Cisco ISE
LogZilla App Store application: Cisco ISE
Overview
Cisco Identity Services Engine (ISE) is a network administration product that enables the creation and enforcement of security and access policies for endpoint devices connected to organizational routers and switches. ISE simplifies identity management across diverse devices and applications.
App Function
The Cisco ISE app performs step translation to improve log readability. Cisco
ISE log messages contain authentication and authorization events composed of
multiple processing steps. These steps are represented as numeric Step= fields
with associated StepData= values in the original logs.
The ISE app transforms these numeric step references into human-readable step
names with associated data. The app removes the numeric Step= and StepData=
fields from the message text and appends an ordered sequence of descriptive step
names with their corresponding data, making the logs substantially more readable
and comprehensible.
Vendor Documentation
- Cisco Identity Services Engine
- Logging (Cisco Identity Services Engine)
- Introduction to Cisco ISE Syslogs
Incoming Log Format
Cisco ISE logs use syslog format with fixed header fields (date-timestamp,
numeric IDs, and event summaries) followed by extensive key/value pairs. Each
key and value is separated by =, and pairs are separated by commas and spaces.
Parsed Metadata Fields
The Cisco ISE app does not create user tags. The app's primary function is to
parse Step= and StepData= fields and translate them into readable text. Each
numeric step ID is looked up in a reference list to determine the corresponding
step name.
Example of Enhanced Log Output:
The app transforms numeric step sequences into descriptive text. Below is a sample of the enhanced log message format:
(...) [email protected], Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, Response={RadiusPacketType=AccessReject; } Steps: 11001) RADIUS Diagnostics: Received RADIUS Access-Request 11017) RADIUS Diagnostics: RADIUS created a new session 15049) Policy Diagnostics: Evaluating Policy Group 15008) Policy Diagnostics: Evaluating Service Selection Policy 15048) Policy Diagnostics: Queried PIP (data:) DEVICE.Location (...)
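The step translation described above, as an added Python example; it is not the LogZilla app's own code. The step names come from the sample output on this page; the zero-based StepData index (inferred from the sample log), the `Unknown step` fallback, the function name `translate_steps` and the shortened sample line are assumptions made for illustration.

```python
import re

# Step names copied from the enhanced-output sample on this page. The app's
# full reference list is not shown there, so other IDs get a fallback label.
STEP_NAMES = {
    "11001": "RADIUS Diagnostics: Received RADIUS Access-Request",
    "11017": "RADIUS Diagnostics: RADIUS created a new session",
    "15049": "Policy Diagnostics: Evaluating Policy Group",
    "15008": "Policy Diagnostics: Evaluating Service Selection Policy",
    "15048": "Policy Diagnostics: Queried PIP",
}

PAIR_SEP = re.compile(r"(?<!\\),\s*")      # comma, unless backslash-escaped
STEP = re.compile(r"Step=(\d+)$")
STEP_DATA = re.compile(r"StepData=(\d+)=(.*)$")

def translate_steps(message):
    """Remove Step=/StepData= pairs and append a readable step sequence."""
    kept, steps, data = [], [], {}
    for part in PAIR_SEP.split(message):
        part = part.strip()
        if m := STEP.match(part):
            steps.append(m.group(1))
        elif m := STEP_DATA.match(part):
            # Assumption: the StepData index is the zero-based position of
            # the step in the Step= sequence (consistent with the sample log).
            data[int(m.group(1))] = m.group(2).strip()
        elif part:
            kept.append(part)
    rendered = []
    for pos, step_id in enumerate(steps):
        text = f"{step_id}) {STEP_NAMES.get(step_id, 'Unknown step')}"
        if pos in data:
            text += f" (data:) {data[pos]}"
        rendered.append(text)
    out = ", ".join(kept)
    return f"{out} Steps: {' '.join(rendered)}" if rendered else out

# Constructed sample: a shortened version of the failed-authentication log.
SAMPLE = (
    "5434 NOTICE RADIUS: Endpoint conducted several failed authentications "
    "of the same scenario, UserName=testuser, Step=11001, Step=11017, "
    "Step=15049, Step=15008, Step=15048, Step=99999, "
    r"StepData=4= DEVICE.Location, StepData=5=icm.cisco.com\\,one-way, "
    "Response={RadiusPacketType=AccessReject; },"
)

if __name__ == "__main__":
    print(translate_steps(SAMPLE))
```

Step IDs missing from the lookup table are kept in the sequence with a fallback label rather than dropped, so an incomplete reference list never hides a processing step from an analyst.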
Log Examples
Failed RADIUS Authentication
0001969854 1 0 2014-08-07 00:00:16.712 -07:00 0098649452 5434 NOTICE RADIUS: Endpoint conducted several failed authentications of the same scenario, ConfigVersionId=133, Device IP Address=11.22.150.68, Device Port=1645, DestinationIPAddress=11.22.7.63, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=testuser, Protocol=Radius, NetworkDeviceName=EXAMPLE, User-Name=anonymous, NAS-IP-Address=11.22.150.68, NAS-Port=60000, Service-Type=Framed, Framed-MTU=1449, State=37CPMSessionID=0a22964453e324d700000d64\\;42SessionID=jjj-kkkk-lll01/1\ 95491152/2084868\\;, Called-Station-ID=3c-08-f6-59-0e-10:alpha_phone, Calling-Station-ID=00-23-33-41-60-52, NAS-Port-Type=Wireless - IEEE 802.11, NAS-Port-Id=Capwap7, EAP-Key-Name=, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0a22964453e324d700000d64, cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha_phone, Airespace-Wlan-Id=2, IsEndpointInRejectMode=false, AcsSessionID=jjj-kkkk-ll\ l01/195491152/2084868, AuthenticationIdentityStore=CiscoAD, AuthenticationMethod=PAP_ASCII, SelectedAccessService=Default Network Access, FailureReason=24408 User authentication against Active Directory failed since user has entered the wrong password, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12101, Step=12100, Step=12625, Step=11006, Step=11001, Step=11018, Step=12102, Step=12800, Step=12175, Step=12805, Step=12806, Step=12801, Step=12802, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12804, Step=12816, Step=12132, Step=12209, Step=12218, Step=12125, Step=11521, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12220, Step=11522, Step=11806, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12607, Step=12606, Step=12611, Step=15041, Step=15006, Step=22072, Step=15013, Step=12606, Step=12105, Step=11006, 
Step=11001, Step=11018, Step=12104, Step=12610, Step=15041, Step=15004, Step=15006, Step=22072, Step=15013, Step=24430, Step=24325, Step=24313, Step=24319, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24323, Step=24344, Step=24408, Step=22057, Step=22061, Step=12610, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12610, Step=12853, Step=11520, Step=12117, Step=22028, Step=12965, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=11504, Step=11003, Step=5434, SelectedAuthenticationIdentityStores=CiscoAD, SelectedAuthenticationIdentityStores=Internal Endpoints, SelectedAuthenticationIdentityStores=Internal Users, SelectedAuthenticationIdentityStores=Guest Users, NetworkDeviceGroups=Location#All Locations#SJC#WNBU, NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC#NGWC, EapTunnel=EAP-FAST, EapAuthentication=EAP-GTC, CPMSessionID=0a22964453e324d700000d64, EndPointMACAddress=00-23-33-41-60-52, EapChainingResult=No chaining, ISEPolicySetName=Building_SJC14_WNBU, AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x, IdentitySelectionMatchedRule=Default, TotalFailedAttempts=12987, TotalFailedTime=310509, AD-Domain=cisco.com, [email protected], StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type, StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address, StepData=9=WNBU_SJC14_Wireless_Dot1x, StepData=59=EAP_TLS_BYOD, StepData=60=CiscoAD, StepData=69=Default, StepData=71=EAP_TLS_BYOD, StepData=72=CiscoAD, StepData=73=CiscoAD, StepData=74=testuser, StepData=75=cisco.com, StepData=76=cisco.com, StepData=77=icm.cisco.com\\,Domain trust direction is one-way, StepData=78=sea-alpha.cisco.com\\,Domain trust direction is one-way, StepData=79=partnet.cisco.com\\,Domain trust direction is one-way, StepData=80=IL.TEST.COM\\,Domain trust direction is one-way, StepData=81=UK.TEST.COM\\,Domain trust direction is one-way, 
StepData=82=SN.local\\,Domain trust direction is one-way, StepData=83=webex.local\\,Domain trust direction is one-way, StepData=84=in.test.com\\,Domain trust direction is one-way, StepData=85=US.TEST.COM\\,Domain trust direction is one-way, StepData=87=STATUS_WRONG_PASSWORD\\,ERROR_INVALID_PASSWORD\\,[email protected], StepData=88=CiscoAD, Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All Device Types#Wireless#WLC#NGWC, Response={RadiusPacketType=AccessReject; },