ISE - proactive with fault management help

mellwang
Cisco Employee

All,

I have a healthcare system installing DNAC/SDA (AS and Partner) in a new tower. The ISE-DNAC integration caused an outage with wireless users. The customer would like to be proactive with fault management so they can detect, isolate, and correct any potential ISE-DNAC integration issues and avoid future outages. Are there any syslog messages, traps, MIBs, etc., that can be monitored for early detection? Even though ISE and DNAC integration is in its early stages, there have to be some thresholds or messages that can be monitored for early detection.

1 Accepted Solution

Accepted Solutions

Hi,

Under Administrator > System > Settings > Alarm Settings > Alarm Configuration, you can configure the Excessive Failed RADIUS Authentication Attempts alert, where you can mention 'n' number of failed attempts in '15-60' number of minutes. You can also mention the network device IP (WLC IP).

 

-Aravind
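
The threshold logic of the alarm described in the accepted solution above can also be applied on a syslog collector that receives ISE's failed-attempt messages. The following is an added example, not part of the original thread and not Cisco's code; the simplified line layout, the `excessive_failures` function, and all sample values are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real logs), simplified from the shape of ISE
# failed-attempt syslog messages; 192.0.2.10 stands in for the WLC.
SAMPLE = """\
2018-10-10 09:00:05 ise01 CISE_Failed_Attempts 5400 NOTICE Failed-Attempt: Authentication failed, UserName=u1, NAS-IP-Address=192.0.2.10
2018-10-10 09:03:10 ise01 CISE_Failed_Attempts 5400 NOTICE Failed-Attempt: Authentication failed, UserName=u2, NAS-IP-Address=192.0.2.10
2018-10-10 09:04:00 ise01 CISE_Passed_Authentications 5200 NOTICE Passed-Authentication: Authentication succeeded, UserName=u3, NAS-IP-Address=192.0.2.10
2018-10-10 09:05:30 ise01 CISE_Failed_Attempts 5400 NOTICE Failed-Attempt: Authentication failed, UserName=u4, NAS-IP-Address=192.0.2.20
2018-10-10 09:07:45 ise01 CISE_Failed_Attempts 5400 NOTICE Failed-Attempt: Authentication failed, UserName=u5, NAS-IP-Address=192.0.2.10
2018-10-10 09:12:00 ise01 CISE_Failed_Attempts 5400 NOTICE Failed-Attempt: Authentication failed, UserName=u6, NAS-IP-Address=192.0.2.10
2018-10-10 10:30:00 ise01 CISE_Failed_Attempts 5400 NOTICE Failed-Attempt: Authentication failed, UserName=u1, NAS-IP-Address=192.0.2.10
"""

# Only failed-attempt records are matched; the timestamp layout is an assumption.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ CISE_Failed_Attempts .*?"
    r"NAS-IP-Address=(?P<nas>[0-9.]+)")

def excessive_failures(lines, threshold, window_minutes, nas_filter=None):
    """Return [(timestamp, nas_ip, count)] each time a network device reaches
    `threshold` failed authentications inside a sliding time window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)      # nas_ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                 # passed authentications, other categories
        nas = m["nas"]
        if nas_filter and nas not in nas_filter:
            continue                 # scope to chosen devices, e.g. the WLC IP
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[nas]
        q.append(ts)
        while ts - q[0] > window:    # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ts, nas, len(q)))
            q.clear()                # re-arm so one burst raises one alert
    return alerts

if __name__ == "__main__":
    for ts, nas, count in excessive_failures(SAMPLE.splitlines(), 4, 15):
        print(f"{ts} {nas}: {count} failed authentications within 15 minutes")
```
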


3 Replies

Hello,

First of all, if the DNAC and ISE integration breaks, there is nothing in it to cause an outage related to AAA.

DNA-C and ISE are integrated via pxGrid through trust based on a certificate and password.

ISE will share the context and SGTs via pxGrid, and DNA-C will use the ERS API to add network devices in ISE and configure east-west segmentation policies.

If the pxGrid service is down, you will get a process-down alert (you can get it via syslog/email), and existing things will work as they are, as the network device and ISE will communicate with each other for any authentication request or to download any CTS environment data.

 

-Aravind


The integration with ISE and DNA Center dynamically updated a certificate within ISE, which then prevented wireless users from authenticating. It was bug CSCvk74989 and the SR is 685316245.

The customer has implemented a manual workaround for now but would like to be proactive to prevent another outage. All they are asking is how and what they can manage.
