Hello,
We have a Brocade Load Balancer (ADX 1000) that is using ISE 1.2.0.899 Patch 1,2,7,12,13 as the radius server. When logging into the device via the web interface, it blows up the ISE live authentication logs. I do not see this behavior when accessing the device via ssh. I would appreciate any assistance in resolving this issue.
Thank you in advance for your time.
Is your system set to "suppress successful repeated authentications"? If not, then try that.
References:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_auth_pol.html#pgfId-1337791
http://wifinigel.blogspot.com/2014/10/ises-evil-default.html
FWIW, this behavior is much improved on later versions of ISE - your 1.2 version is getting very old by now.
Thank you for your comment. We are currently set to suppress repeated authentications. I am currently looking at upgrading ISE. My thoughts are to go to 1.3 and then 2.0, but since it will involve at least one other group, it probably won't happen for a few weeks. If you have any other recommendations, I would love to hear them. ISE is something that has been self-taught and it's quite the beast. :)
Beth,
You need to filter the authentications coming from the Brocade.
Go to Administration > Logging > Collection Filters
Choose Username and the value will be the username. Type should be "Filter Passed" for an unlimited time.
Hope this helps.
Ryan
Disregard, I see Jatin already fixed you up.
Thank you though. I appreciate the effort.
I would ask: are these live authentication logs coming from a specific endpoint / user?
-Jatin
It's coming from a Brocade ADX 1000. It only seems to happen when logged in via the web. Not when I ssh.
- Note this is a new device and the only one we have on line at the moment.
Can you please attach a complete screenshot of the live authentication page?
- Jatin
The identity is my user name. This happens the entire time I am logged in via the web interface.
Looks like you have some kind of probing configured on the Brocade, and that is blowing up the ISE live authentication section. I would suggest you configure a collection filter for the identity that is your username so that we can suppress it. How to configure collection filter on ISE 1.2
- Jatin
Thank you! I have suppressed it by the NAS IP address so it is no longer blowing up ISE. I really appreciate your help.
No worries Bud. Have a wonderful day !!!