ISE Notes

Problem:

ISE reports that consumed licenses are exceeded, but the number of active sessions is lower than the number of consumed licenses.

Solution 1:

  • Enter the command: # application configure ise
  • It lists the options to choose from
  • [1]Reset M&T Session Database
  • Press 1 and Enter
  • Note: resetting the M&T session database restarts the service; a maintenance window (MW) is recommended.
  • After this finishes, choose the following:
  • [5]Refresh Database Statistics
  • Press 5 and Enter

Solution 2:

On a Windows 10 PC, from \windows\system32\:

curl -X DELETE --ssl-no-revoke -u admin https://ise-server/admin/API/mnt/Session/Delete/All

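or, to ignore certificate errors (-k turns off TLS certificate verification, so curl no longer confirms it is talking to the ISE server):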

curl -X DELETE -k -u admin https://ise-server/admin/API/mnt/Session/Delete/All

You will see status SUCCESSFUL returned.

Verify:

https://ise-server/admin/API/mnt/Session/ActiveCount

https://ise-server/admin/API/mnt/Session/ActiveList



https://developer.cisco.com/docs/identity-services-engine/3.0/#!using-api-calls-for-session-management/stale-sessions


To manually delete a stale session for a MAC address, issue the following API call on the command line:

curl -X DELETE https://<mntnode>/admin/API/mnt/Session/Delete/MACAddress/<xx:xx:xx:xx>
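
The per-MAC cleanup above as a script, added here as an example and not part of the original notes or of Cisco's code: it parses an ActiveList reply, validates each MAC address before it reaches the URL, and sends the DELETE with certificate verification on instead of -k. The XML element names, the sample reply, the helper names, and the use of basic auth on the per-MAC call are assumptions.

```python
import base64
import re
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample reply; the element names are an assumed ActiveList layout.
SAMPLE_ACTIVE_LIST = """<activeList noOfActiveSession="3">
 <activeSession><user_name>alice</user_name><calling_station_id>00:0C:29:FA:EF:0A</calling_station_id></activeSession>
 <activeSession><user_name>printer</user_name><calling_station_id>00-0c-29-aa-bb-01</calling_station_id></activeSession>
 <activeSession><user_name>bob</user_name><calling_station_id>000c.29aa.bb02</calling_station_id></activeSession>
</activeList>"""

def normalize_mac(raw):
    """Return AA:BB:CC:DD:EE:FF, or raise ValueError for anything that is not a MAC."""
    digits = re.sub(r"[:.\-]", "", raw.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def active_macs(xml_text):
    """Map normalized MAC -> user name for every session in an ActiveList reply."""
    root = ET.fromstring(xml_text)
    return {normalize_mac(s.findtext("calling_station_id", "")): s.findtext("user_name", "")
            for s in root.iter("activeSession")}

def delete_urls(host, xml_text, stale):
    """Build per-MAC DELETE URLs, but only for stale MACs that ISE still lists as active."""
    listed = active_macs(xml_text)
    wanted = sorted({normalize_mac(m) for m in stale})
    return [f"https://{host}/admin/API/mnt/Session/Delete/MACAddress/{m}"
            for m in wanted if m in listed]

def delete_session(url, user, password, cafile):
    """Send one DELETE with certificate verification on (the opposite of curl -k)."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: CA that signed the ISE admin cert
    req = urllib.request.Request(url, method="DELETE")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.status

if __name__ == "__main__":
    # Dry run: print what would be deleted; "ise-server" is the page's placeholder host.
    for url in delete_urls("ise-server", SAMPLE_ACTIVE_LIST, ["00:0c:29:aa:bb:01"]):
        print("DELETE", url)
```

Running the file only prints the URLs it would call; delete_session is invoked separately once the list has been reviewed.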

=============

Problem:

After logging in to ISE with an external AD group account, the device list is not visible.


You must have an ISE Admin Group mapped to an AD group. When you create the external admin users, assign them to the ISE Admin Group you created instead of the Super Admin group.

Then go to Admin Access > Authorization > RBAC Policy, locate your ISE Admin group, and in the permission column click the plus sign to add "Super Admin Data Access" along with "Super Admin Menu Access".


==============

PAP: Policy Administration Point
      Primary PAP
      Secondary PAP

PDP: Policy Decision Point

M&T: Monitoring and Troubleshooting



Problem:

MAB failed

Fix:

Note the Authentication Protocol shows Lookup

Starting in ISE 3.3, you can create nuanced authorization policies using four specific attributes from the endpoints connecting to your network. The Multi-Factor Classification (MFC) profiler uses various profiling probes to fetch four new endpoint attributes for the Cisco ISE authorization policy creation workflows: MFC Endpoint Type, MFC Hardware Manufacturer, MFC Hardware Model, and MFC Operating System. Take note that CWKST has Windows11 as the MFC Operating System.
