ISE reporting questions

jonbrown
Cisco Employee

Greetings, customer is looking for the following information from ISE, working with the partner we came up with the text in red. Can you confirm we've vetted out all the possibilities? There may be other software (like Prime or a syslog server) which gives them information, but they want it from ISE so they can react.

  • ISE configuration is removed from a network switch port that was ISE enabled previously
    • ISE cannot provide any report/alert of this event. Is this on the roadmap?
  • A computer has plugged into a port not configured for ISE -
    • ISE cannot provide any report/alert of this event.
  • A non-corporate asset has been plugged into an ISE port.
    • Can be done but may give you false positives. (Customer has devices that don't support certificates.) I believe we could create a rule to check if the device is part of an AD group?
  • A generated monthly report of all ports that do not have ISE enabled.
    • Can be done in real time by ISE, could run an operations report for device status. Would show ports without an ISE configuration as NA. see attachment. I think this requires SNMP for ISE to query the switch ports for this. Can this report be automated to run monthly?

Thanks!

jb

Accepted Solutions

Nidhi
Cisco Employee

Hi Jb,

Please see the answers inline (blue) for the response I received from the team on this query.

  • ISE configuration is removed from a network switch port that was ISE enabled previously
    • ISE cannot provide any report/alert of this event. Is this on the roadmap?

There are no such reports for this event. But we can go to the troubleshooting page and check the configuration for the network switch.

Please check with the PM team about the roadmap for this.

  • A computer has plugged into a port not configured for ISE -
    • ISE cannot provide any report/alert of this event.

True, ISE cannot provide any report for this.

  • A non-corporate asset has been plugged into an ISE port.
    • Can be done but may give you false positives. (Customer has devices that don't support certificates.) I believe we could create a rule to check if the device is part of an AD group?

BYOD flow is there. And we do have a couple of reports in the BYOD section in the reports.

  • A generated monthly report of all ports that do not have ISE enabled.
    • Can be done in real time by ISE, could run an operations report for device status. Would show ports without an ISE configuration as NA. see attachment. I think this requires SNMP for ISE to query the switch ports for this. Can this report be automated to run monthly?

For this particular report we don’t have an option to schedule it.

Thanks,

Nidhi

3 Replies

Thank you!

hslai
Cisco Employee

Please keep in mind that ISE is not to be used for configuring or auditing the configurations on network devices. You should seek other tools, such as PI, DNA-C, or ISE Deployment Assistant (IDA), to do that.
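
The thread's first and last requests (ISE configuration removed from a port, and a periodic list of ports without it) come down to auditing switch configuration outside ISE. The sketch below is an added example, not part of the thread and not Cisco code. It assumes running-config text is collected by some other tool, and that `authentication port-control auto` or `dot1x port-control auto` on an interface is what marks a port as ISE enabled.

```python
import re

# Interface commands taken to mean "this port is under 802.1X/MAB control".
# Assumption: either form is enough to count a port as ISE enabled.
NAC_MARKERS = ("authentication port-control auto", "dot1x port-control auto")

def parse_interfaces(config):
    """Map interface name -> list of its sub-commands from a running-config."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command closes the stanza
    return interfaces

def nac_ports(config):
    """Interfaces that carry one of the NAC marker commands."""
    return {name for name, cmds in parse_interfaces(config).items()
            if any(c in NAC_MARKERS for c in cmds)}

def unprotected_access_ports(config):
    """Access ports that are not shut down and have no NAC marker."""
    protected = nac_ports(config)
    return sorted(n for n, cmds in parse_interfaces(config).items()
                  if "switchport mode access" in cmds
                  and "shutdown" not in cmds and n not in protected)

def nac_removed(old_config, new_config):
    """Ports that had a NAC marker in the old snapshot but not in the new."""
    return sorted(nac_ports(old_config) - nac_ports(new_config))

# Constructed sample snapshots (not taken from any real device).
SAMPLE_OLD = """\
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
!
interface GigabitEthernet1/0/2
 switchport mode access
!
interface GigabitEthernet1/0/24
 switchport mode trunk
"""
SAMPLE_NEW = SAMPLE_OLD.replace(" authentication port-control auto\n", "")

if __name__ == "__main__":
    print("unprotected now:", unprotected_access_ports(SAMPLE_NEW))
    print("NAC removed since last snapshot:", nac_removed(SAMPLE_OLD, SAMPLE_NEW))
```

Run against each month's snapshots, `unprotected_access_ports` gives the periodic report and `nac_removed` flags ports whose configuration was taken off since the previous run.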
