Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1122
Views
5
Helpful
6
Replies

What to find all failed devices during monitor mode?

Go to solution
getaway51
Level 2
Level 2

‎11-01-2019 01:15 AM

Hi,

I checked in 3 places for failed devices during monitor mode. However most of the time, i found too many logs and not really sure where to look exactly to determine if an endpoint was "deny access" due to default identity grp. So i look manually one by one mac address and cross check in radius logs and context visibility. This took a long time even for a single devices. 

I would like to knw how to quickly and most accurate way to chk the failed devices(which mostly due to def identity grp or other reasons) so tht i can add them into the correct identity grp. 

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
howon
Cisco Employee
Cisco Employee

‎11-02-2019 12:20 AM

One option is to instead of failing endpoints, create a catch all policy rule that sends back authorization profile named "FAILED" but instead of sending back ACCESS-REJECT send back simple ACCESS-ACCEPT. This way, you can easily create report based on the authorization profile called 'FAILED'. Caveat is that the live log and ISE report will no longer mark failed authentication with red entry but you can easily filter it by authorization profile name.

View solution in original post

Go to solution
Parag Mahajan
Cisco Employee
Cisco Employee
In response to getaway51

‎11-02-2019 08:36 AM

Export all endpoints in context visibility. Apply filter for authorization rule with name of default rule and network device.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
howon
Cisco Employee
Cisco Employee

‎11-02-2019 12:20 AM

One option is to instead of failing endpoints, create a catch all policy rule that sends back authorization profile named "FAILED" but instead of sending back ACCESS-REJECT send back simple ACCESS-ACCEPT. This way, you can easily create report based on the authorization profile called 'FAILED'. Caveat is that the live log and ISE report will no longer mark failed authentication with red entry but you can easily filter it by authorization profile name.

Go to solution
getaway51
Level 2
Level 2
In response to howon

‎11-02-2019 02:00 AM

Hi,

 

I dont quite understand but is there any other way which already available tht dont need configuring ISE?

After I turn ON monitor mode, I just need to find those failed devices so tht I can add their MAC address in CV identity group. 

0 Helpful

Go to solution
getaway51
Level 2
Level 2
In response to howon

‎11-02-2019 03:18 AM

Hi,

 

I understood there are too many ISE logs and live sessions every 10sec, is there a way to quickly identify the latest failed devices after configuring "monitor mode" especially for MAB devices?

Where is the best place and method to achieve these?

 

0 Helpful

Go to solution
Parag Mahajan
Cisco Employee
Cisco Employee
In response to getaway51

‎11-02-2019 08:36 AM

Export all endpoints in context visibility. Apply filter for authorization rule with name of default rule and network device.

0 Helpful

Go to solution
getaway51
Level 2
Level 2
In response to Parag Mahajan

‎11-03-2019 12:51 AM

Hi,

 

Context visibility only will show all the latest updated result? Will it include any historical value as well?

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to getaway51

‎11-08-2019 09:16 AM

Context visibility is not currently designed to keep historical results. Please run a RADIUS authentication report instead.

0 Helpful
Customers Also Viewed These Support Documents