Auth Services Status
|
AAA Diagnostics
|
The AAA Diagnostics report
provides details of all network sessions between Cisco ISE and users. If users
cannot access the network, you can review this report to identify trends and
identify whether the issue is isolated to a particular user or indicative of a
more widespread problem.
|
Choose
and select these logging categories:
Policy Diagnostics, Identity Stores Diagnostics, Authentication Flow
Diagnostics, and RADIUS Diagnostics.
|
RADIUS Authentications
|
The RADIUS Authentications
report enables you to review the history of authentication failures and
successes. If users cannot access the network, you can review the details in
this report to identify possible causes.
|
Choose
and select these logging categories:
Passed Authentications and Failed Attempts.
|
RADIUS Errors
|
The RADIUS Errors report
enables you to check for RADIUS Requests Dropped (authentication/accounting
requests discarded from unknown Network Access Device), EAP connection time
outs and unknown NADs.
Note
|
Sometimes ISE will silently drop the Accounting Stop request
of an endpoint if user authentication is in progress. However, ISE starts
acknowledging all accounting requests once the user authentication is
completed.
|
|
Choose
and select Failed Attempts.
|
RADIUS Accounting
|
The RADIUS Accounting report
identifies how long users have been on the network. If users are losing network
access, you can use this report to identify whether Cisco ISE is the cause of
the network connectivity issues.
|
Choose
and select RADIUS Accounting.
|
Authentication Summary
|
The Authentication Summary
report is based on the RADIUS authentications. It enables you to identify the
most common authentications and the reason for any authentication failures. For
example, if one Cisco ISE server is handling significantly more authentications
than others, you might want to reassign users to different Cisco ISE servers to
better balance the load.
Note
|
As the Authentication Summary
report or dashboard collects and displays the latest data corresponding to
failed or passed authentications, the contents of the report appear after a
delay of a few minutes.
|
|
—
|
OCSP Monitoring
|
The OCSP Monitoring Report
specifies the status of the Online Certificate Status Protocol (OCSP) services.
It identifies whether Cisco ISE can successfully contact a certificate server
and provides certificate status auditing. Provides a summary of all the OCSP
certificate validation operations performed by Cisco ISE. It retrieves
information related to the good and revoked primary and secondary certificates
from the OCSP server. Cisco ISE caches the responses and utilizes them for
generating subsequent OCSP Monitoring Reports. In the event the cache is
cleared, it retrieves information from the OCSP server.
|
Choose
and select System Diagnostics.
|
AD Connector Operations
|
The AD Connector Operations
report provides log of operations performed by AD Connector such as Cisco ISE
Server password refresh, Kerberos tickets management, DNS queries, DC
discovery, LDAP, and RPC Connections management, etc.
If some AD failures are
encountered, you can review the details in this report to identify the possible
causes.
|
Choose
and select AD Connector.
|
Identity
Mapping
|
The
Identity Mapping report enables you to monitor the state of WMI connection to
the domain controller and gather statistics related to it (such as amount of
notifications received, amount of user login/logouts per second etc.)
|
Choose
and select Identity Mapping.
|
Deployment Status
|
Administrator Logins
|
The
Administrator Logins report provides information about all GUI-based
administrator login events as well as successful CLI login events.
|
Choose
and select Administrative and Operational
audit.
|
Internal Administrator
Summary
|
The Internal Administrator
Summary report enables you to verify the entitlement of administrator users.
From this report, you can also access the Administrator Logins and Change
Configuration Audit reports, which enables you to view these details for each
administrator.
|
—
|
Change Configuration Audit
|
The Change Configuration
Audit report provides details about configuration changes within a specified
time period. If you need to troubleshoot a feature, this report can help you
determine if a recent configuration change contributed to the problem.
|
Choose
and select Administrative and Operational
audit.
|
Secure Communications Audit
|
The Secure Communications
Audit report provides auditing details about security-related events in Cisco
ISE Admin CLI, which includes authentication failures, possible break-in
attempts, SSH logins, failed passwords, SSH logouts, invalid user accounts, and
so on.
|
—
|
Operations Audit
|
The Operations Audit report
provides details about any operational changes, such as: running backups,
registering a Cisco ISE node, or restarting an application.
|
Choose
and select Administrative and Operational
audit.
|
System Diagnostics
|
The System Diagnostic report
provides details about the status of the Cisco ISE nodes. If a Cisco ISE node
is unable to register, you can review this report to troubleshoot the issue.
This report requires that you
first enable several diagnostic logging categories. Collecting these logs can
negatively impact Cisco ISE performance. So, these categories are not enabled
by default, and you should enable them just long enough to collect the data.
Otherwise, they are automatically disabled after 30 minutes.
|
Choose
and select these logging categories:
Internal Operations Diagnostics, Distributed Management, Administrator
Authentication and Authorization.
|
Health Summary
|
The Health Summary report
provides details similar to the Dashboard. However, the Dashboard only displays
data for the past 24 hours, and you can review more historical data using this
report.
You can evaluate this data to
see consistent patterns in data. For example, you would expect heavier CPU
usage when most employees start their work days. If you see inconsistencies in
these trends, you can identify potential problems.
|
—
|
Network Device Session Status
|
The Network Device Session
Status Summary report enables you to display the switch configuration without
logging into the switch directly.
Cisco ISE accesses these
details using an SNMP query and requires that your network devices are
configured with SNMP v1/v2c.
If a user is experiencing
network issues, this report can help you identify if the issue is related to
the switch configuration rather than with Cisco ISE.
|
—
|
Data Purging Audit
|
The Data Purging Audit
report records when the logging data is purged.
This report reflects two
sources of data purging.
At 4AM daily, Cisco ISE
checks whether there are any logging files that meet the criteria you have set
on the Administration > Maintenance > Data Purging page. If so, the files
are deleted and recorded in this report. Additionally, Cisco ISE continually
maintains a maximum of 80% used storage space for the log files. Every hour,
Cisco ISE verifies this percentage and deletes the oldest data until it reaches
the 80% threshold again. This information is also recorded in this report.
|
—
|
pxGrid
Administrator Audit
|
The pxGrid
Administrator Audit report provides the details of the pxGrid administration
actions such as client registration, client deregistration, client approval,
topic creation, topic deletion, publisher-subscriber addition, and
publisher-subscriber deletion on the PAN.
Every
record has the administrator name who has performed the action on the node.
You can
filter the pxGrid Administrator Audit report based on the administrator and
message criteria.
|
—
|
Misconfigured Supplicants
|
The Misconfigured
Supplicants report provides a list of mis-configured supplicants along with the
statistics due to failed attempts that are performed by a specific supplicant.
If you have taken corrective actions and fix the mis-configured supplicant, the
report displays fixed acknowledgment in the report.
Note
|
RADIUS Suppression should
be enabled to run this report.
|
|
—
|
Misconfigured NAS
|
The Misconfigured NAS
report provides information about NADs with inaccurate accounting frequency
typically when sending accounting information frequently. If you have taken
corrective actions and fix the mis-configured NADs, the report displays fixed
acknowledgment in the report.
Note
|
RADIUS Suppression should
be enabled to run this report.
|
|
—
|
Endpoints and Users
|
Client Provisioning
|
The Client Provisioning
report indicates the client provisioning agents applied to particular
endpoints. You can use this report to verify the policies applied to each
endpoint to verify whether the endpoints have been correctly provisioned.
|
Choose
and select Posture and Client Provisioning
Audit and Posture and Client Provisioning Diagnostics.
|
Current Active Sessions
|
The Current Active Sessions
report enables you to export a report with details about who was currently on
the network within a specified time period.
If a user isn't getting
network access, you can see whether the session is authenticated or terminated
or if there is another problem with the session.
|
—
|
Endpoint Protection
Service
Adaptive Network
ControlAudit
|
The
Endpoint Protection
Service
Adaptive Network
Control Audit report is based on the RADIUS accounting. It displays
historical reporting of all network sessions for each endpoint.
|
Choose
and select Passed Authentications and
RADIUS Accounting.
|
External Mobile Device
Management
|
The External Mobile Device
Management report provides details about integration between Cisco ISE and the
external Mobile Device Management (MDM) server.
You can use this report to
see which endpoints have been provisioned by the MDM server without logging
into the MDM server directly. It also displays information such as registration
and MDM-compliance status.
|
Choose
and select MDM.
|
Posture Detail Assessment
|
The Posture Detail
Assessment report provides details about posture compliancy for a particular
endpoint. If an endpoint previously had network access and then suddenly was
unable to access the network, you can use this report to determine if a posture
violation occurred.
|
Choose
and select Posture and Client Provisioning
Audit and Posture and Client Provisioning Diagnostics.
|
Profiled Endpoint Summary
|
The Profiled Endpoint
Summary report provides profiling details about endpoints that are accessing
the network.
Note
|
For endpoints that do not
register a session time, such as a Cisco IP-Phone, the term Not Applicable is
shown in the Endpoint session time field.
|
|
Choose
and select Profiler.
|
Endpoint Profile Changes
|
The Endpoint Profile Change
report serves two purposes:
-
Compares the profile
changes for a particular endpoint to verify that the latest and most current
profile has been applied.
-
Displays profile changes
initiated by the profiler feed service (which is available with a Cisco ISE
Plus license).
|
—
|
Top Authorizations by
Endpoint
|
The Top Authorization by
Endpoint (MAC address) report displays how many times each endpoint MAC address
was authorized by Cisco ISE to access the network.
|
Passed Authentications,
Failed Attempts
|
Top Authorizations by User
|
The Top Authorization by
User report displays how many times each user was authorized by Cisco ISE to
access the network.
|
Passed Authentications,
Failed Attempts
|
User Change Password Audit
|
The User Change Password
Audit report displays verification about employee's password changes.
|
Administrative and
Operational audit
|
Supplicant Provisioning
|
The Supplicant Provisioning
report provides details about the supplicants provisioned to employee's
personal devices.
|
Posture and Client
Provisioning Audit
|
Registered Endpoints
|
The Registered Endpoints
report displays all personal devices registered by employees.
|
—
|
Endpoints
Purge Activities
|
The
Endpoints Purge Activities report enables the user to review the history of
endpoints purge activities. This report requires that the Profiler logging
category is enabled. It is enabled by default.
|
Choose
and select Profiler.
|
Guest
Access Reports
|
AUP
Acceptance Status
|
The AUP
Acceptance Status report provides details of AUP acceptances from all the Guest
portals.
|
Choose
and select Guest.
|
Sponsor
Login and Audit
|
The
Sponsor Login and Audit report provides details of guest users' login, add,
delete, enable, suspend and update operations and the login activities of the
sponsors at the sponsors portal.
If guest
users are added in bulk, they are visible under the column 'Guest Users.' This
column is hidden by default. On export, these bulk users are also present in
the exported file.
|
Choose
and select Guest.
|
My Devices
Login and Audit
|
The My
Devices Login and Audit report provides details about the login activities and
the operations performed by the users on the devices in My Devices Portal.
|
Choose
and select My Devices.
|
Master
Guest Report
|
The Master Guest Report
combines data from various Guest Access reports and enables you to export data
from different reporting sources. The Master Guest report also provides details
about the websites that guest users are visiting. You can use this report for
security auditing purposes to demonstrate when guest users accessed the network
and what they did on it.
You must also enable HTTP
inspection on the network access device (NAD) used for guest traffic. This
information is sent back to Cisco ISE by the NAD.
To check
when the clients reach the maximum simultaneous sessions limit, from the Admin
portal, choose
Administration > System > Logging > Logging
Categories and do the following:
-
Increase the log level of "Authentication Flow Diagnostics"
logging category from WARN to INFO.
-
Change
LogCollector Target from Available to Selected under the "Logging Category" of
AAA Diagnostics.
|
Choose
and select Passed Authentications.
|
Guest
Accounting
|
The Guest Accounting report
is a subset of the RADIUS Accounting report. All users assigned to the
Activated Guest or Guest identity groups appear in this report.
|
—
|
TrustSec
|
RBACL Drop Summary
|
The RBACL Drop Summary
report is specific to the TrustSec feature, which is available only with an
Advanced Cisco ISE license.
This report also requires
that you configure the network devices to send NetFlow events for dropped
events to Cisco ISE.
If a user violates a
particular policy or access, packets are dropped and indicated in this report.
|
—
|
Top N RBACL Drops By User
|
The Top N RBACL Drops By
User report is specific to the TrustSec feature, which is available only with
an Advanced Cisco ISE license.
This report also requires
that you configure the network devices to send NetFlow events for dropped
events to Cisco ISE.
This report displays policy
violations (based on packet drops) by specific users.
|
—
|