08-07-2017 11:01 AM
Greetings All,
I have created a new policy set, and I placed it in Monitor Only Status. When I look at the Radius Live logs, I do not see any trace that this policy is being processed. If anyone can shed some light on the monitor mode process and how it is supposed to work, it would be greatly appreciated.
Thanks!
FMT
08-07-2017 02:34 PM
Can you explain a little more what you're trying to accomplish? It looks like you're trying to see what is hitting your Wireless Access Points? If that's the case, what type of WAPs are they? Are they autonomous? If not, then the RADIUS auths come from the WLC and I am pretty sure this wouldn't work for you.
08-08-2017 08:05 AM
First, thanks for the response. Here is what I am trying to accomplish: I am moving away from having all the ISE rules under the default policy. I broke the rules down into policy sets. I want to monitor the Radius traffic as it gets processed by the new set of policy sets before I turn these policies on. I thought that setting a policy set in Monitor Status would do just that.
08-08-2017 12:46 PM
You are showing an authentication policy set. It looks like you are keying off a list of Wireless APs? Is that what you want to do? Can you explain in more detail?
You might want to contact TAC and step through exactly what you want to do so you can discuss in real time with them.
08-09-2017 06:47 AM
To simplify things a bit, the wireless policy set (which has an authentication and an authorization part) has the eye status, which means it is in monitor mode. It is at the top, which means it gets hit first in the processing order. From the Cisco documentation:
"Monitor Only—This policy condition will be evaluated, but the result will not be enforced. You can view the results of this policy condition in the Live Log authentication page. In this, see the detailed report which will have the monitored step and attribute. For example, you may want to add a new policy condition, but are not sure if the condition would provide you with the correct results. In this situation, you can create the policy condition in monitored mode to view the results and then enable it if you are satisfied with the results."
I do not see any of this information in live log as stated. I hope this helps clarify things.
Thanks,
FMT
12-06-2018 10:40 AM
Hello
I have this problem too, with ISE 2.2.
M Misonne
12-06-2018 11:47 AM
The monitor setting in ISE has never really worked. You don't see anything in the logs, so what really is the point of it? You can build out the policy sets the way you want and then enable them one at a time to watch for any issues. If you have major issues you can simply disable the policy set and fall back to the default.
For wireless, you could set your RADIUS called station ID on the WLC to AP name:SSID, then test the policy set at a given site first. Create a policy set condition that says "If RADIUS Called Station ID contains Site1 and RADIUS Called Station ID contains SSID name". Then only that site would be affected. Once you know it works, remove the Site1 restriction.
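The site-scoped rollout described in the reply above, as an added example that is not part of the original post and is not ISE code: a simplified first-match model of policy set selection on Called-Station-ID. The AP names, SSIDs, the `Wireless-Pilot` set name and the `-` naming delimiter are constructed assumptions; it also shows that a bare "contains Site1" condition matches a `Site10` AP.

```python
# Added illustration: simplified first-match model of policy set selection
# on RADIUS Called-Station-ID. Not ISE code; every name here is constructed.

def called_station_id(ap_name, ssid):
    """WLC setting described in the thread: Called-Station-ID = 'AP name:SSID'."""
    return f"{ap_name}:{ssid}"

def contains_all(*needles):
    """Policy set condition: the attribute contains every given substring."""
    return lambda csid: all(n in csid for n in needles)

def select_policy_set(policy_sets, csid):
    """Return the first enabled policy set whose condition matches, else Default."""
    for name, enabled, condition in policy_sets:
        if enabled and condition(csid):
            return name
    return "Default"

def rollout_report(policy_sets, requests):
    """Map each request's Called-Station-ID to the policy set that would process it."""
    return {csid: select_policy_set(policy_sets, csid) for csid in requests}

# Constructed sample requests (hypothetical AP names and SSIDs).
REQUESTS = [
    called_station_id("Site1-AP01", "CorpWiFi"),
    called_station_id("Site1-AP02", "Guest"),
    called_station_id("Site10-AP01", "CorpWiFi"),
    called_station_id("Site2-AP01", "CorpWiFi"),
]

# Condition as worded in the thread: contains "Site1" and contains the SSID name.
PILOT = [("Wireless-Pilot", True, contains_all("Site1", "CorpWiFi"))]
# Tighter scope: include the delimiters (assumed '-' after the site, ':' before the SSID).
PILOT_TIGHT = [("Wireless-Pilot", True, contains_all("Site1-", ":CorpWiFi"))]
# Fallback described in the thread: disable the set and traffic returns to Default.
PILOT_DISABLED = [("Wireless-Pilot", False, contains_all("Site1", "CorpWiFi"))]

if __name__ == "__main__":
    for label, sets in (("pilot", PILOT), ("tight", PILOT_TIGHT), ("disabled", PILOT_DISABLED)):
        print(label)
        for csid, chosen in rollout_report(sets, REQUESTS).items():
            print(f"  {csid:24} -> {chosen}")
```

Running the same check against your real AP naming scheme before enabling the policy set shows which sites a "contains" condition would actually pull in.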
12-06-2018 11:53 PM
Thanks a lot for your answer.
If the monitor setting in ISE has never really worked, I do not see the reason why Cisco leaves this possibility on the menu!