Solved: ISE Policy Set in Monitor Only Status

Fadi_Tahan.ao · ‎08-07-2017

Greeting All,

I have created a new policy set, and I placed it in Monitor Only Status. When I look at the Radius Live logs, I do not see any trace that this policy is being processed. If anyone can shed some light on the monitor mode process and how it is supposed to work, it would be greatly appreciated.

Thanks!

FMT

Jason Kunst · ‎08-07-2017

Can you explain a little more what you're trying to accomplish? It looks like you're trying to see what is hitting your Wireless Access Points? If that's the case what type of WAPs are they? Are they autonomous? If not then the RADIUS auths come from the WLC and i am pretty sure this wouldn't work for you.

View solution in original post

Jason Kunst · ‎12-07-2018

Please work through tAC

View solution in original post

Jason Kunst · ‎08-07-2017

Can you explain a little more what you're trying to accomplish? It looks like you're trying to see what is hitting your Wireless Access Points? If that's the case what type of WAPs are they? Are they autonomous? If not then the RADIUS auths come from the WLC and i am pretty sure this wouldn't work for you.

Fadi_Tahan.ao · ‎08-08-2017

First, thanks for the response. Here is what I am trying to accomplish: I am moving away from having all the ISE rules under the default policy. I broke the rules down into policy sets. I want to monitor the Radius traffic as it gets processed by the new set of policy sets before I turn these policies on. I though that setting a policy set in Monitor Status would do just that.

Jason Kunst · ‎08-08-2017

You are showing an authentication policy set. It looks like you are keying off a list of Wireless Aps? Is that what you want to do? Can you explain in more detail?

You might want to contact tac and step through exactly you want to do so you can discuss in real time with them.

Fadi_Tahan.ao · ‎08-09-2017

to simplify things a bit, the wireless policy set (which has an authentication and an authorization part) has the eye status, which means it is in monitor mode. It is at the top, which means it get hit first in the processing order. Form the Cisco documentation:

"Monitor Only—This policy condition will be evaluated, but the result will not be enforced. You can view the results of this policy condition in the Live Log authentication page. In this, see the detailed report which will have the monitored step and attribute. For example, you may want to add a new policy condition, but are not sure if the condition would provide you with the correct results. In this situation, you can create the policy condition in monitored mode to view the results and then enable it if you are satisfied with the results."

Cisco Identity Services Engine Administrator Guide, Release 2.0 - Policy User Interface Reference [Cisco Identity Servi…

I do not see any of this information in live log as stated. I hope this helps clarify things.

Thanks,

FMT

mmisonne · ‎12-06-2018

Hello

I have this pb too. With an ISE2.2.

M Misonne

paul · ‎12-06-2018

The monitor setting in ISE has never really worked. You don't see anything in the logs so what really is the point of it. You can build out the policy sets the way you want and then enable them one at a time to watch for any issues. If you have major issues you can simply disable the policy set and fall back to the default.

For wireless, you could set your RADIUS called station ID on the WLC to AP name:SSID then test the policy set at a given site first. Create a policy set condition that says "If RADIUS Called Station ID contains Site1 and RADIUS Called Station ID contains SSID name". Then only that site would be affected. Once you know it works remove the Site1 restriction.

mmisonne · ‎12-06-2018

Thanks a lot for your answer.

if the monitor setting in ISE has never really worked, I do not see the reason, why cisco leave this possibilitry on the menu !

Jason Kunst · ‎12-07-2018

Please work through tAC