Solved: Disregard, I see Jatin

__Beth__ · ‎01-13-2016

Hello,

We have a Brocade Load Balancer (ADX 1000) that is using ISE 1.2.0.899 Patch 1,2,7,12,13 as the radius server. When logging into the device via the web interface, it blows up the ISE live authentication logs. I do not see this behavior when accessing the device via ssh. I would appreciate any assistance in resolving this issue.

Thank you in advance for your time.

Jatin Katyal · ‎01-14-2016

Looks like you've some kind of probing configured on Brocade and that blowing up ISE live authentication section. I would suggest you to configure collection filter for the identity that is your username so that we can suppress it. How to configure collection filter on ISE 1.2

- Jatin

~Jatin

View solution in original post

Marvin Rhoads · ‎01-13-2016

Is your system set to "suppress successful repeated authentications"? If not, then try that.

References:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_auth_pol.html#pgfId-1337791

http://wifinigel.blogspot.com/2014/10/ises-evil-default.html

FWIW, this behavior is much improved on later versions of ISE - your 1.2 version is getting very old by now.

__Beth__ · ‎01-14-2016

Thank you for your comment. We are currently set to suppress repeated authentications. I am currently looking at upgrading ISE. My thoughts are to go to 1.3 and then 2.0, but being it will involve at least one other group, it probably won't happen for a few weeks. If you have any other recommendations, I would love to hear them. ISE is something that has been self taught and it's quite the beast. :)

Ryan Coombs · ‎01-14-2016

Beth,

You need to filter the authentications coming from the Brocade.

Go to Administration > Logging > Collection Filters

Choose Username and the value will be the username. Type should be "Filter Passed" for an unlimited time.

Hope this helps.

Ryan

Ryan Coombs · ‎01-14-2016

Disregard, I see Jatin already fixed you up.

__Beth__ · ‎01-14-2016

Thank you though. I apprecicate the effort.

Jatin Katyal · ‎01-14-2016

I would ask, if these live authentications logs coming from a specific endpoint / user?

-Jatin

~Jatin

__Beth__ · ‎01-14-2016

It's coming from a Brocade ADX 1000. It only seems to happen when logged in via the web. Not when I ssh.

- Note this is a new device and the only one we have on line at the moment.

Jatin Katyal · ‎01-14-2016

Can you please attach the complete screen shot of live authentication page.

- Jatin

~Jatin

__Beth__ · ‎01-14-2016

The identity is my user name. This happens the entire time I am logged in via the web interface.

Jatin Katyal · ‎01-14-2016

Looks like you've some kind of probing configured on Brocade and that blowing up ISE live authentication section. I would suggest you to configure collection filter for the identity that is your username so that we can suppress it. How to configure collection filter on ISE 1.2

- Jatin

~Jatin

View solution in original post

__Beth__ · ‎01-14-2016

Thank you! I have supressed it by the NAS IP address so it is no longer blowing up ISE. I really appreciate your help.

Jatin Katyal · ‎01-14-2016

No worries Bud. Have a wonderful day !!!

~Jatin

Radius authentions with ISE - Live Authenications blown up with entries