Re: NAC_ISE

syam · ‎11-26-2024

I finish to install a ISE but it is not run well

i notice that licence premium are not decrement when i had some devices and users

Also the dashboard is not active, no activities.

Somebody can help me ? i have the tech support file also

Arne Bier · ‎11-26-2024

ISE licensing is highly reliant on RADIUS Accounting working on the NAD devices. Ensure that RADIUS Start/Interim/Stop requests are being sent by the NAD and received by ISE.

Patch your ISE to the latest patch level.

If you have Queue Link Errors then regenerate the ISE Root CA certificate.

syam · ‎11-27-2024

Hi

I notice that catalyst received configuration from ISE.

But i can not see devices and users in the dashboard

VM licence decrement but premium licences none

See below tech support file

Arne Bier · ‎11-27-2024

An ISE show tech-support doesn't tell you anything about how RADIUS is configured in ISE. Tech-support has low level information about the operating system and installed applications.

What I did notice from the show tech-support is that you have not patched this ISE 3.3 node - please patch to latest 3.3 patch version and then let us know.

You should be sending screenshots from the ISE graphical user interface.

Catalyst devices don't receive configuration from ISE - NAD devices send RADIUS requests to ISE, and ISE replies.

There have been occasions where unpatched ISE versions don't perform very basic tasks.

syam · ‎11-28-2024

Hi

I downloaded ISE3.3 patch (ise-patchbundle-3.3.0.430-Patch4-24102504.SPA.x86_64.tar.gz) so to upload to ISE node.

See below screenshot file

Arne Bier · ‎11-28-2024

OK - have you applied the patch?

I would suspect that the Monitoring persona is not working - you could try a couple of things:

log into the CLI of the nodes that run the Monitoring persona and issue the command

show application status ise

Also, if there are Queue Link Errors, then Re-generate the ISE Internal CA certificate - do it regardless. Unless you are doing BYOD, this can't hurt.

And then authenticate a few devices and see if you see stuff on Dashboard.

If that doesn't work, then you might want to Reset the Context Visibility Database too. It requires a precise order of execution

syam · ‎11-29-2024

Hi

the patch is applied and certificat re-generate but i dont notce a good change.

Licences, Dashboard are the statut.

I want to know if licences premium are used by devices and users utilisaation?

we have these warning: ISE authentication inactivity and ID Map. authentication inactivity

See below ise application status

Arne Bier · ‎12-01-2024

I can't open RTF files - screenshots are better. it sounds like you have no RADIUS accounting coming into your ISE nodes.

syam · ‎12-02-2024

Ok i see.

So licence premium can not slow down i understand.

But how can i have radius accounting in the node please?

and i need to know if all services are done? (see screenshot)

thomas · ‎12-02-2024

Please see our ISE Deployment Guide for Catalyst Switches which has our best practice switchport configuration

syam · ‎12-03-2024

Hi all

Thanks for the deploiement guide .

Now i have log by the network device (catalyst 9200 with command : test aaa group radius test pasword new-code)

Therefor no change for licences, and dashboard

see screenshot attached

Arne Bier · ‎12-03-2024

Can you please paste images into these chats, because I can't open PDFs from a public forum (nor would I want to).

If you are not getting Live Logs, then the most basic next step is to verify whether your ISE node (PSN) is receiving RADIUS requests from the network device. Start a tcpdump on the node that you are sending RADIUS requests to, then run the
"test aaa" command on the network device. Download the .pcap and filter in Wireshark (Wireshark filter is simply radius)

If you can see Access-Request, with an associated Access-Accept (or Access-Reject) then you have some valuable information about connectivity. Sometimes ISE won't display Live Logs, if the Access-Request is malformed in some way. Have a look at the details of the Access-Request.

And please paste images into these chats (once you pasted them in, click on them, and click on the 'large' icon to expand the image)

syam · ‎12-04-2024

Hi

See screenshots below

Arne Bier · ‎12-05-2024

It appears that the Live Logs are working. I don't have a definite answer as to why your Dashboard looks so empty. I noticed there as a DNS resolution failure in your Alarms. Is your ISE node able to perform DNS correctly on the CLI? And the ISE FQDN must exist in DNS - both the A record and the PTR record. I'd be surprised if that is causing the Dashboard to fail, but look into that anyway - you don't want to see DNS failures in ISE. ISE will not work well.

Dashboard issue might be related to the browser? Are you running any blockers, or Extensions that might prevent the rendering of the web content? Tried different browsers?

If you have already Regenerated the ISE Root CA Certificate (which is the thing that fixes Queue Link Errors) then the last thing I would try (before going to TAC!) is to Reset the ISE Context Visibility. You won't lose any data. But you must follow the steps exactly. Context Visibility is a duplicate/different database that takes data from the master Oracle DB and uses it to create the GUI data.

syam · ‎12-06-2024

Hi see below result after appling patch and reset/syc ISE Context Visibility.

despite adding endpoint & devices