Overview

LogicMonitor’s Cisco Identity Services Engine (ISE) monitoring package uses the ISE API to monitor endpoints, users, sessions, and more. Synthetic transactions for RADIUS and TACACS protocols are also initiated for testing authentication to a RADIUS or TACACS server.

Compatibility

As of August 2020, LogicMonitor’s Cisco ISE package is known to be compatible with:

  • All versions of RADIUS and TACACS authentication
  • ISE API 2.x

As Cisco releases newer versions of Cisco ISE, LogicMonitor will test and extend coverage as necessary.

Setup Requirements

Satisfy Dependencies

  • A Collector version of 29.100 or higher must be used for Cisco ISE monitoring (if utilizing the RADIUS_SyntheticTransaction, TACACS_SyntheticTransaction, or Cisco_ISE_TACACS+_Ports LogicModules)
  • The Cisco ISE resource must permit HTTPS access to the MnT API
  • The Cisco ISE resource must be a monitoring node that is configured for MnT mode to allow for external monitoring. See Cisco Identity Services Engine Administrator Guide for more information on monitoring nodes.

Add Resources Into Monitoring

Add your Cisco ISE node into monitoring. For more information on adding resources into monitoring, see Adding Devices.

Obtain Credentials

LogicMonitor must provide the appropriate credentials in order to successfully access the Cisco ISE API resource’s data. These credentials must belong to a user account that has been assigned suitable permissions to access the ISE MnT API (not to be confused with the ERS API). As discussed next, these credentials will be assigned as properties within LogicMonitor.

For more information on the Cisco ISE API, see the Cisco Identity Services Engine API Reference Guide.

Assign Properties to Resource

The following sets of custom properties must be set on the Cisco ISE node within LogicMonitor. For more information on setting properties, see Resource and Instance Properties.

MnT API Properties

| Property | Value |
| --- | --- |
| ise.monitoring.user (or ise.user) | MnT API username |
| ise.monitoring.pass (or ise.pass) | MnT API password |
| ise.monitoring.port | MnT API port (optional, defaults to 443 if not explicitly set) |

RADIUS Authentication Properties

| Property | Value |
| --- | --- |
| radius.user | RADIUS authentication user |
| radius.pass | RADIUS authentication password |
| radius.key (or radius.secret) | The secret key used to authenticate |
| radius.port | Connection port for the RADIUS server (optional, defaults to 1812 if not explicitly set) |
| radius.auth | The authentication protocol in use (optional, defaults to “pap” if not explicitly set; other acceptable values are “chap”, “eap”, and “mschapv2”) |

TACACS Authentication Properties

| Property | Value |
| --- | --- |
| tacacs.user | TACACS authentication user |
| tacacs.pass | TACACS authentication password |
| tacacs.key (or tacacs.secret) | The secret key used to authenticate |
| tacacs.port | Connection port for the TACACS server (optional, defaults to 49 if not explicitly set) |
| tacacs.auth | The authentication protocol in use (optional, defaults to “pap” if not explicitly set; other acceptable value is “chap”) |

Import LogicModules

From the LogicMonitor public repository, import all Cisco ISE LogicModules, which are listed in the LogicModules in Package section of this support article. If these LogicModules are already present, ensure you have the most recent versions.

Once the LogicModules are imported (assuming all previous setup requirements have been met), data collection will automatically commence.

Troubleshooting

Issue: Failure to connect to the MnT API

This is usually the result of one of the following:

  • Incorrect credentials (or credentials being set for the ERS API instead of the MnT API)
  • The node not being set to MnT
  • Incorrect port designation

Issue: Failed RADIUS/TACACS synthetic transactions

These protocols follow standards used by common test tools and are only expected to fail with incorrect credentials. If the credentials are correct, ensure that the LogicMonitor Collector’s attempted connections aren’t being blocked by default (for example, denied as a result of an allow list or deny list).
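
A pre-flight check for the two issues above, as an added example (not LogicMonitor's or Cisco's code): resolve() applies the aliases, defaults and accepted values from the property tables on this page, and probe_mnt() requests Session/ActiveCount from the MnT node. The /admin/API/mnt/ URL prefix, the use of HTTP basic authentication, the function names and the sample values are assumptions not stated on this page.

```python
import base64
import ssl
import urllib.error
import urllib.request

# Aliases, defaults and accepted values as listed in the property tables on this page.
ALIASES = {"ise.monitoring.user": "ise.user", "ise.monitoring.pass": "ise.pass",
           "radius.key": "radius.secret", "tacacs.key": "tacacs.secret"}
DEFAULTS = {"ise.monitoring.port": "443", "radius.port": "1812", "radius.auth": "pap",
            "tacacs.port": "49", "tacacs.auth": "pap"}
AUTH_VALUES = {"radius.auth": {"pap", "chap", "eap", "mschapv2"},
               "tacacs.auth": {"pap", "chap"}}
GROUPS = {"mnt": ["ise.monitoring.user", "ise.monitoring.pass", "ise.monitoring.port"],
          "radius": [f"radius.{k}" for k in ("user", "pass", "key", "port", "auth")],
          "tacacs": [f"tacacs.{k}" for k in ("user", "pass", "key", "port", "auth")]}
# Constructed sample: MnT user set via its alias, MnT password missing, bad radius.auth.
SAMPLE = {"ise.user": "mnt-reader", "radius.user": "probe", "radius.pass": "x",
          "radius.secret": "s3", "radius.auth": "ms-chap"}

def resolve(props, group):
    """Apply aliases and defaults to string properties; return (resolved, problems)."""
    resolved, problems = {}, []
    for name in GROUPS[group]:
        value = props.get(name) or props.get(ALIASES.get(name, "")) or DEFAULTS.get(name)
        if not value:
            problems.append(f"{name}: not set")
        elif name.endswith(".port") and not (value.isdigit() and 0 < int(value) < 65536):
            problems.append(f"{name}: not a valid port")
        elif name in AUTH_VALUES and value not in AUTH_VALUES[name]:
            problems.append(f"{name}: unsupported value {value!r}")
        else:
            resolved[name] = value
    return resolved, problems

def probe_mnt(host, resolved, cafile=None, timeout=10):
    """GET Session/ActiveCount with basic auth; return the HTTP status or the error text."""
    # Assumed URL layout; the page itself names only the Session/ActiveCount endpoint.
    url = f"https://{host}:{resolved['ise.monitoring.port']}/admin/API/mnt/Session/ActiveCount"
    creds = f"{resolved['ise.monitoring.user']}:{resolved['ise.monitoring.pass']}"
    req = urllib.request.Request(url, headers={
        "Authorization": "Basic " + base64.b64encode(creds.encode()).decode()})
    ctx = ssl.create_default_context(cafile=cafile)  # certificate verification stays on
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code  # 401 points at the credentials bullet above
    except OSError as exc:
        return str(exc)  # unreachable host, wrong port, or untrusted certificate
```

Pass the ISE node's CA bundle as cafile when its certificate is not in the system trust store, rather than turning verification off.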

LogicModules in Package

LogicMonitor’s package for Cisco ISE consists of the following LogicModules. For full coverage, please ensure that all of these LogicModules are imported into your LogicMonitor platform.

| Display Name | Type | Description |
| --- | --- | --- |
| addCategory_Cisco_ISE_MnT | PropertySource | Checks ISE version information to identify MnT nodes. |
| ISE User Sessions | DataSource | Monitors the number of active sessions for each user. |
| ISE Total Active Users | DataSource | The number of unique users across all active sessions. |
| ISE Server Session | DataSource | Monitors the number of active sessions on each server. |
| ISE Profiler Service Sessions | DataSource | Profiler is a service that aids in identifying, locating, and determining the capabilities of all attached endpoints on a Cisco ISE network. |
| ISE Postured Endpoints | DataSource | Posture is a service that aids in checking the state (or posture) for all the endpoints that connect to a Cisco ISE network. Cisco ISE utilizes NAC Agent for checking the posture compliance of a device. |
| ISE Active Sessions | DataSource | Statistics from the Session/ActiveCount endpoint in the ISE MnT API. |
| Cisco ISE: TACACS+ Ports | DataSource | Checks to see if port 49 (or non-default port entered for the tacacs.port property) for Cisco ISE TACACS+ is open. |
| TACACS Synthetic Transaction | DataSource | Tests authentication to a TACACS server. |
| RADIUS Synthetic Transaction | DataSource | Tests authentication to a RADIUS server. |

When setting static datapoint thresholds on the various metrics tracked by this package’s DataSources, LogicMonitor follows the technology owner’s best practice KPI recommendations. If necessary, we encourage you to adjust these predefined thresholds to meet the unique needs of your environment. For more information on tuning datapoint thresholds, see Tuning Static Thresholds for Datapoints.
