migoetz
Cisco Employee

Monitoring Authentication with ACS/ISE & Syslog Analysis with Splunk

Hello ISE (and ACS) Expert,

My customer needs advice, especially with regard to monitoring everything around authentication. They are currently in the migration phase from ACS to ISE, so all questions are asked more with ISE in mind, but they are still relevant for ACS...

  1. Do you have more details about which traps are available to monitor ISE (and ACS) via SNMP? Hints and best practices are also highly welcome.
  2. Syslog analysis with Splunk:
    1. is there documentation available about the Syslog events?
    2. Can you share best practice about integration of Splunk with ISE?
    3. Hints and examples on the source types in Splunk?
  3. Testing TACACS+ and Radius Authentication:
    1. customer would like to test via NAGIOS/ICINGA if authentication with internal/external users works fine with ISE (ACS).
    2. Are there sample scripts the customer could adapt and use?

Any hints in this area are highly welcome!

Thanks for your time,

Michael


4 REPLIES
Arne Bier
VIP Advisor

Regarding SNMP traps, ISE is configured to send a grand total of 1 SNMP trap! :-)  Have a look at my posting on this

ISE SNMP Trap - dskThresholdLimit - what is the OID? - and beware, the logic is back to front, and also contains a small bug.

I am using this trap to inform our PRTG server in the event that the ISE disk subsystem reaches 80% capacity.  This is a more efficient mechanism than polling the node every 5 minutes to check disk space.  Sadly, the SNMP trap list doesn't look anything like an IOS device where you can generate traps on all sorts of events.  If you run ISE on a hardware appliance then I guess you can send traps from CIMC for fans/power/disk issues etc.

I have recently integrated with Splunk as well.  I enabled EVERYTHING.  Yes, as reckless as that may sound, it wasn't so bad after all.  In a 24 hour period I generate 5MB of data.  Ok, my system is not that busy,  and we're only doing Sponsored Guest and TACACS.  I have not found any Splunk or Cisco documentation that helps in this regard.  The only way I have found out what does what, is by enabling each Logging category one by one and doing tcpdump.  Not advisable on a very busy production system, but it gives some insights.  As time goes on we might reduce the logging categories.  The Splunk guy advised to enable everything to see what comes in, and then cut back what we don't want to see.  The Splunk dashboard with the Cisco ISE plugin is looking prettier now.  I have to say, on face value the ISE dashboard gives almost the same information.  The value add from Splunk is the correlation with all other devices in the ecosystem.

On item 3 you can automate authentication tests with tools like radtest from FreeRadius Utils.  Not sure how that relates to the tools you mentioned, but in principle, radtest is just a unix command that can be executed and it will return either a result code that you can check for, or if not, then parse the result to see whether the auth worked.  I happen to also have a short document on that testing procedure ... Rapid prototyping ISE Policies without any real networking hardware

Thank you for taking the time to respond, Arne! Really helpful.

kthiruve
Cisco Employee

For SNMP, please use the following community link that describes all OIDs:

Re: Monitoring ISE health using SNMP Polling

For logging, please take a look at the Logging video in ISE Operations, which describes the different logging aspects:

ISE Operations

Arne has provided some nice pointers on tools available to use.

-Krishnan


Krishnan, thanks a lot for the links. The customer and I really appreciate the hints!
