cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
322
Views
0
Helpful
3
Replies

Can someone confirm my ISE 3.2 observation?

hemmerling
Level 1
Level 1

It would appear that when using ISE 3.2 in HA with two ISE servers that if you are using the second server as a Device Admin as well that you will not be able to see those TACACS live logs.

They don't seem to forward TACACS live logs from the secondary TACACS ISE server to the primary ISE server, and since there are no menus on the secondary to view live logs, only to promote it to PAN, insert certs and set the time, that you simply can't see any live TACACS logs of the devices using the secondary ISE server as a TACACS authenticator, failures or successes.


Is this common knowledge?  I spent a long time trying to figure out why I wasn't seeing logs only to come to this conclusion.

3 Replies 3

balaji.bandi
Hall of Fame
Hall of Fame

If you deploying distributed deployment depends what roles each node have it.

one of the node act as Primary that where you see all the live logs, not all device in the distributed deployment.

refer below guide for more information and roles :

https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/install_guide/b_ise_installationGuide32/b_ise_InstallationGuide32_chapter_1.html#concept_jnm_frd_tsb

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

hemmerling
Level 1
Level 1

2 servers, both do Device Admin (TACACS)

Both in the same HA deployment.

Anything that authenticates with the "not primary server" does not show up in the only live log you can see, the one running from the primary.
In other words you can not see live logs for any TACACS authentications that aren't happening on the primary server. 
Is it supposed to be this way? If so, Cisco needs to put a banner in that live log that says "You cannot see TACACS authentications from any other server in this log."

I have little idea what happened here

there is different 
authc and authz use one ISE not both 

MHM
Account can use both and hence you can see log in both ISE 
the account with server group work if the ISE support broadcast 

Review Cisco Networking for a $25 gift card