LogicMonitor’s Cisco Identity Services Engine (ISE) monitoring package uses the ISE API to monitor endpoints, users, sessions, and more. Synthetic transactions for RADIUS and TACACS protocols are also initiated for testing authentication to a RADIUS or TACACS server.
As of August 2020, LogicMonitor’s Cisco ISE package is known to be compatible with:
- All versions of RADIUS and TACACS authentication
- ISE API 2.x
- A Collector version of 29.100 or higher must be used for Cisco ISE monitoring (if utilizing the RADIUS_SyntheticTransaction, TACACS_SyntheticTransaction, or Cisco_ISE_TACACS+_Ports LogicModules)
- The Cisco ISE resource must permit HTTPS access to the MnT API
- The Cisco ISE resource must be a monitoring node that is configured for MnT mode to allow for external monitoring. See Cisco Identity Services Engine Administrator Guide for more information on monitoring nodes.
Add Resources Into Monitoring
Add your Cisco ISE node into monitoring. For more information on adding resources into monitoring, see Adding Devices.
LogicMonitor must provide the appropriate credentials in order to successfully access the Cisco ISE API resource’s data. These credentials must belong to a user account that has been assigned suitable permissions to access the ISE MnT API (not to be confused with the ERS API). As discussed next, these credentials will be assigned as properties within LogicMonitor.
For more information on the Cisco ISE API, see the Cisco Identity Services Engine API Reference Guide.
Assign Properties to Resource
The following sets of custom properties must be set on the Cisco ISE node within LogicMonitor. For more information on setting properties, see Resource and Instance Properties.
MnT API Properties
|ise.monitoring.user (or ise.user)||MnT API username|
|ise.monitoring.pass (or ise.pass)||MnT API password|
|ise.monitoring.port||MnT API port (optional, defaults to 443 if not explicitly set)|
RADIUS Authentication Properties
|radius.user||RADIUS authentication user|
|radius.pass||RADIUS authentication password|
|radius.key (or radius.secret)||The secret key used to authenticate|
|radius.port||Connection port for the RADIUS server (optional, defaults to 1812 if not explicitly set)|
|radius.auth||The authentication protocol in use (optional, defaults to “pap” if not explicitly set; other acceptable values are “chap”.)|
TACACS Authentication Properties
|tacacs.user||TACACS authentication user|
|tacacs.pass||TACACS authentication password|
|tacacs.key (or tacacs.secret)||The secret key used to authenticate|
|tacacs.port||Connection port for the TACACS server (optional, defaults to 49 if not explicitly set)|
|tacacs.auth||The authentication protocol in use (optional, defaults to “pap” if not explicitly set; other acceptable value is “chap”.)|
From the LogicMonitor public repository, import all Cisco ISE LogicModules, which are listed in the LogicModules in Package section of this support article. If these LogicModules are already present, ensure you have the most recent versions.
Once the LogicModules are imported (assuming all previous setup requirements have been met), data collection will automatically commence.
Issue: Failure to connect to the MnT API
This is usually the result of one of the following:
- Incorrect credentials (or credentials being set for the ERS API instead of the MnT API)
- The node not being set to MnT
- Incorrect port designation
Issue: Failed RADIUS/TACACS synthetic transactions
These protocols follow standards used by common test tools and are only expected to fail with incorrect credentials. If the credentials are correct, ensure that the LogicMonitor Collector’s attempted connections aren’t being blocked by default (for example, denied as a result of an allow list or deny list).
LogicModules in Package
LogicMonitor’s package for Cisco ISE consists of the following LogicModules. For full coverage, please ensure that all of these LogicModules are imported into your LogicMonitor platform.
|addCategory_Cisco_ISE_MnT||PropertySource||Checks ISE version information to identify MnT nodes.|
|ISE User Sessions||DataSource||Monitors the number of active sessions for each user.|
|ISE Total Active Users||DataSource||The number of unique users across all active sessions.|
|ISE Server Session||DataSource||Monitors the number of active sessions on each server.|
|ISE Profiler Service Sessions||DataSource||Profiler is a service that aids in identifying, locating, and determining the capabilities of all attached endpoints on a Cisco ISE network.|
|ISE Postured Endpoints||DataSource||Posture is a service that aids in checking the state (or posture) for all the endpoints that connect to a Cisco ISE network. Cisco ISE utilizes NAC Agent for checking the posture compliance of a device.|
|ISE Active Sessions||DataSource||Statistics from the Session/ActiveCount endpoint in the ISE MnT API.|
|Cisco ISE: TACACS+ Ports||DataSource||Checks to see if port 49 (or non-default port entered for the tacacs.port property) for Cisco ISE TACACS+ is open.|
|TACACS Synthetic Transaction||DataSource||Tests authentication to a TACACS server.|
|RADIUS Synthetic Transaction||DataSource||Tests authentication to a RADIUS server.|
When setting static datapoint thresholds on the various metrics tracked by this package’s DataSources, LogicMonitor follows the technology owner’s best practice KPI recommendations. If necessary, we encourage you to adjust these predefined thresholds to meet the unique needs of your environment. For more information on tuning datapoint thresholds, see Tuning Static Thresholds for Datapoints.