Solved: Failed Authentication Report with Endpoint IP

bilclay · ‎11-16-2017

ISE Teams,

What is the best report to export a De-duplicated list of 5,000+ endpoint IPs that are failing authentication?

My customer needs:

Export over 5000 logs
Logs with similar endpoint MAC de-duplicated
Shows endpoint IP address

This is help with switch from monitor or low-impact mode.

Thanks!

Bill III

hslai · ‎11-16-2017

Many network devices (e.g. Cisco WLC) would not allow DHCP until auth success. Anyhow, after exporting the reports to a CSV in a repo, we may use UNIX/Linux/BSD/macOS CLI commands awk and "sort -uf" to get unique data in a field; e.g. I exported a report on RADIUS error to my repository and then use the following to

awk -v FPAT="([^,]+)|(\"[^\"]+\")" '{print $20}' RptExp_testAdmin_RADIUS_Errors_2017-11-16_13-30-00.000000040.csv | sort -uf

View solution in original post

hslai · ‎11-16-2017

Many network devices (e.g. Cisco WLC) would not allow DHCP until auth success. Anyhow, after exporting the reports to a CSV in a repo, we may use UNIX/Linux/BSD/macOS CLI commands awk and "sort -uf" to get unique data in a field; e.g. I exported a report on RADIUS error to my repository and then use the following to

awk -v FPAT="([^,]+)|(\"[^\"]+\")" '{print $20}' RptExp_testAdmin_RADIUS_Errors_2017-11-16_13-30-00.000000040.csv | sort -uf

bilclay · ‎11-20-2017

Thanks that solves de-duplication (somewhat) and the IP problem. Is there anyway to export more than 1000 failed authentication logs from ISE at a single point in time?