09-01-2021 11:33 PM - edited 09-01-2021 11:58 PM
I was reviewing the available SNMP OIDs available to monitor ISE: https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ISE_admin_guide_24/m_monitoring_and_troubleshooting.html#id_17078
Is it possible to send SNMP traps to monitor the Active Directory? For example, is there an OID to know if the Active Directory isn't operational /Joined or an OID for AD Connector status (in show app status ise command) ... etc
09-02-2021 04:27 AM
Hi @SMD28316 ,
ISE 2.4+ automatically and periodically runs the AD Diagnostic Tool (at Administration > Identity Management > External Identity Sources > Active Directory > select the AD, click Advanced Tools > Diagnostic Tool) ... please check if this diagnostic test is what you need.
Note: prior to ISE 2.4, such tests are ONLY triggered manually by an ISE Admin User.
Hope this helps!!!
09-02-2021 03:53 PM
See the following post for the MIBs supported by the SNMP Agent on ISE. These are mainly MIBs supported by the underlying RHEL OS, so there is limited monitoring of the ISE application itself via SNMP.
Monitoring ISE health using SNMP Polling
Customers typically monitor these critical operations via Email and/or Syslog alarms.
09-03-2021 03:34 AM
Ok but which ones can be used to monitor the active directory connections?
09-05-2021 03:25 PM
There are a number of Syslog messages related to Active Directory events. You can find them on the Administration > System > Logging > Message Catalog page by filtering on 'AD Connector'.
If you sort the alarms by name, those related to AD are towards the top of the list and include references to 'Active Directory' or 'AD' in the name.