Cisco ISE Reports

Cisco Identity Services Engine (ISE) reports are used with monitoring and troubleshooting features to analyze trends and to monitor system performance and network activities from a central location.

Cisco ISE collects logs and configuration data from your network. It then aggregates the data into reports for you to view and analyze. Cisco ISE provides a standard set of predefined reports that you can use and customize to fit your needs.

Cisco ISE reports are pre-configured and grouped into categories with information related to authentication, session traffic, device administration, configuration, administration, and troubleshooting.

Report Filters

There are two types of reports, single-section and multi-section. Single-section reports contain a single grid (Radius Authentications report) and multi-section reports contain many grids (Authentications Summary report) and represent data in the form of charts and tables. The Filter drop-down menu in the single-section reports contains the Quick Filter and Advanced Filter. In the multi-section reports, you can specify only advanced filters.

Multi-section reports may contain one or more mandatory advanced filters that require your input. For example, when you click the Health Summary report (Operations > Reports > Diagnostics page), it displays two mandatory advanced filters—Server and Time Range. You must specify the operator command, server name, and required values for both these filters, and then click Go to generate the report. You can add new advanced filters by clicking the Plus (+) symbol. You can export multi-section reports only in the PDF format. You cannot schedule Cisco ISE multi-section reports to run and re-run at a specific time or at specific time intervals.


Note


When you click a report, data for the current date is generated by default. However, some multi-section reports require mandatory input from the user apart from the time range.


By default, the Quick Filter is displayed as the first row in single-section reports. The fields may contain a drop-down list from which you can select the search criteria or may be a text box.

An Advanced Filter contains outer criteria that contain one or more inner criteria. The outer criteria specify whether the search should meet All or Any of the specified inner criteria. The inner criteria contain one or more conditions that specify the Category (Endpoint ID, Identity Group), Method (operator commands, such as Contains, Does Not Contain), and Time Range for the condition.

When using the Quick Filter, you can choose a date or time from the Logged At drop-down list to generate reports for a data set logged in the last 30 days or less. If you want to generate a report for a date or time prior to 30 days, use the Advanced Filter to set the required time frame in the From and To fields of the Custom option from the drop-down list.

Create the Quick Filter Criteria

This section describes how to create quick filter criteria. You can create quick filter criteria only for single-section reports.

Procedure


Step 1

Choose Operations > Reports and click the required report.

Step 2

From the Settings drop-down list, choose the required fields.

Step 3

In the required field, you can choose from the drop-down list or type the specific characters to filter data. The search uses the Contains operator command. For example, to filter by text that begins with “K”, enter K, or to filter text that has “geo” anywhere in the text, enter geo. You can also use asterisks (*), for example, the regex starting with *abc and ending with *def.

The quick filter uses the following conditions: contains, starts with, ends with, starts with or ends with, and multiple values with OR operator.

Step 4

Press Enter.


Create the Advanced Filter Criteria

This section describes how to create advanced filter criteria. You can create advanced filters for single- and multi-section reports. The Filter drop-down menu in the single-section reports contains the Quick Filter and Advanced Filter. In the multi-section reports, you can specify only advanced filters.

Procedure


Step 1

Choose Operations > Reports and click the required report.

Step 2

In the Filters section, from the Match drop-down list, choose one of the options.

  1. Choose All to match all specified conditions.

  2. Choose Any to match any one specified condition.

Step 3

From the Time Range drop-down list, choose the required category.

Step 4

From the Operator Commands drop-down list, choose the required command. For example, you can filter text that begins with a specific character (use Begin With), or specific characters anywhere in the text (use Contains). Or, you can choose the Logged Time and corresponding Custom option and specify the From and To date and time from the calendar to filter data.

Step 5

From the Time Range drop-down list, choose the required option.

Step 6

Click Go.


You can save a filtered report and retrieve it from the Filter drop-down list for future reference.

Run and View Reports

This section describes how to run, view, and navigate reports using Reports View. When you click a report, by default, data for the last seven days is generated. Each report displays 500 rows of data per page. You can specify time increments over which to display data in a report.

Procedure


Step 1

Choose Operations > Reports > ISE Reports.

You can also navigate to the Reports link under each work center to view the set of reports specific to that work center.

Step 2

Click a report from the report categories available.

Step 3

Select one or more filters to run a report. Each report has different filters available, of which some are mandatory and some are optional.

Step 4

Enter an appropriate value for the filters.

Step 5

Click Go.


Reports Navigation

You can get detailed information from the reports output. For example, if you have generated a report for a period of five months, the graph and table will list the aggregate data for the report in a scale of months.

You can click a particular value from the table to see another report related to this particular field. For example, an authentication summary report will display the failed count for the user or user group. When you click the failed count, an authentication summary report is opened for that particular failed count.

Export Reports

You can export the following reports only in the PDF file format:

  • Authentication Summary

  • Health Summary

  • RBACL Drop Summary


    Note


    Flows for RBACL dropped packets are available only with the Cisco Catalyst 6500 series switches.

  • Guest Sponsor Summary

  • Endpoint Profile Changes

  • Network Device Session Status

Procedure


Step 1

Run a report, as described in the Run and View Reports section.

Step 2

Click Export To in the top-right corner of the report summary page.

Step 3

Choose one of the following options:

  • Repository (CSV): To export the report in CSV file format to a repository

  • Local (CSV): To export the report in CSV file format to a local disk

  • Local (PDF): To export the report in PDF file format to a local disk

Note

 
  • When you select the local CSV or PDF option, only the first 500 records are exported. You can use the Repository CSV option to export all the records.

  • When you export the multi-section reports using the local PDF option, only the first 100 rows are exported for each section.


My Reports

You can add preconfigured system reports and personally filtered reports to the My Reports section. Reports saved to the My Reports section retain the filters applied to them.

Procedure


Step 1

On the Reports window (Operations > Reports), click the report that you require from the Reports drop-down menu displayed on the left.

Step 2

(Optional) When the selected report opens, add required filters to customize the report.

Step 3

Click the Add to My Reports button at the top right-hand corner of the window.

Step 4

The Save to My Reports dialog box opens. The name and description of the report are auto-populated. You can edit these fields if needed.

Step 5

(Optional) The selected reports are saved with the applicable filters, thus retaining their customization.

Step 6

Click Save to save the report. A dialog box saying that the report has been successfully saved will be displayed.

Step 7

The selected report will now appear in the My Reports drop-down list for easy access.


You can remove a report added to the My Reports section by clicking the Remove From My Reports button at the top right-hand corner of the window. Click OK in the Alert dialog box that appears and the report will be removed from your My Reports section.

Scheduling Cisco ISE Reports

You can schedule Cisco ISE reports to run and re-run at a specific time or at specific time intervals. You can also apply appropriate filters to your report of choice. You can schedule reports to run on Cisco ISE with hourly, daily, weekly, monthly, and yearly frequency, or as a one-time report scheduling job. You can choose the start dates and end dates of the reports, the days of the week on which they run, and the time at which the scheduled report runs.

You can also send and receive email notifications for the reports generated. These email notifications will tell you if the scheduled report has run successfully and will also contain details of the repository, time of scheduled report, and so on.

When scheduling reports with Hourly frequency, you can have the report run over multiple days, but the time frame cannot span two days.

For example, when scheduling an hourly report from May 4, 2019, to May 8, 2019, you can set the time interval as between 6:00 a.m. and 11:00 p.m. each day, but not between 6:00 p.m. of one day and 11:00 a.m. of the next. Cisco ISE displays an error message that the time range is invalid in the latter case.

You cannot schedule the following reports:

  • Authentication Summary

  • Health Summary

  • RBACL Drop Summary


    Note


    Flows for RBACL dropped packets are available only with the Cisco Catalyst 6500 Series Switches.

  • Guest Sponsor Summary

  • Endpoint Profile Changes

  • Network Device Session Status

Procedure


Step 1

On the Reports window (Operations > Reports), select the report that you want to schedule from the Reports drop-down menu displayed on the left.

Step 2

(Optional) When the selected report opens, apply the filters that you want to be applicable to the report.

Step 3

Click the Schedule button at the top right-hand corner of the window.

Step 4

The Save as Schedule dialog box opens.

Step 5

Fill in the details such as name, description, email, date, and time of the schedule job.

Step 6

From the Repository drop-down list, choose the external repository that would save the scheduled report. For more information, see “Table 1. Supportability Matrix for External Repositories” under the Backup and Restore Repositories section of the Cisco ISE Administrator Guide.

Step 7

From the Frequency drop-down list, choose the frequency of the schedule as required. For example, if you only need data of the last 12 hours, select the Last 12 hours data field while scheduling the report.

Step 8

Select a Start Date and End Date as required and click Save.

Step 9

All the selected filters will automatically apply to the report while scheduling it.

Step 10

You can see the created schedule and applied filters in the Scheduled Reports section at the bottom of the window.


You can also edit and delete scheduled reports as needed. Choose the scheduled report of your choice from the Scheduled Reports drop-down list (Operations > Reports > Scheduled Reports). Click Edit Schedule to make changes to your scheduled reports and click Save. Click Delete Schedule to delete your scheduled report.

Use Case: Scheduled Reports

To get the previous day’s data at 12 AM on the current day, schedule the report following this procedure:

Procedure


Step 1

On the Reports window (Operations > Reports), select the report that you want to schedule from the Reports drop-down menu displayed on the left.

Step 2

(Optional) When the selected report opens, apply the filters that you want to be applicable to the report.

Step 3

In this scenario, to get the data from the previous day, select the Logged at field and apply the Yesterday filter. This will return the previous day’s data whenever the scheduled report runs. If you only need data of the last 12 hours, select the Last 12 hours data field in the Save as Schedule dialog box while scheduling the report.

Step 4

Click the Schedule button at the top right-hand corner of the window.

Step 5

The Save as Schedule dialog box opens.

Step 6

Fill in the details such as name, description, email, date, and time of the schedule job.

Step 7

From the Repository drop-down list, choose the external repository that would save the scheduled report. For more information, see “Table 1. Supportability Matrix for External Repositories” under the Backup and Restore Repositories section of the Cisco ISE Administrator Guide.

Step 8

From the Frequency drop-down list, choose the frequency of the schedule as required. For example, if you only need data of the last 12 hours, select the Last 12 hours data field while scheduling the report.

Step 9

Select a Start Date and End Date as required and click Save.

Step 10

All the selected filters will automatically apply to the report while scheduling it.

Step 11

You can see the created schedule and applied filters in the Scheduled Reports section at the bottom of the window.



Note


  • Most scheduled reports are exported in .csv format. However, the scheduled reports for Radius Authentication, Radius Accounting, TACACS Authentication, TACACS Accounting, and Operations Audit are exported in a .zip folder containing .csv files.

  • If an external administrator (for example: Active Directory Administrator) creates a scheduled report without filling the email-id field, no email notifications will be sent.

  • An internal or external Cisco ISE user should be deleted only after deleting the scheduled reports created by that particular user to ensure that there are no active schedules running after the user is removed.

  • You can save or schedule (with filters) Cisco ISE reports only from the PAN.

  • A scheduled report job runs on both Primary MnT and Secondary MnT nodes. If the Primary MnT is down, the Secondary MnT executes the scheduled report job. In such a scenario, the Secondary MnT first pings the Primary MnT. The Secondary MnT runs the scheduled export job only if the ping fails.

  • From Cisco ISE 3.1 Patch 1 onwards, the date format in exported reports has changed from YYYY-MM-DD to DD-MM-YY. The time format has changed from hh:mm:ss.sss to hh:mm:ss.sss AM/PM (24-hour format to 12-hour format).
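
The format change in the last note matters when exports from before and after the patch are merged in a log pipeline: sorting the raw strings misorders events. The following is an added example, not Cisco code, that normalizes both formats before sorting. The column names, the single space between date and time, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Formats taken from the note above. Joining date and time with one space
# is an assumption about the exported field, not something the guide states.
OLD_FORMAT = "%Y-%m-%d %H:%M:%S.%f"      # YYYY-MM-DD hh:mm:ss.sss (24-hour)
NEW_FORMAT = "%d-%m-%y %I:%M:%S.%f %p"   # DD-MM-YY hh:mm:ss.sss AM/PM (12-hour)

# Constructed sample: one row in the old format, two rows in the new format.
# "Logged At" and "Event" are hypothetical column names.
SAMPLE_EXPORT = """Logged At,Event
2021-11-30 23:15:42.120,event-a
01-12-21 12:05:10.500 AM,event-b
01-12-21 01:30:00.000 PM,event-c
"""


def parse_logged_at(value):
    """Parse a timestamp in either export format into a datetime.

    %Y only matches a four-digit year, so a value can match at most one
    of the two formats and the order of the attempts does not matter.
    """
    value = value.strip()
    for fmt in (OLD_FORMAT, NEW_FORMAT):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognized export timestamp: {value!r}")


def naive_order(text, column="Logged At"):
    """Event order produced by sorting the raw timestamp strings."""
    rows = list(csv.DictReader(io.StringIO(text)))
    return [row["Event"] for row in sorted(rows, key=lambda r: r[column])]


def chronological_order(text, column="Logged At"):
    """Event order produced by sorting on the normalized timestamps."""
    rows = []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        try:
            stamp = parse_logged_at(row[column])
        except ValueError as exc:
            # Fail loudly with the line number instead of dropping the row.
            raise ValueError(f"line {line_no}: {exc}") from None
        rows.append((stamp, row["Event"]))
    return [event for _, event in sorted(rows)]


if __name__ == "__main__":
    print("string sort:      ", naive_order(SAMPLE_EXPORT))
    print("normalized sort:  ", chronological_order(SAMPLE_EXPORT))
    print("ISO 8601 example: ",
          parse_logged_at("01-12-21 01:30:00.000 PM").isoformat())
```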


Cisco ISE Active RADIUS Sessions

Cisco ISE provides a dynamic Change of Authorization (CoA) feature for the Live Sessions that allows you to dynamically control active RADIUS sessions. You can send reauthenticate or disconnect requests to a Network Access Device (NAD) to perform the following tasks:

  • Troubleshoot issues related to authentication—You can use the Session reauthentication option to follow up with another attempt to reauthenticate. However, you must not use this option to restrict access. To restrict access, use the shutdown option.

  • Block a problematic host—You can use the Session termination with port shutdown option to block an infected host that sends a lot of traffic over the network. However, the RADIUS protocol does not currently support a method for re-enabling a port that has been shut down.

  • Force endpoints to reacquire IP addresses—You can use the Session termination with port bounce option for endpoints that do not have a supplicant or client to generate a DHCP request after a VLAN change.

  • Push an updated authorization policy to an endpoint—You can use the Session reauthentication option to enforce an updated policy configuration, such as a change in the authorization policy on existing sessions based on the discretion of the administrator. For example, if posture validation is enabled, when an endpoint gains access initially, it is usually quarantined. After the identity and posture of the endpoint are known, it is possible to send the Session reauthentication command to the endpoint for the endpoint to acquire the actual authorization policy based on its posture.

For CoA commands to be understood by the device, it is important that you configure the options appropriately.

For CoA to work properly, you must configure the shared secret of each device that requires a dynamic change of authorization. Cisco ISE uses the shared secret configuration to request access from the device and issue CoA commands to it.


Note


In this release of Cisco ISE, the maximum number of active authenticated endpoint sessions that can be displayed is limited to 100,000.


Change Authorization for RADIUS Sessions

Some Network Access Devices on your network may not send an Accounting Stop or Accounting Off packet after a reload. As a result, you might find two sessions in the Session Directory reports, one of which has expired.

To dynamically change the authorization of an active RADIUS session or disconnect an active RADIUS session, be sure to choose the most recent session.

Procedure


Step 1

Choose Operations > RADIUS Livelog.

Step 2

Switch the view to Show Live Session.

Step 3

Click the CoA link for the RADIUS session for which you want to issue a CoA and choose one of the following options:

  • SAnet Session Query—Use this to query information about sessions from SAnet supported devices.

  • Session reauthentication—Reauthenticate session. If you select this option for a session established on an ASA device supporting CoA, this will invoke a Session Policy Push CoA.

  • Session reauthentication with last—Use the last successful authentication method for this session.

  • Session reauthentication with rerun—Run through the configured authentication method from the beginning.

    Note

     

    Session reauthentication with last and Session reauthentication with rerun options are not currently supported in Cisco IOS software.

  • Session termination—Just end the session. The switch reauthenticates the client in a different session.

  • Session termination with port bounce—Terminate the session and restart the port.

  • Session termination with port shutdown—Terminate the session and shut down the port.

Step 4

Click Run to issue CoA with the selected reauthenticate or terminate option.

If your CoA fails, it could be one of the following reasons:

  • Device does not support CoA.

  • Changes have occurred to the identity or authorization policy.

  • There is a shared secret mismatch.
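
Why a shared secret mismatch makes a CoA fail, as an added example that is not Cisco code: it follows the Request Authenticator calculation that RFC 5176 defines for CoA-Request and Disconnect-Request packets, where the sender hashes the packet together with the shared secret and the receiver recomputes the digest with its own copy. The secrets, identifier and MAC address used with it are constructed values.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes and one RFC 2865 attribute type.
DISCONNECT_REQUEST = 40
COA_REQUEST = 43
CALLING_STATION_ID = 31
HEADER_LEN = 20  # code (1) + identifier (1) + length (2) + authenticator (16)


def encode_attribute(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1 to 253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def request_authenticator(code, identifier, attributes, secret):
    """MD5(code + id + length + 16 zero octets + attributes + secret)."""
    length = HEADER_LEN + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + b"\x00" * 16 + attributes + secret).digest()


def build_request(code, identifier, attributes, secret):
    """Sender side: assemble a CoA or Disconnect request packet."""
    length = HEADER_LEN + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    authenticator = request_authenticator(code, identifier, attributes, secret)
    return header + authenticator + attributes


def verify_request(packet, secret):
    """Receiver side: recompute the digest with the locally configured secret."""
    if len(packet) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = request_authenticator(code, identifier,
                                     packet[HEADER_LEN:], secret)
    # Constant-time comparison of the received and expected authenticators.
    return hmac.compare_digest(packet[4:HEADER_LEN], expected)


if __name__ == "__main__":
    # Constructed values for illustration only.
    sender_secret = b"constructed-secret-A"
    mismatched_secret = b"constructed-secret-B"
    attrs = encode_attribute(CALLING_STATION_ID, b"00-11-22-33-44-55")
    packet = build_request(COA_REQUEST, 7, attrs, sender_secret)

    print("same secret on both sides:", verify_request(packet, sender_secret))
    print("mismatched secret:        ", verify_request(packet, mismatched_secret))
```

A receiver configured with a different secret computes a different digest and cannot accept the request, which is why both the Cisco ISE network device entry and the device itself must hold the same value.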


Available Reports

The following table lists the preconfigured reports, grouped according to their category. Descriptions of the report functionality and logging category are also provided.

To generate syslogs for a logging category, set its Log Severity Level to Info:

  • Choose Administration > System > Logging > Logging Categories.

  • Click the logging category for which syslogs must be generated.

  • From the Log Severity Level drop-down list, choose Info.

  • Click Save.

Report Name

Description

Logging Category

Audit

Adaptive Network Control Audit

The Adaptive Network Control Audit report is based on RADIUS accounting. It displays historical reporting of all the network sessions for each endpoint.

Choose Administration > System > Logging > Logging Categories and select Passed Authentications and RADIUS Accounting.

Administrator Logins

The Administrator Logins report provides information about all the GUI-based administrator login events as well as successful CLI login events.

Choose Administration > System > Logging > Logging Categories, and click Administrative and Operational Audit.

Change Configuration Audit

The Change Configuration Audit report provides details about configuration changes within a specified time period. If you need to troubleshoot a feature, this report can help you determine if a recent configuration change contributed to the problem.

Choose Administration > System > Logging > Logging Categories, and click Administrative and Operational Audit.

Data Purging Audit

The Data Purging Audit report records when the logging data is purged.

This report reflects two sources of data purging.

At 4 a.m. daily, Cisco ISE checks whether there are any logging files that meet the criteria you have set on the Administration > Maintenance > Data Purging window. If yes, the files are deleted and recorded in this report. Additionally, Cisco ISE continually maintains a maximum of 80 percent used storage space (threshold) for the log files. Every hour, Cisco ISE verifies this percentage and deletes the oldest data until this threshold is reached again. This information is also recorded in this report.

If there is high disk space utilization, an alert message stating “ISE Monitor node(s) is about to exceed the maximum amount allocated” is displayed at 80 percent of the threshold, that is, 60 percent of total disk space. Subsequently, an alert message stating “ISE Monitor node(s) has exceeded the maximum amount allocated” is displayed at 90 percent of the threshold, that is, 70 percent of the total disk space.

Endpoints Purge Activities

The Endpoints Purge Activities report enables a user to review the history of endpoints purge activities. This report requires that the Profiler logging category is enabled. (Note that this category is enabled by default.)

Choose Administration > System > Logging > Logging Categories and select Profiler.

Internal Administrator Summary

The Internal Administrator Summary report enables you to verify the entitlement of administrator users. From this report, you can also access the Administrator Logins and Change Configuration Audit reports, which enables you to view these details for each administrator.

Operations Audit

The Operations Audit report provides details about any operational changes, such as running backups, registering a Cisco ISE node, or restarting an application.

Choose Administration > System > Logging > Logging Categories and select Administrative and Operational Audit.

pxGrid Administrator Audit

The pxGrid Administrator Audit report provides details of the pxGrid administration actions, such as client registration, client deregistration, client approval, topic creation, topic deletion, publisher-subscriber addition, and publisher-subscriber deletion on the Primary PAN.

Every record has the name of the administrator who has performed the action on the node.

You can filter the pxGrid Administrator Audit report based on the administrator and message criteria.

Secure Communications Audit

The Secure Communications Audit report provides auditing details about security-related events in Cisco ISE Admin CLI, which includes authentication failures, possible break-in attempts, SSH logins, failed passwords, SSH logouts, invalid user accounts, and so on.

User Change Password Audit

The User Change Password Audit report displays verification about employees' password changes.

Device Administration

TACACS Authentication Summary

The TACACS Authentication Summary report provides details about the most common authentications, and the reason for authentication failures.

TACACS Accounting

The TACACS Accounting report provides accounting details for a device session. It displays information related to the generated and logged time of the users and devices.

Choose Administration > System > Logging > Logging Categories, and click TACACS Accounting.

Top N Authentication by Failure Reason

The Top N Authentication by Failure Reason report displays the total number of authentications by failure reason for a specific period, based on the selected parameters.

Top N Authentication by Network Device

The Top N Authentication by Network Device report displays the number of passed and failed authentications by network device name for a specific period, based on the selected parameters.

Top N Authentication by User

The Top N Authentication by User report displays the number of passed and failed authentications by the user name for the specific period based on the selected parameters.

Diagnostics

AAA Diagnostics

The AAA Diagnostics report provides details of all the network sessions between Cisco ISE and users. If users cannot access the network, you can review this report to identify trends and identify whether the issue is isolated to a particular user or indicative of a more widespread problem.

Note

 
Sometimes ISE will silently drop the Accounting Stop request of an endpoint if user authentication is in progress. However, ISE starts acknowledging all the accounting requests after user authentication is completed.

Choose Administration > System > Logging > Logging Categories, and select the following logging categories: Policy Diagnostics, Identity Stores Diagnostics, Authentication Flow Diagnostics, and RADIUS Diagnostics.

AD Connector Operations

The AD Connector Operations report provides a log of operations performed by the AD Connector, such as Cisco ISE Server password refresh, Kerberos tickets management, DNS queries, DC discovery, LDAP, RPC Connections management, and so on.

If some AD failures are encountered, you can review the details in this report to identify the possible causes.

Choose Administration > System > Logging > Logging Categories, and select AD Connector.

Endpoint Profile Changes

The Top Authorization by Endpoint (MAC address) report displays how many times each endpoint MAC address was authorized by Cisco ISE to access the network.

In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Logging > Logging Categories, and select Passed Authentications and Failed Attempts.

Health Summary

The Health Summary report provides details similar to the Dashboard. However, the Dashboard only displays data for the past 24 hours. Also, you can review more historical data using this report.

You can evaluate this data to see consistent patterns in data. For example, you would expect heavier CPU usage when most employees start their work days. If you see inconsistencies in these trends, you can identify potential problems.

The CPU Usage table lists the percentage of CPU usage for the different Cisco ISE functions. The output of the show cpu usage CLI command is presented in this table and you can correlate these values with the issues in your deployment to identify possible causes.

ISE Counters

The ISE Counters report lists the threshold values for various attributes. The values for these different attributes are collected at different intervals and the data is presented in a tabular format; one at 5-minute interval and another after 5 minutes.

You can evaluate this data to see the trend, and if you find values that are higher than the threshold, you can correlate this information with the issues in your deployment to identify possible causes.

By default, Cisco ISE collects the values for these attributes. You can choose to disable this data collection from the Cisco ISE CLI using the application configure ise command. Choose option 14 to enable or disable counter attribute collection.

Key Performance Metrics

The Key Performance Metrics report provides statistical information about the number of endpoints that connect to your deployment and the amount of RADIUS requests that are processed by each of the PSNs on an hourly basis. This report lists the average load on the server, average latency per request, and the average transactions per second.

Misconfigured NAS

The Misconfigured NAS report provides information about NADs with inaccurate accounting frequency, typically when sending accounting information frequently. If you have taken corrective actions and fixed the misconfigured NADs, the report displays a fixed acknowledgment.

Note

 
RADIUS Suppression should be enabled to run this report.

Misconfigured Supplicants

The Misconfigured Supplicants report provides a list of misconfigured supplicants, along with statistics on the failed attempts made by a specific supplicant. If you have taken corrective actions and fixed the misconfigured supplicant, the report displays a fixed acknowledgment.

Note

 
RADIUS Suppression should be enabled to run this report.

Network Device Session Status

The Network Device Session Status Summary report enables you to display switch configuration without logging in to the switch directly.

Cisco ISE accesses these details using an SNMP query and requires that your network devices are configured with SNMP v1 or v2c.

If a user is experiencing network issues, this report can help you identify if the issue is related to switch configuration or with Cisco ISE.

OCSP Monitoring

The OCSP Monitoring Report specifies the status of the Online Certificate Status Protocol (OCSP) services. It identifies whether Cisco ISE can successfully contact a certificate server, and provides certificate status auditing. It also provides a summary of all the OCSP certificate-validation operations performed by Cisco ISE. It retrieves information related to the good and revoked primary and secondary certificates from the OCSP server. Cisco ISE caches the responses and utilizes them for generating subsequent OCSP Monitoring Reports. In the event the cache is cleared, it retrieves information from the OCSP server.

Choose Administration > System > Logging > Logging Categories, and select System Diagnostics.

RADIUS Errors

The RADIUS Errors report enables you to check for RADIUS Requests Dropped (authentication or accounting requests that are discarded from unknown Network Access Device), EAP connection time outs, and unknown NADs.

Note

 

You can view the report only for the past 5 days.

Choose Administration > System > Logging > Logging Categories, and select Failed Attempts.

System Diagnostics

The System Diagnostic report provides details about the status of the Cisco ISE nodes. If a Cisco ISE node is unable to register, you can review this report to troubleshoot the issue.

This report requires that you first enable several diagnostic logging categories. Collecting these logs can negatively impact Cisco ISE performance. So, these categories are not enabled by default, and you should enable them just long enough to collect the data. Otherwise, they are automatically disabled after 30 minutes.

Choose Administration > System > Logging > Logging Categories, and select the following logging categories: Internal Operations Diagnostics, Distributed Management, and Administrator Authentication and Authorization.

Endpoints and Users

Authentication Summary

The Authentication Summary report is based on the RADIUS authentications. It enables you to identify the most common authentications and the reason for authentication failures, if any. For example, if one Cisco ISE server is handling significantly more authentications than others, you might want to reassign users to different Cisco ISE servers to better balance the load.

Note

 
Because the Authentication Summary report or dashboard collects and displays the latest data corresponding to failed or passed authentications, the contents of the report appear after a delay of a few minutes.

Client Provisioning

The Client Provisioning report indicates the client provisioning agents applied to particular endpoints. You can use this report to verify the policies applied to each endpoint, and in turn, use this to verify whether the endpoints have been correctly provisioned.

Note

 
The MAC address of an endpoint is not displayed in the Endpoint ID column if the endpoint does not connect with ISE (no session is established), or if a Network Address Translation (NAT) address is used for the session.

Choose Administration > System > Logging > Logging Categories, and select Posture and Client Provisioning Audit and Posture and Client Provisioning Diagnostics.

Current Active Sessions

The Current Active Sessions report enables you to export a report with details about who is on the network within a specified time period.

If a user isn't getting network access, you can see whether the session is authenticated or terminated, or if there is another problem with the session.

External Mobile Device Management

The External Mobile Device Management report provides details about integration between Cisco ISE and the external Mobile Device Management (MDM) server.

You can use this report to see which endpoints have been provisioned by the MDM server without logging into the MDM server directly. It also displays information such as registration and MDM-compliance status.

Choose Administration > System > Logging > Logging Categories and select MDM.

Passive ID

The Passive ID report enables you to monitor the state of the WMI connection to the domain controller and gather statistics related to it (such as the number of notifications received, the number of user logins and logouts per second, and so on).

Note

 

Sessions authenticated by this method do not have authentication details in the report.

Choose Administration > System > Logging > Logging Categories and select Identity Mapping.

Manual Certificate Provisioning

The Manual Certificate Provisioning report lists all the certificates that are provisioned manually via the certificate provisioning portal.

Posture Assessment by Condition

The Posture Assessment by Condition report enables you to view records based on the posture policy condition configured in ISE to validate that the most up-to-date security settings or applications are available on client machines.

Posture Assessment by Endpoint

The Posture Assessment by Endpoint report provides detailed information, such as the time, status, and PRA Action, of an endpoint. You can click Details to view further information of an endpoint.

Note

 
The Posture Assessment by Endpoint report does not provide posture policy details of applications and hardware attributes of an endpoint. You can view this information only in the Context Visibility page.

Profiled Endpoints Summary

The Profiled Endpoints Summary report provides profiling details about endpoints that are accessing the network.

Note

 
For endpoints that do not register a session time, such as a Cisco IP-Phone, the term Not Applicable is shown in the Endpoint session time field.

Choose Administration > System > Logging > Logging Categories and select Profiler.

RADIUS Accounting

The RADIUS Accounting report identifies how long users have been on the network. If users are losing network access, you can use this report to identify whether Cisco ISE is the cause of the network connectivity issues.

Note

 

Radius accounting interim updates are included in the RADIUS Accounting report if the interim updates contain information about the changes to the IPv4 or IPv6 addresses for the given sessions.

Choose Administration > System > Logging > Logging Categories and select RADIUS Accounting.


RADIUS Authentications

The RADIUS Authentications report enables you to review the history of authentication failures and successes. If users cannot access the network, you can review the details in this report to identify possible causes.

Choose Administration > System > Logging > Logging Categories and select these logging categories: Passed Authentications and Failed Attempts.

Registered Endpoints

The Registered Endpoints report displays all personal devices registered by employees.

Rejected Endpoints

The Rejected Endpoints report lists all rejected or released personal devices that are registered by employees. The data for this report will be available only when you install the Plus license.

Supplicant Provisioning

The Supplicant Provisioning report provides details about the supplicants provisioned to employees' personal devices.

Posture and Client Provisioning Audit

Top Authorizations by Endpoint

The Top Authorization by Endpoint (MAC address) report displays how many times each endpoint MAC address was authorized by Cisco ISE to access the network.

Passed Authentications, Failed Attempts

Top Authorizations by User

The Top Authorization by User report displays how many times each user was authorized by Cisco ISE to access the network.

Passed Authentications, Failed Attempts

Top N Authentication by Access Service

The Top N Authentication by Access Service report displays the number of passed and failed authentications by the access service type for the specific period based on the selected parameters.

Top N Authentication by Failure Reason

The Top N Authentication by Failure Reason report displays the total number of authentications by failure reason for the specific period based on the selected parameters.

Top N Authentication by Network Device

The Top N Authentication by Network Device report displays the number of passed and failed authentications by the network device name for the specific period based on the selected parameters.

Top N Authentication by User

The Top N Authentication by User report displays the number of passed and failed authentications by the user name for the specific period based on the selected parameters.

Guest

AUP Acceptance Status

The AUP Acceptance Status report provides details of AUP acceptances from all the Guest portals.

Choose Administration > System > Logging > Logging Categories and select Guest.

Guest Accounting

The Guest Accounting report is a subset of the RADIUS Accounting report. All users assigned to the Activated Guest or Guest identity groups appear in this report.

Master Guest Report

The Master Guest Report combines data from various Guest Access reports and enables you to export data from different reporting sources. The Master Guest report also provides details about the websites that guest users are visiting. You can use this report for security auditing purposes to demonstrate when guest users accessed the network and what they did on it.

You must also enable HTTP inspection on the network access device (NAD) used for guest traffic. This information is sent back to Cisco ISE by the NAD.

To check when the clients reach the maximum simultaneous sessions limit, from the Admin portal, choose Administration > System > Logging > Logging Categories and do the following:

  1. Increase the log level of "Authentication Flow Diagnostics" logging category from WARN to INFO.

  2. Change LogCollector Target from Available to Selected under the "Logging Category" of AAA Diagnostics.

Choose Administration > System > Logging > Logging Categories and select Passed Authentications.

My Devices Login and Audit

The My Devices Login and Audit report provides details about the login activities and the operations performed by the users on the devices in My Devices Portal.

Choose Administration > System > Logging > Logging Categories and select My Devices.

Sponsor Login and Audit

The Sponsor Login and Audit report provides details of guest users' login, add, delete, enable, suspend and update operations and the login activities of the sponsors at the sponsors portal.

If guest users are added in bulk, they are visible under the column 'Guest Users.' This column is hidden by default. On export, these bulk users are also present in the exported file.

Choose Administration > System > Logging > Logging Categories and select Guest.

SXP

SXP Binding

The SXP Binding report provides information about the IP-SGT bindings that are exchanged over an SXP connection.

SXP Connection

You can use this report to monitor the status of an SXP connection and gather information related to it, such as peer IP, SXP node IP, VPN name, SXP mode, and so on.

Trustsec

RBACL Drop Summary

The RBACL Drop Summary report is specific to the TrustSec feature, which is available only with an Advanced Cisco ISE license.

This report also requires that you configure the network devices to send NetFlow events for dropped events to Cisco ISE.

If a user violates a particular policy or access, packets are dropped and indicated in this report.

Note

 
Flows for RBACL dropped packets are available only with the Cisco Catalyst 6500 series switches.

Top N RBACL Drops By User

The Top N RBACL Drops By User report is specific to the TrustSec feature, which is available only with an Advanced Cisco ISE license.

This report also requires that you configure the network devices to send NetFlow events for dropped events to Cisco ISE.

This report displays policy violations (based on packet drops) by specific users.

Note

 
Flows for RBACL dropped packets are available only with the Cisco Catalyst 6500 series switches.

TrustSec ACI

This report lists the SGTs and SXP mappings that are synchronized with the IEPGs, EEPGs, endpoints, and subnet configuration of APIC. These details are displayed only if the TrustSec APIC integration feature is enabled.

TrustSec Deployment Verification

You can use this report to verify whether the latest TrustSec policies are deployed on all network devices or if there are any discrepancies between the policies configured in Cisco ISE and the network devices.

Click the Details icon to view the results of the verification process. You can view the following details:

  • When the verification process started and completed

  • Whether the latest TrustSec policies are successfully deployed on the network devices. You can also view the names and IP addresses of the network devices on which the latest TrustSec policies are deployed.

  • Whether there are any discrepancies between the policies configured in Cisco ISE and the network devices. It displays the device name, IP address, and the corresponding error message for each policy difference.

You can view the TrustSec Deployment Verification alarms in the Alarms dashlet (under Work Centers > TrustSec > Dashboard and Home > Summary).

Note

 
  • The time taken for reporting depends on the number of network devices and TrustSec groups in your deployment.

  • The error message length in the TrustSec Deployment Verification report is currently limited to 480 characters. Error messages with more than 480 characters will be truncated and only the first 480 characters will be displayed in the report.

Trustsec Policy Download

This report lists the requests sent by the network devices for policy (SGT/SGACL) download and the details sent by ISE. If the Workflow mode is enabled, the requests can be filtered for production or staging matrix.

To view this report, you must do the following:
  1. Choose Administration > System > Logging > Logging Categories.

  2. Choose AAA Diagnostics > RADIUS Diagnostics.

  3. Set the Log Severity Level to DEBUG for RADIUS Diagnostics.

Threat Centric NAC Service

Adapter Status

The Adapter Status report displays the status of the threat and vulnerability adapters.

COA Events

When a vulnerability event is received for an endpoint, Cisco ISE triggers CoA for that endpoint. The CoA Events report displays the status of these CoA events. It also displays the old and new authorization rules and the profile details for these endpoints.

Threat Events

The Threat Events report provides a list of all the threat events that Cisco ISE receives from the various adapters that you have configured.

Vulnerability Assessment

The Vulnerability Assessment report provides information about the assessments that are happening for your endpoints. You can view this report to check if the assessment is happening based on the configured policy.

RADIUS Live Logs

The following table describes the fields in the Live logs window that displays the recent RADIUS authentications. The navigation path for this page is: Operations > RADIUS > Live Logs. Note that you can view the RADIUS live logs only in the Primary PAN.

Table 1. RADIUS Live Logs

Field Name

Description

Time

Shows the time at which the log was received by the monitoring and troubleshooting collection agent. This column is required and cannot be deselected.

Status

Shows if the authentication succeeded or failed. This column is mandatory and cannot be deselected. Green is used to represent passed authentications. Red is used to represent failed authentications.

Details

Clicking the icon under the Details column opens the Authentication Detail Report in a new browser window. This report offers information about authentication and related attributes, and authentication flow.

Clicking the icon under the Details column opens the Accounting Detail report if an accounting event is processed for that session. If the session is in the authenticated state, the Authentication Detail report is displayed when you click the icon under the Details column.

The Response Time in the Authentication Detail report is the total time taken by Cisco ISE to process the authentication flow. For example, if authentication consists of three roundtrip messages that took 300 ms for the initial message, 150 ms for the next message, and 100 ms for the last, Response Time is 300 + 150 + 100 = 550 ms.

Note

 

You cannot view the details for endpoints that are active for more than 48 hours. You will see a window with the following message when you click the Details icon for endpoints that are active for more than 48 hours: No Data available for this record. Either the data is purged or authentication for this session record happened a week ago. Or if this is an 'PassiveID' or 'PassiveID Visibility' session, it will not have authentication details on ISE but only the session.

Repeat Count

Shows the number of times the authentication requests were repeated in the last 24 hours, without any change in the context of identity, network devices, and authorization.

Identity

Shows the logged in username that is associated with the authentication.

If the username is not present in any ID Store, it is displayed as INVALID. If the authentication fails due to any other reason, it is displayed as USERNAME.

Note

 

This is applicable only for users, and not for MAC addresses.

To aid in debugging, you can force Cisco ISE to display invalid usernames. Check the Disclose Invalid Usernames check box under Administration > System > Settings > Protocols > RADIUS > Suppression & Reports > Authentication Details. This option is disabled automatically after 30 minutes.

Endpoint ID

Shows the unique identifier for an endpoint, usually a MAC or IP address.

Endpoint Profile

Shows the type of endpoint that is profiled, for example, profiled to be an iPhone, Android, MacBook, Xbox, and so on.

Authentication Policy

Shows the name of the policy selected for specific authentication.

Authorization Policy

Shows the name of the policy selected for specific authorization.

Authorization Profiles

Shows the authorization profile that was used for authentication.

IP Address

Shows the IP address of the endpoint device.

Network Device

Shows the IP address of the Network Access Device.

Device Port

Shows the port number at which the endpoint is connected.

Identity Group

Shows the identity group that is assigned to the user or endpoint, for which the log was generated.

Posture Status

Shows the status of posture validation and details on the authentication.

Server

Indicates the policy service from which the log was generated.

MDM Server Name

Shows the name of the MDM server.

Event

Shows the event status.

Failure Reason

Shows the detailed reason for failure, if the authentication failed.

Auth Method

Shows the authentication method that is used by the RADIUS protocol, such as Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAPv2), IEEE 802.1x or dot1x, and so on.

Authentication Protocol

Shows the authentication protocol used, such as Protected Extensible Authentication Protocol (PEAP), Extensible Authentication Protocol (EAP), and so on.

Security Group

Shows the group that is identified by the authentication log.

Session ID

Shows the session ID.


Note


In the RADIUS Live Logs and TACACS+ Live Logs window, a Queried PIP entry appears for the first attribute of each policy authorization rule. If all the attributes within the authorization rule are related to a dictionary that was already queried for previous rules, no additional Queried PIP entry appears.


You can do the following in the RADIUS Live Logs window:

  • Export the data in CSV or PDF format.

  • Show or hide the columns based on your requirements.

  • Filter the data using the quick or custom filter. You can also save your filters for later use.

  • Rearrange the columns and adjust the width of the columns.

  • Sort the column values.


Note


All the user customizations are stored as user preferences.
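One way to triage a CSV export of the RADIUS Live Logs offline, as an added example that is not Cisco code: it totals failed authentications by Failure Reason and Network Device, counts repeats through Repeat Count, and groups by Endpoint ID when the Identity column shows the INVALID or USERNAME placeholder. The sample rows, the header names (taken from Table 1), and the Pass/Fail text of the Status column are assumptions.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample standing in for a RADIUS Live Logs CSV export.
# Assumptions: header names equal the Table 1 field names, Status is
# exported as "Pass"/"Fail", and the failure-reason text is made up.
SAMPLE_EXPORT = """\
Time,Status,Repeat Count,Identity,Endpoint ID,Network Device,Failure Reason
2024-01-10 09:00:01,Fail,4,INVALID,AA:BB:CC:00:00:01,sw-access-1,unknown user
2024-01-10 09:00:09,Fail,0,USERNAME,AA:BB:CC:00:00:01,sw-access-1,wrong password
2024-01-10 09:01:12,Fail,0,alice,AA:BB:CC:00:00:02,sw-access-1,wrong password
2024-01-10 09:01:40,Fail,0,alice,AA:BB:CC:00:00:03,wlc-hq,wrong password
2024-01-10 09:02:05,Fail,1,alice,AA:BB:CC:00:00:04,wlc-hq,wrong password
2024-01-10 09:02:30,Pass,0,bob,AA:BB:CC:00:00:05,sw-access-1,
2024-01-10 09:03:00,Fail,0,bob,AA:BB:CC:00:00:05,sw-access-1,certificate expired
"""

# Placeholders shown in the Identity column when the real name is hidden.
MASKED_IDENTITIES = {"INVALID", "USERNAME", ""}


def load_rows(text):
    """Parse the export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def subject_of(row):
    """Name the failing party: the identity, or the endpoint if it is masked."""
    identity = (row.get("Identity") or "").strip()
    if identity.upper() in MASKED_IDENTITIES:
        return "endpoint:" + (row.get("Endpoint ID") or "").strip().upper()
    return "user:" + identity


def attempts_in(row):
    """One logged request plus the repeats that were folded into it."""
    try:
        return 1 + max(0, int(row.get("Repeat Count") or 0))
    except ValueError:
        return 1  # non-numeric cell: count the logged request only


def triage(rows, min_attempts=3, min_endpoints=3):
    """Summarise failed authentications and flag subjects worth a look."""
    by_reason = Counter()
    by_subject = Counter()
    by_device = Counter()
    endpoints = defaultdict(set)
    for row in rows:
        if (row.get("Status") or "").strip().lower() != "fail":
            continue
        n = attempts_in(row)
        subject = subject_of(row)
        by_reason[(row.get("Failure Reason") or "").strip() or "(none)"] += n
        by_subject[subject] += n
        by_device[(row.get("Network Device") or "").strip()] += n
        endpoints[subject].add((row.get("Endpoint ID") or "").strip().upper())
    flagged = {}
    for subject, count in by_subject.items():
        reasons = []
        if count >= min_attempts:
            reasons.append(f"{count} failed attempts")
        # One named user failing from many endpoints suggests guessed or
        # shared credentials; masked subjects are already keyed by endpoint.
        if subject.startswith("user:") and len(endpoints[subject]) >= min_endpoints:
            reasons.append(f"{len(endpoints[subject])} distinct endpoints")
        if reasons:
            flagged[subject] = reasons
    return {
        "by_reason": by_reason.most_common(),
        "by_device": by_device.most_common(),
        "flagged": flagged,
    }


if __name__ == "__main__":
    report = triage(load_rows(SAMPLE_EXPORT))
    for section, value in report.items():
        print(section, value)
```

The thresholds are illustrative defaults; tune them to the normal failure rate of the deployment before alerting on the flagged subjects.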


Authentication Latency

Authentication Latency is the average response time of the RADIUS authentication process from the time the authentication process is initiated. You can view the Cisco ISE authentication latency from the Dashboard > System Summary dashlet.

You can select the following authentication latency timeframe from the drop-down list:

  • 60 mins: This option gives you the authentication latency for the authentication process that was initiated in the last 60 mins.

  • 12 hrs: This option gives you the authentication latency for the authentication process that was initiated in the last 24 hrs.

The response time is displayed in milliseconds (ms). You can also view a detailed report of authentication latency under Operations > RADIUS > Live Logs. Click the latest log to view the authentication latency.

RADIUS Live Sessions

The following table describes the fields in the RADIUS Live Sessions window, which displays live authentications. The navigation path for this page is: Operations > RADIUS > Live Sessions. You can view the RADIUS live sessions only in the Primary PAN.

Table 2. RADIUS Live Sessions

Field Name

Description

Initiated

Shows the timestamp when the session was initiated.

Updated

Shows the timestamp when the session was last updated because of a change.

Account Session Time

Shows the time span (in seconds) of a user's session.

Session Status

Shows the current status of an endpoint device.

Action

Click the Actions icon to reauthenticate an active RADIUS session or disconnect an active RADIUS session.

Repeat Count

Shows the number of times a user or endpoint is reauthenticated.

Endpoint ID

Shows the unique identifier for an endpoint, usually a MAC or IP address.

Identity

Shows the username of an endpoint device.

IP Address

Shows the IP address of an endpoint device.

Audit Session ID

Shows a unique session identifier.

Account Session ID

Shows a unique ID provided by a network device.

Endpoint Profile

Shows the endpoint profile for a device.

Posture Status

Shows the status of posture validation and details of the authentication.

Security Group

Shows the group that is identified by the authentication log.

Server

Indicates the Policy Service node from which the log was generated.

Auth Method

Shows the authentication method that is used by the RADIUS protocol, such as Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), IEEE 802.1x or dot1x, and so on.

Authentication Protocol

Shows the authentication protocol used, such as Protected Extensible Authentication Protocol (PEAP), Extensible Authentication Protocol (EAP), and so on.

Authentication Policy

Shows the name of the policy selected for specific authentication.

Authorization Policy

Shows the name of the policy selected for specific authorization.

Authorization Profiles

Shows an authorization profile that was used for authentication.

NAS IP Address

Shows the IP address of a network device.

Device Port

Shows the connected port to a network device.

PRA Action

Shows the periodic reassessment action taken on a client after it is successfully postured for compliance on your network.

ANC Status

Shows the Adaptive Network Control status of a device: Quarantine, Unquarantine, or Shutdown.

WLC Roam

Shows the Boolean (Y/N) used to track whether an endpoint has been handed off during roaming from one Wireless LAN Controller (WLC) to another. It has the value cisco-av-pair=nas-update=Y or N.

Note

 

Cisco ISE relies on the nas-update=true attribute from WLC to identify whether the session is in roaming state. When the original WLC sends an accounting stop attribute with nas-update=true, the session is not deleted in ISE to avoid reauthentication. If roaming fails, ISE clears the session after five days of inactivity.

Packets In

Shows the number of packets received.

Packets Out

Shows the number of packets sent.

Bytes In

Shows the number of bytes received.

Bytes Out

Shows the number of bytes sent.

Session Source

Indicates whether it is a RADIUS session or a Passive ID session.

User Domain Name

Shows the registered DNS name of a user.

Host Domain Name

Shows the registered DNS name of a host.

User NetBIOS Name

Shows the NetBIOS name of a user.

Host NetBIOS Name

Shows the NetBIOS name of a host.

License Type

Shows the type of license used: Base, Plus, Apex, or Plus and Apex.

License Details

Shows the license details.

Provider

Endpoint events are learned from different syslog sources. These syslog sources are referred to as providers.

  • Windows Management Instrumentation (WMI): WMI is a Windows service that provides a common interface and object model to access management information about operating system, devices, applications, and services.

  • Agent: A program that runs on a client on behalf of the client or another program.

  • Syslog: A logging server to which a client sends event messages.

  • REST: A client is authenticated through a terminal server. The TS Agent ID, Source Port Start, Source Port End, and Source First Port values are displayed for this syslog source.

  • Span: Network information is discovered using span probes.

  • DHCP: DHCP event.

  • Endpoint

Note

 

When two events from different providers are learned or obtained from an endpoint session, the providers are displayed as comma-separated values in the Live Sessions window.

MAC Address

Shows the MAC address of a client.

Endpoint Check Time

Shows the time at which an endpoint was last checked by the endpoint probe.

Endpoint Check Result

Shows the result of an endpoint probe. The possible values are:

  • Unreachable

  • User Logout

  • Active User

Source Port Start

(Values are displayed only for the REST provider) Shows the first port number in a port range.

Source Port End

(Values are displayed only for the REST provider) Shows the last port number in a port range.

Source First Port

(Values are displayed only for the REST provider) Shows the first port allocated by the Terminal Server Agent.

A Terminal Server refers to a server or network device that allows multiple endpoints to connect to it without a modem or network interface and facilitates the connection of the multiple endpoints to a LAN network. The multiple endpoints appear to have the same IP address, and therefore, it is difficult to identify the IP address of a specific user. Consequently, to identify a specific user, a Terminal Server Agent is installed on the server, which allocates a port range to each user. This helps create an IP address-port user mapping.

TS Agent ID

(Values are displayed only for the REST provider) Shows the unique identity of the Terminal Server Agent that is installed on an endpoint.

AD User Resolved Identities

(Values are displayed only for AD user) Shows the potential accounts that matched.

AD User Resolved DNs

(Values are displayed only for AD user) Shows the Distinguished Name of the AD user, for example, CN=chris,CN=Users,DC=R1,DC=com.
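The IP address-port user mapping described under Source First Port, sketched as an added example that is not Cisco code: users behind one terminal server share an IP address, so a session is attributed by finding the per-user port range (Source Port Start to Source Port End) that contains its source port. The class and field names, the address, and the port ranges are hypothetical and constructed for illustration.

```python
import bisect
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Allocation:
    """One user's port range on a terminal server (names are hypothetical)."""
    ts_agent_id: str
    user: str
    port_start: int
    port_end: int


class PortUserMap:
    """Resolve (terminal server IP, source port) to the user owning the port."""

    def __init__(self):
        self._ranges = {}  # server IP -> allocations sorted by port_start

    def add(self, server_ip, alloc):
        ip = str(ipaddress.ip_address(server_ip))  # validates and normalises
        if not 0 < alloc.port_start <= alloc.port_end <= 65535:
            raise ValueError(f"bad range {alloc.port_start}-{alloc.port_end}")
        ranges = self._ranges.setdefault(ip, [])
        i = bisect.bisect_left([a.port_start for a in ranges], alloc.port_start)
        # A port owned by two users would make the mapping ambiguous.
        if i > 0 and ranges[i - 1].port_end >= alloc.port_start:
            raise ValueError(f"{alloc.user} overlaps {ranges[i - 1].user}")
        if i < len(ranges) and ranges[i].port_start <= alloc.port_end:
            raise ValueError(f"{alloc.user} overlaps {ranges[i].user}")
        ranges.insert(i, alloc)

    def resolve(self, server_ip, src_port):
        """Return the matching Allocation, or None if no range covers the port."""
        ip = str(ipaddress.ip_address(server_ip))
        ranges = self._ranges.get(ip, [])
        i = bisect.bisect_right([a.port_start for a in ranges], src_port) - 1
        if i >= 0 and ranges[i].port_end >= src_port:
            return ranges[i]
        return None


def build_sample_map():
    """Constructed data: two users sharing one terminal server address."""
    m = PortUserMap()
    m.add("10.0.0.50", Allocation("ts-agent-01", "bob", 21000, 21999))
    m.add("10.0.0.50", Allocation("ts-agent-01", "alice", 20000, 20999))
    return m


if __name__ == "__main__":
    m = build_sample_map()
    for port in (20500, 21000, 22000):
        hit = m.resolve("10.0.0.50", port)
        print(port, hit.user if hit else "no user mapped")
```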

TACACS Live Logs

The following table describes the fields in the TACACS Live Logs window that displays the TACACS+ AAA details. The navigation path for this page is: Operations > TACACS > Live Logs. You can view the TACACS live logs only in the Primary PAN.

Table 3. TACACS Live Logs

Field Name

Usage Guidelines

Generated Time

Shows the syslog generation time based on when a particular event was triggered.

Logged Time

Shows the time when the syslog was processed and stored by the Monitoring node. This column is mandatory and cannot be deselected.

Status

Shows if the authentication succeeded or failed. This column is required and cannot be deselected. Green is used to represent passed authentications. Red is used to represent failed authentications.

Details

Brings up a report when you click the magnifying glass icon, allowing you to drill down and view more detailed information about the selected authentication scenario. This column is required and cannot be deselected.

Session Key

Shows the session keys (found in the EAP success or EAP failure messages) returned by ISE to the network device.

Username

Shows the user name of the device administrator. This column is required and cannot be deselected.

Type

Consists of two Types—Authentication and Authorization. Shows names of users who have passed or failed authentication, authorization, or both. This column is mandatory and cannot be deselected.

Authentication Policy

Shows the name of the policy selected for specific authentication.

Authorization Policy

Shows the name of the policy selected for specific authorization.

ISE Node

Shows the name of the ISE node through which the access request is processed.

Network Device Name

Shows the names of network devices.

Network Device IP

Shows the IP addresses of network devices whose access requests are processed.

Network Device Groups

Shows the name of corresponding network device groups to which a network device belongs.

Device Type

Shows the device type policy that is used to process access requests from different network devices.

Location

Shows the location-based policy that is used to process access requests from network devices.

Device Port

Shows the device port number through which the access request is made.

Failure Reason

Shows the reason for rejecting an access request that is made by a network device.

Remote Address

Shows the IP address, MAC address, or any other string that uniquely identifies the end station.

Matched Command Set

Shows the MatchedCommandSet attribute value if it is present, or an empty value if the MatchedCommandSet attribute value is empty or the attribute itself does not exist in the syslog.

Shell Profile

Shows the privileges that were granted to a device administrator for executing commands on the network device.

You can do the following in the TACACS Live Logs window:

  • Export the data in CSV or PDF format.

  • Show or hide the columns based on your requirements.

  • Filter the data using the quick or custom filter. You can also save your filters for later use.

  • Rearrange the columns and adjust the width of the columns.

  • Sort the column values.


Note


All the user customizations are stored as user preferences.

Export Summary

You can view the details of the reports exported by all the users in the last seven days, along with the status. The export summary includes both the manual and scheduled reports. The Export Summary window is automatically refreshed every two minutes. Click the Refresh icon to refresh the Export Summary window manually.

The super admin can cancel an export that is in the In-progress or Queued state. Other users are allowed to cancel only the export processes that they have initiated.

By default, only three manual exports of reports can run at a given point of time; the remaining triggered manual exports of reports are queued. There are no such limits for the scheduled export of reports.

The following table describes the fields in the Export Summary window. The navigation path for this page is: Operations > Reports > Export Summary.

Table 4. Export Summary

Field Name

Description

Report Exported

Displays the name of the report.

Exported By

Shows the role of the user who initiated the export process.

Scheduled

Shows whether the report export is a scheduled one.

Triggered On

Shows the time at which the export process has been triggered in the system.

Repository

Displays the name of the repository where the exported data will be stored.

Filter Parameters

Shows the filter parameters selected while exporting the report.

Status

Shows the status of the exported reports. It can be one of the following:

  • Queued

  • In-progress

  • Completed

  • Cancellation-in-progress

  • Cancelled

  • Failed

  • Skipped

Note

 
Failed status indicates the reason for failure. Skipped status indicates that the scheduled export of reports is skipped because the primary MnT node is down.

You can do the following in the Export Summary window:

  • Show or hide the columns based on your requirements.

  • Filter the data using quick or custom filter. You can also save your filters for later use.

  • Rearrange the columns and adjust the width of the columns.