cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

681
Views
0
Helpful
12
Replies
__Beth__
Beginner

Radius authentions with ISE - Live Authenications blown up with entries

Hello,

We have a Brocade Load Balancer (ADX 1000) that is using ISE 1.2.0.899 Patch 1,2,7,12,13 as the radius server.  When logging into the device via the web interface, it blows up the ISE live authentication logs. I do not see this behavior when accessing the device via ssh. I would appreciate any assistance in resolving this issue.

   

Thank you in advance for your time.

1 ACCEPTED SOLUTION

Accepted Solutions

Looks like you've some kind of probing configured on Brocade and that blowing up ISE live authentication section. I would suggest you to configure collection filter for the identity that is your username so that we can suppress it.  How to configure collection filter on ISE 1.2

- Jatin

~Jatin

View solution in original post

12 REPLIES 12
Marvin Rhoads
Hall of Fame Guru

Is your system set to "suppress successful repeated authentications"? If not, then try that.

References: 

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_auth_pol.html#pgfId-1337791

http://wifinigel.blogspot.com/2014/10/ises-evil-default.html

FWIW, this behavior is much improved on later versions of ISE - your 1.2 version is getting very old by now.

Thank you for your comment.  We are currently set to suppress repeated authentications.  I am currently looking at upgrading ISE.  My thoughts are to go to 1.3 and then 2.0, but being it will involve at least one other group, it probably won't happen for a few weeks.  If you have any other recommendations, I would love to hear them.  ISE is something that has been self taught and it's quite the beast. :)  

Beth,

You need to filter the authentications coming from the Brocade.

Go to Administration > Logging > Collection Filters

Choose Username and the value will be the username.  Type should be "Filter Passed" for an unlimited time.

Hope this helps.

Ryan

Disregard, I see Jatin already fixed you up.

Thank you though.  I apprecicate the effort. 

Jatin Katyal
Cisco Employee

I would ask, if these live authentications logs coming from a specific endpoint / user?

-Jatin

~Jatin

It's coming from a Brocade ADX 1000.  It only seems to happen when logged in via the web.  Not when I ssh.

- Note this is a new device and the only one we have on line at the moment.

Can you please attach the complete screen shot of live authentication page.

- Jatin

~Jatin

The identity is my user name.  This happens the entire time I am logged in via the web interface. 

Looks like you've some kind of probing configured on Brocade and that blowing up ISE live authentication section. I would suggest you to configure collection filter for the identity that is your username so that we can suppress it.  How to configure collection filter on ISE 1.2

- Jatin

~Jatin

View solution in original post

Thank you!  I have supressed it by the NAS IP address so it is no longer blowing up ISE.  I really appreciate your help.

No worries Bud. Have a wonderful day !!!

~Jatin
Content for Community-Ad