Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE) is a network administration product that enables the creation and enforcement of security and access policies for endpoint devices connected to the company's routers and switches. The purpose is to simplify identity management across diverse devices and applications.
App Function
This app has one function. Cisco ISE log messages are logs of events
composed of (very) many steps, and some of these steps have specific
data associated with them. In the log messages the steps are represented
merely as a series of Step= fields, along with the data as StepData= fields.
This app takes those Step= and StepData= fields and translates them into
an ordered series of step names, along with the associated data. This makes
the log messages substantially more readable and comprehensible. The
log message text is changed to remove the numeric Step= and StepData=
fields from the message, and the ordered sequence of step names,
with step data, is appended to the message.
Vendor Documentation
- Cisco Identity Services Engine
- Logging (Cisco Identity Services Engine)
- Introduction to Cisco ISE Syslogs
Incoming Log Format
Cisco ISE logs are syslog logs comprised of certain fixed header fields
such as date-timestamp, numeric ids, and event summaries, followed by
a large section of key/value pairs. Each key and value is separated by
=, and each pair is separated by comma and space (, ). See the examples
below.
Parsed Metadata Fields
This app creates no user tags. As mentioned, its sole purpose is to
parse Step= and StepData= fields and translate them into readable
text. Log messages contain a sequence of these fields. Each field
is parsed and looked up in a reference list to determine the
name of the step that corresponds to the numeric step id.
See the next section for an example of the incoming ISE log messages. An illustrative sample of a portion of the re-generated log message text is:
(...)
[email protected],
Location=Location#All Locations#SJC#WNBU, Device Type=Device Type#All
Device Types#Wireless#WLC#NGWC, Response={RadiusPacketType=AccessReject; }
Steps:
11001) RADIUS Diagnostics: Received RADIUS Access-Request
11017) RADIUS Diagnostics: RADIUS created a new session
15049) Policy Diagnostics: Evaluating Policy Group
15008) Policy Diagnostics: Evaluating Service Selection Policy
15048) Policy Diagnostics: Queried PIP
(data:) DEVICE.Location
(...)
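The following is an added example (not the app's own code) of the translation described in the sections above: it splits a message into ordered key/value pairs on the first = of each pair, separates the Step= and StepData= fields from the rest, looks the step ids up in a reference table and appends the named steps to the message. The reference table holds only the five step names shown in the sample above; the assumption that StepData=N= refers to the 0-based position N in the Step sequence is inferred from that sample (StepData=4 lands on the fifth step, 15048), and the treatment of backslash-escaped commas follows the Domain trust direction values in the log example below. The sample message is constructed and trimmed from that example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Step-id reference table. These five names are the ones shown in the sample
# output on this page; a real deployment loads the full Cisco ISE step
# catalogue. Ids not in the table are rendered as "Unknown step".
STEP_NAMES: Dict[str, str] = {
    "11001": "RADIUS Diagnostics: Received RADIUS Access-Request",
    "11017": "RADIUS Diagnostics: RADIUS created a new session",
    "15049": "Policy Diagnostics: Evaluating Policy Group",
    "15008": "Policy Diagnostics: Evaluating Service Selection Policy",
    "15048": "Policy Diagnostics: Queried PIP",
}

# Pairs are separated by ", ", but a comma escaped with a backslash
# (e.g. "icm.cisco.com\,Domain trust direction is one-way") belongs to the value.
_PAIR_SEP = re.compile(r"(?<!\\), ")


def split_pairs(message: str) -> List[Tuple[str, Optional[str]]]:
    """Split an ISE message into ordered (key, value) pairs.

    Only the first '=' separates key from value, so values that themselves
    contain '=' (cisco-av-pair=service-type=Framed, StepData=4= DEVICE.Location)
    survive intact. Chunks without '=' (the syslog header) get value None.
    A list is used rather than a dict because Step= and StepData= repeat.
    """
    pairs: List[Tuple[str, Optional[str]]] = []
    for chunk in _PAIR_SEP.split(message):
        key, sep, value = chunk.partition("=")
        pairs.append((key.strip(), value if sep else None))
    return pairs


def extract_steps(message: str) -> Tuple[List[str], List[str], Dict[int, str]]:
    """Separate Step=/StepData= fields from the rest of the message.

    Returns (remaining fields, ordered step ids, {step index: data}).
    StepData=N=... is taken as 0-based position N in the Step sequence
    (assumption inferred from the page's sample: StepData=4 is the fifth step).
    """
    remaining: List[str] = []
    steps: List[str] = []
    step_data: Dict[int, str] = {}
    for key, value in split_pairs(message):
        if value is None:
            remaining.append(key)  # header text with no key/value structure
        elif key == "Step":
            steps.append(value.strip())
        elif key == "StepData":
            idx, sep, data = value.partition("=")
            if sep and idx.strip().isdigit():
                step_data[int(idx)] = data.strip()
            else:
                remaining.append(f"{key}={value}")  # malformed: keep it visible
        else:
            remaining.append(f"{key}={value}")
    return remaining, steps, step_data


def translate_steps(message: str) -> str:
    """Rewrite a message: drop the numeric step fields, append the named steps."""
    remaining, steps, step_data = extract_steps(message)
    lines = [", ".join(remaining), "Steps:"]
    for i, step_id in enumerate(steps):
        lines.append(f"{step_id}) {STEP_NAMES.get(step_id, 'Unknown step')}")
        if i in step_data:
            lines.append(f"  (data:) {step_data[i]}")
    # Data whose index has no matching step is reported rather than dropped.
    for i in sorted(i for i in step_data if i >= len(steps)):
        lines.append(f"  (unmatched data, index {i}:) {step_data[i]}")
    return "\n".join(lines)


# Constructed sample, trimmed from the Failed RADIUS Authentication example on
# this page (most Step= fields omitted for brevity).
SAMPLE = (
    "0001969854 1 0 2014-08-07 00:00:16.712 -07:00 0098649452 5434 NOTICE RADIUS: "
    "Endpoint conducted several failed authentications of the same scenario, "
    "ConfigVersionId=133, UserName=testuser, EAP-Key-Name=, "
    "cisco-av-pair=service-type=Framed, "
    "Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, "
    "StepData=4= DEVICE.Location, StepData=5= Radius.Called-Station-ID, "
    "StepData=77=icm.cisco.com\\,Domain trust direction is one-way, "
    "Response={RadiusPacketType=AccessReject; }"
)

if __name__ == "__main__":
    print(translate_steps(SAMPLE))
```

Keeping the pairs as an ordered list rather than a dictionary is the important design choice: Step= repeats dozens of times per message, and the order is the whole point of the translation. Splitting on the first = only preserves values such as cisco-av-pair=service-type=Framed and the N=value shape of StepData=.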
Log Examples
Failed RADIUS Authentication
0001969854 1 0 2014-08-07 00:00:16.712 -07:00 0098649452 5434
NOTICE RADIUS: Endpoint conducted several failed authentications of the
same scenario, ConfigVersionId=133, Device IP Address=11.22.150.68,
Device Port=1645, DestinationIPAddress=11.22.7.63, DestinationPort=1812,
RadiusPacketType=AccessRequest, UserName=testuser, Protocol=Radius,
NetworkDeviceName=EXAMPLE, User-Name=anonymous, NAS-IP-Address=11.22.150.68,
NAS-Port=60000, Service-Type=Framed, Framed-MTU=1449,
State=37CPMSessionID=0a22964453e324d700000d64\\;42SessionID=jjj-kkkk-lll01/1\
95491152/2084868\\;, Called-Station-ID=3c-08-f6-59-0e-10:alpha_phone,
Calling-Station-ID=00-23-33-41-60-52, NAS-Port-Type=Wireless - IEEE 802.11,
NAS-Port-Id=Capwap7, EAP-Key-Name=, cisco-av-pair=service-type=Framed,
cisco-av-pair=audit-session-id=0a22964453e324d700000d64,
cisco-av-pair=method=dot1x, cisco-av-pair=cisco-wlan-ssid=alpha_phone,
Airespace-Wlan-Id=2, IsEndpointInRejectMode=false, AcsSessionID=jjj-kkkk-ll\
l01/195491152/2084868, AuthenticationIdentityStore=CiscoAD,
AuthenticationMethod=PAP_ASCII, SelectedAccessService=Default
Network Access, FailureReason=24408 User authentication against Active
Directory failed since user has entered the wrong password, Step=11001,
Step=11017, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048,
Step=15048, Step=15048, Step=15004, Step=11507, Step=12300, Step=12625,
Step=11006, Step=11001, Step=11018, Step=12101, Step=12100, Step=12625,
Step=11006, Step=11001, Step=11018, Step=12102, Step=12800, Step=12175,
Step=12805, Step=12806, Step=12801, Step=12802, Step=12105, Step=11006,
Step=11001, Step=11018, Step=12104, Step=12804, Step=12816, Step=12132,
Step=12209, Step=12218, Step=12125, Step=11521, Step=12105, Step=11006,
Step=11001, Step=11018, Step=12104, Step=12220, Step=11522, Step=11806,
Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=12607,
Step=12606, Step=12611, Step=15041, Step=15006, Step=22072, Step=15013,
Step=12606, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104,
Step=12610, Step=15041, Step=15004, Step=15006, Step=22072, Step=15013,
Step=24430, Step=24325, Step=24313, Step=24319, Step=24367, Step=24367,
Step=24367, Step=24367, Step=24367, Step=24367, Step=24367, Step=24367,
Step=24367, Step=24323, Step=24344, Step=24408, Step=22057, Step=22061,
Step=12610, Step=12105, Step=11006, Step=11001, Step=11018, Step=12104,
Step=12610, Step=12853, Step=11520, Step=12117, Step=22028, Step=12965,
Step=12105, Step=11006, Step=11001, Step=11018, Step=12104, Step=11504,
Step=11003, Step=5434, SelectedAuthenticationIdentityStores=CiscoAD,
SelectedAuthenticationIdentityStores=Internal Endpoints,
SelectedAuthenticationIdentityStores=Internal Users,
SelectedAuthenticationIdentityStores=Guest Users,
NetworkDeviceGroups=Location#All Locations#SJC#WNBU,
NetworkDeviceGroups=Device Type#All Device Types#Wireless#WLC#NGWC,
EapTunnel=EAP-FAST, EapAuthentication=EAP-GTC,
CPMSessionID=0a22964453e324d700000d64, EndPointMACAddress=00-23-33-41-60-52,
EapChainingResult=No chaining, ISEPolicySetName=Building_SJC14_WNBU,
AllowedProtocolMatchedRule=WNBU_SJC14_Wireless_Dot1x,
IdentitySelectionMatchedRule=Default, TotalFailedAttempts=12987,
TotalFailedTime=310509, AD-Domain=cisco.com,
[email protected], StepData=4= DEVICE.Location,
StepData=5= Radius.Called-Station-ID, StepData=6= Radius.Service-Type,
StepData=7= Radius.NAS-Port-Type, StepData=8= Radius.NAS-IP-Address,
StepData=9=WNBU_SJC14_Wireless_Dot1x, StepData=59=EAP_TLS_BYOD,
StepData=60=CiscoAD, StepData=69=Default, StepData=71=EAP_TLS_BYOD,
StepData=72=CiscoAD, StepData=73=CiscoAD, StepData=74=testuser,
StepData=75=cisco.com, StepData=76=cisco.com,
StepData=77=icm.cisco.com\\,Domain trust direction is one-way,
StepData=78=sea-alpha.cisco.com\\,Domain trust direction is one-way,
StepData=79=partnet.cisco.com\\,Domain trust direction is one-way,
StepData=80=IL.TEST.COM\\,Domain trust direction is one-way,
StepData=81=UK.TEST.COM\\,Domain trust direction is one-way,
StepData=82=SN.local\\,Domain trust direction is one-way,
StepData=83=webex.local\\,Domain trust direction is one-way,
StepData=84=in.test.com\\,Domain trust direction is one-way,
StepData=85=US.TEST.COM\\,Domain trust direction is one-way,
StepData=87=STATUS_WRONG_PASSWORD\\,ERROR_INVALID_PASSWORD\\,[email protected],
StepData=88=CiscoAD, Location=Location#All Locations#SJC#WNBU, Device
Type=Device Type#All Device Types#Wireless#WLC#NGWC,
Response={RadiusPacketType=AccessReject; },