WSA in a timely manner.

Regarding your question about the endpoint probe, it queries the Active Directory to gather information about user sessions, including logon and logoff events. It helps keep track of user activity and update the session status in ISE-PIC.

Remember to test these configurations in a controlled environment before applying them to your production deployment.

View solution in original post

hslai
Cisco Employee
Cisco Employee

@Scott123 The endpoint probe queries the endpoints directly as the info at AD domain controller is not reliable on log-off events.

View solution in original post

hslai
Cisco Employee
Cisco Employee

@Scott123

The interval is not configurable but fixed at 4 hours.

Endpoint Probe shows,

... When the Endpoint probe recognizes that a user has connected, if 4 hours have passed since the last time the session was updated for the specific endpoint, it checks whether that user is still logged in ...

 

 

View solution in original post

hslai
Cisco Employee
Cisco Employee

@Scott123

The WSA questions are best to go to Cisco Community / Technology and Support / Security / Web Security 

It has this old thread How long does ironport wsa cache ad credentials at a workstation? Some info there might still apply but I am not sure.

View solution in original post

7 Replies 7

srigovi2
Cisco Employee
Cisco Employee

To address the issue of ISE-PIC not detecting logoff events and to configure the endpoint probe interval, you can follow these steps:

1 . Log in to the Cisco ISE-PIC administration interface.

2 . Navigate to "Administration > System > Settings > Authentication and Policy Sources".

3 . Select the Active Directory (AD) joint point that is integrated with your AD servers.

4 . Under the "Advanced Settings" section, locate the "User session aging time" parameter. This parameter determines how long ISE-PIC keeps user sessions active after a logoff event. Set it to the desired value, such as 1 hour as you mentioned.

5 .Save the configuration.

Regarding the endpoint probe frequency, the default interval is 4 hours. However, you can modify this interval to a shorter duration to detect logoff events more frequently. Please note that modifying the endpoint probe frequency may impact system performance, so consider the implications before making any changes.

To modify the endpoint probe interval:

1 . Navigate to "Administration > System > Settings > Diagnostic Settings".

2 . Locate the "Endpoint Probe Configuration" section.

3 . Modify the "Probe Interval" parameter to the desired duration, such as every hour or as frequently as needed.

4 . Save the configuration.

By adjusting the "User session aging time" and endpoint probe interval, you can improve the detection of logoff events in ISE-PIC and ensure that the mappings are removed from WSA in a timely manner.

Regarding your question about the endpoint probe, it queries the Active Directory to gather information about user sessions, including logon and logoff events. It helps keep track of user activity and update the session status in ISE-PIC.

Remember to test these configurations in a controlled environment before applying them to your production deployment.

Thank you, however Cisco ISE-PIC web GUI does not have a "Administration > System > Settings > Diagnostic Settings" section. Are you referring to the full ISE product? 

Is there a way to configure the Endpoint probe interval from the CLI if it cannot be set in the web interface? My version of ISE-PIC IS 3.1.0.518 patch 3.

I was able to configure "User session aging time" to 1 hour in "Providers > Active Directory > join point > Advanced Settings"

 

hslai
Cisco Employee
Cisco Employee

@Scott123 The endpoint probe queries the endpoints directly as the info at AD domain controller is not reliable on log-off events.

Thank you. Do you know if it is possible to change the frequency of the endpoint probe? srigovi2's instructions donot work because the ISE-PIC web GUI does not have a "Administration > System > Settings > Diagnostic Settings" section. 

Is there a way to configure the Endpoint probe interval from the CLI if it cannot be set in the web interface? My version of ISE-PIC IS 3.1.0.518 patch 3.

I was able to configure "User session aging time" to 1 hour in "Providers > Active Directory > join point > Advanced Settings"

hslai
Cisco Employee
Cisco Employee

@Scott123

The interval is not configurable but fixed at 4 hours.

Endpoint Probe shows,

... When the Endpoint probe recognizes that a user has connected, if 4 hours have passed since the last time the session was updated for the specific endpoint, it checks whether that user is still logged in ...

 

 

Scott123
Level 1
Level 1

Thanks hslai.

Is it possible to change the TTL on username-to-IP mappings on the Web Security Appliance (software version 14.5.1-016)? If so I can change it to match the session timeout I have set on ISE-PIC.

By default username-to-IP mappings received from ISE-PIC have a TTL of 21600 seconds (6 hours), whereas since I have changed the session timeout on ISE-PIC to 1 hour a mapping will stay alive on WSA for up to 5 hours after it has been removed from ISE-PIC live sessions.

 

hslai
Cisco Employee
Cisco Employee

@Scott123

The WSA questions are best to go to Cisco Community / Technology and Support / Security / Web Security 

It has this old thread How long does ironport wsa cache ad credentials at a workstation? Some info there might still apply but I am not sure.