02-25-2024 11:33 PM
Hello Folks,
I am trying to set a capture on Cisco ISE 3.2 to understand the flow of EAP-TLS under Operations > Troubleshoot > Diagnostic Tools > TCP Dump, but the problem is ISE is not capturing the logs for a single endpoint.
Options which I am selecting are:
Hostname > ISEPSN
network interface> 0
filter> endpoint IP address (ip host 10.x.x.x)
Is there any way to capture endpoint traffic, or any way to capture the traffic using a policy set?
02-26-2024 01:18 PM
ISE learns the endpoint IP address from RADIUS Accounting that is sent from the switch by the Device Sensor. This is in the payload of the RADIUS Accounting packet, and what you are filtering on using tcpdump is only the IP header itself. That header will only include the source (switch) and destination (ISE PSN) of the RADIUS traffic itself.
If you want to look at the flow for a single endpoint, you would need to capture all RADIUS traffic for the PSN (ip host <psn ip> and port 1812) then try to filter on the Calling-Station-ID for the MAC address of that endpoint.
https://osqa-ask.wireshark.org/questions/47935/radiuscalling_station_id-filter/
02-26-2024 01:43 PM
You can also do an EndPoint Debug (Operations > Troubleshoot > Diagnostic Tools > General Tools > EndPoint Debug)
The resultant text file is not easy to read, but that at least tells you what ISE is busy doing with that one endpoint. I tend to not use that text file much because I can't understand it. But I like the certificate capture feature - ISE will capture the client certificate for that endpoint - you can download it and analyse it - great feature! If there is an issue with the endpoint cert (e.g. Subject Name missing data, or whatever), you can prove it with that capture.
tcpdump is still your friend for the RADIUS to-and-fro. Just use Wireshark filters to fish out the endpoint of interest (using Calling-Station-ID as your search key)
02-26-2024 07:30 AM
Do you have the expected PSN selected? Do you see any traffic in the pcap? You cannot filter based on Policy Set in tcp dump as TCP dump occurs much lower in the OS before the RADIUS traffic is processed.
03-04-2024 01:05 PM
ISE has a Wireshark/tcpdump packet capture utility built in, as you noted. This tool knows nothing about ISE or policy sets. Capture and filter your traffic by the endpoint MAC address, since RADIUS and EAP-TLS happen before the endpoint has an IP address. Watch this part of our webinar for how to do it:
11:34 Demo: RADIUS Packet Capture (TCPDump) on ISE for RADIUS Authentication and Accounting Start+Stop
14:30 Demo: RADIUS Packet Capture in WireShark
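The Calling-Station-Id filtering recommended in the answers above, as an added Python example (not code from this thread, from Cisco, or from ISE): it walks the RFC 2865 attribute-value pairs of each RADIUS packet and keeps only those whose Calling-Station-Id (attribute 31) matches the endpoint MAC, regardless of whether the switch wrote it with dashes, colons or Cisco dotted notation. The packets are constructed inline; with a real capture you would read the RADIUS UDP payloads out of the pcap first.

```python
import struct

CALLING_STATION_ID = 31  # RADIUS attribute type for Calling-Station-Id (RFC 2865)
USER_NAME = 1
ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4  # RADIUS Code values

def build_radius(code, ident, avps):
    """Build a RADIUS packet: Code(1) Identifier(1) Length(2) Authenticator(16) AVPs.
    The authenticator is a dummy; only the attribute layout matters here."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + b"\x00" * 16 + body

def radius_avps(pkt):
    """Yield (type, value) for each AVP; stop at the first malformed length."""
    if len(pkt) < 20:
        return
    length = struct.unpack("!H", pkt[2:4])[0]
    pos = 20
    while pos + 2 <= min(length, len(pkt)):
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > len(pkt):
            break  # AVP length must cover at least its own type+length bytes
        yield t, pkt[pos + 2:pos + l]
        pos += l

def normalize_mac(s):
    """Reduce 'AA-BB-..', 'aabb.ccdd.eeff' and 'aa:bb:..' to 12 lowercase hex digits."""
    digits = "".join(ch for ch in s.lower() if ch in "0123456789abcdef")
    return digits if len(digits) == 12 else None

def calling_station_id(pkt):
    """Return the Calling-Station-Id string of a RADIUS packet, or None if absent."""
    for t, v in radius_avps(pkt):
        if t == CALLING_STATION_ID:
            return v.decode("ascii", "replace")
    return None

def filter_by_mac(packets, mac):
    """Keep only packets whose Calling-Station-Id is the given endpoint MAC."""
    want = normalize_mac(mac)
    return [p for p in packets if normalize_mac(calling_station_id(p) or "") == want]

# Constructed sample packets (not from a real ISE capture): two endpoints authenticating,
# plus an Accounting-Request for the first endpoint in Cisco dotted MAC notation.
SAMPLE_PACKETS = [
    build_radius(ACCESS_REQUEST, 1, [(USER_NAME, b"host/laptop1"), (CALLING_STATION_ID, b"00-11-22-33-44-55")]),
    build_radius(ACCESS_REQUEST, 2, [(USER_NAME, b"host/laptop2"), (CALLING_STATION_ID, b"AA-BB-CC-DD-EE-FF")]),
    build_radius(ACCOUNTING_REQUEST, 3, [(CALLING_STATION_ID, b"0011.2233.4455")]),
]

if __name__ == "__main__":
    for p in filter_by_mac(SAMPLE_PACKETS, "00:11:22:33:44:55"):
        print("code", p[0], "id", p[1], "Calling-Station-Id", calling_station_id(p))
```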