515 Views, 0 Helpful, 0 Replies

ISE Reauthentication and Reporting

mark373737
Level 1

Hi All,

Recently upgraded to ISE 2.0 ahead of migrating a wired network from Monitor Mode to Secure Mode.

I have configured two "stages" on ISE, with a policy set attached to each. So I have a very loose Monitor Mode policy set and a Secure Mode policy set. The latter has a Default Policy of Deny Access. So the migration plan is to move each switch stack from the current Monitor stage to the Secure stage, then see what legitimate devices have only matched the Default Policy and resolve each one to a discrete higher policy before I finally remove "authentication open" from the switch-ports.

My problem is this. I moved the first 3850 Switch Stack to the new Secure Mode Policy set, and wired laptops etc. are joining the correct ISE policies as expected. However, all my Cisco APs and devices that are not mobile have not re-authenticated to the new policies. To get them to join the new Secure Policy set I have to shut/no shut their interface.

I expected them to re-authenticate without needing to do that? And that brings me onto my second point. I have not set a re-authentication timer in the switch configuration or in the ISE policy. So I expected it should re-authenticate as per the switch default every 3600 seconds. However, I don't think it is doing that. Indeed, I think that devices that are constantly attached to a switch-port have NEVER re-authenticated since they were first connected.

The details from "show authentication sessions interface x/x detail" NEVER change, and my session timeout is N/A:

Session timeout: N/A
Common Session ID: 0A5402010000BEB5987EDC6C
Acct Session ID: 0x000167F3
Handle: 0xC2000C92
Current Policy: POLICY_Gi1/0/4

On ISE, I cannot use the LiveLog since upgrade (the clock symbol just spins for hours) so I am using post-event reporting and that seems to confirm that authentication is only happening once...when something is connected to the switch-port and never again.

So my three questions are:

1. How do I get my end devices migrated to the new Secure Policy set? Do I really need to bounce all my interface ports?

2. Is re-authentication enabled by default on a 3850 or do you need to explicitly set it?

3. Why does Live Log not work in ISE 2.0 (10,000 hosts on an 8 ISE node deployment with 4 x PSNs, 2 x PANs, 2 x MnT)? OK in my lab but nothing in the live deployment.

Thanks in advance

Mark
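Added example, not part of the original post or of any Cisco tool: a small Python helper that parses output in the style of the "show authentication sessions interface x/x detail" block quoted above and lists the sessions whose Session timeout is N/A, i.e. ports where the switch reports no re-authentication timer at all. Running something like this over the output of every port on a stack before moving it to the Secure stage gives an inventory of the sessions that will not pick up the new policy set on their own. The sample output is constructed (the second interface, its addresses and its IDs are made up), and the field layout is assumed to match the block in the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the style of "show authentication sessions interface
# <x/x> detail" for two ports. The first block reuses the values quoted in the
# post; the second block (and all its values) is made up for illustration.
SAMPLE_OUTPUT = """\
Interface: GigabitEthernet1/0/4
MAC Address: 0011.2233.4455
IPv6 Address: Unknown
IPv4 Address: 10.84.2.31
User-Name: 00-11-22-33-44-55
Status: Authorized
Domain: DATA
Session timeout: N/A
Common Session ID: 0A5402010000BEB5987EDC6C
Acct Session ID: 0x000167F3
Handle: 0xC2000C92
Current Policy: POLICY_Gi1/0/4

Interface: GigabitEthernet1/0/7
MAC Address: 0011.2233.6677
IPv6 Address: Unknown
IPv4 Address: 10.84.2.40
User-Name: CORP\\jdoe
Status: Authorized
Domain: DATA
Session timeout: 3600s (server), Remaining: 2951s
Common Session ID: 0A5402010000BEB7987F0A11
Acct Session ID: 0x000167F9
Handle: 0xE5000C94
Current Policy: POLICY_Gi1/0/7
"""

# "Key: value" lines; the key is everything up to the first colon.
FIELD_RE = re.compile(r"^\s*([A-Za-z0-9 \-]+?):\s*(.*?)\s*$")


@dataclass
class Session:
    interface: str
    status: str
    session_id: str
    policy: str
    session_timeout: str


def parse_sessions(text: str) -> List[Session]:
    """Split the output into one record per 'Interface:' block."""
    blocks: List[dict] = []
    current: Optional[dict] = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2)
        if key == "Interface":
            current = {"Interface": value}
            blocks.append(current)
        elif current is not None:
            current[key] = value
    return [
        Session(
            interface=b.get("Interface", ""),
            status=b.get("Status", ""),
            session_id=b.get("Common Session ID", ""),
            policy=b.get("Current Policy", ""),
            session_timeout=b.get("Session timeout", "N/A"),
        )
        for b in blocks
    ]


def reauth_interval_seconds(session_timeout: str) -> Optional[int]:
    """Return the reauth interval in seconds, or None when the switch
    reports N/A (no timer, so the session is never re-authenticated)."""
    m = re.match(r"(\d+)s", session_timeout.strip())
    return int(m.group(1)) if m else None


def sessions_without_reauth(sessions: List[Session]) -> List[Session]:
    """Sessions that report no re-authentication timer."""
    return [s for s in sessions if reauth_interval_seconds(s.session_timeout) is None]


def audit(text: str) -> List[str]:
    """Interfaces whose current session will not re-authenticate on a timer."""
    return sorted(s.interface for s in sessions_without_reauth(parse_sessions(text)))


if __name__ == "__main__":
    for iface in audit(SAMPLE_OUTPUT):
        print(f"{iface}: no reauth timer (Session timeout: N/A)")
```

The audit only reads the switch's own view of each session; it does not change anything on the port, so it is safe to run across a production stack while deciding which sessions still need to be moved to the new policy set.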
