Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3555
Views
10
Helpful
3
Replies

ISE Radius Live Log Issue

Go to solution
FY13
Level 1
Level 1

‎06-04-2021 01:33 AM

We have an ISE deployment running 2.7 patch 3, and there seems to be some sort of mismatch (I'm guessing) between the MnT nodes, but I'm not 100% sure on that. On some occasions, the Radius Live Log shows all the info you'd expect, like so:

 

ISE_LOG_ALL.png

 

But then, suddenly, it will show something like this:

 

ISE_LOG_AUTH_ONLY.png

Only "Authorize Only" methods will be shown.

And it stays like this for 10 minutes or so before changing back to showing all expected info again.

 

Any ideas how to explain this?

Thanks

1 person had this problem
1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee

‎06-08-2021 06:33 AM

This points potentially some issue with the ISE M&T db. Please check the performance data of the MnT node(s) and engage Cisco TAC as needed.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
thomas
Cisco Employee
Cisco Employee

‎06-05-2021 03:37 PM

The only difference here appears to be the SessionInfo status icons instead of the Pass/Fail/Session icons.

  • Auth Passed (Green check): ISE returned RADIUS ACCESS-ACCEPT as result of the policy for a successful WebAuth, CoA, or PAC provisioning.
  • Auth Failed (Red X): Returned a RADIUS ACCESS-REJECT as result of policy rule, authentication failure, suppression settings, unknown NAD, etc.
  • Session (Blue i): ISE received RADIUS Accounting Start after the Auth Passed. A log line will also be updated upon receiving an interim accounting update.

ISE refreshes your LiveLogs every 10 seconds according to your screen and after a while - "some occasions" as you say - you have a see Pass/Fails rather than only Session updates.

This is probably due to re-authentication intervals and RADIUS interim updates in your endpoint sessions.

Click on the session details icon to see what is happening or filter on a specific endpoint to see it's series of authentication events.

0 Helpful

Go to solution
FY13
Level 1
Level 1
In response to thomas

‎06-07-2021 12:45 AM

Thanks for replying Thomas. So I tried what you said, filtering on one endpoint, but the result is still the same. It first shows just the Session Info, then 10 minutes later, the Auth Passed records suddenly appear as well.

ISE_LOG_AUTH_ONLY_FILTERED.png

ISE_LOG_ALL_FILTERED.png

Go to solution
hslai
Cisco Employee
Cisco Employee

‎06-08-2021 06:33 AM

This points potentially some issue with the ISE M&T db. Please check the performance data of the MnT node(s) and engage Cisco TAC as needed.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents