Cisco ISE Monitoring

Last updated on 12 April, 2024

Overview

LogicMonitor’s Cisco Identity Services Engine (ISE) monitoring package uses the ISE API to monitor endpoints, users, sessions, and more. Synthetic transactions for RADIUS and TACACS protocols are also initiated for testing authentication to a RADIUS or TACACS server.

Compatibility

As of August 2020, LogicMonitor’s Cisco ISE package is known to be compatible with:

  • All versions of RADIUS and TACACS authentication
  • ISE API 2.x

Setup Requirements

  • A Collector version of 29.100 or higher must be used for Cisco ISE monitoring (if utilizing the RADIUS_SyntheticTransaction, TACACS_SyntheticTransaction, or Cisco_ISE_TACACS+_Ports LogicModules)
  • The Cisco ISE resource must permit HTTPS access to the MnT API
  • The Cisco ISE resource must be a monitoring node that is configured for MnT mode to allow for external monitoring. For more information on monitoring nodes, see Cisco Identity Services Engine Configuration Guide.

Add Resources Into Monitoring

Add your Cisco ISE node into monitoring. For more information on adding resources into monitoring, see Adding Devices.

Obtain Credentials

LogicMonitor needs credentials to read data from the Cisco ISE API. These credentials must belong to a user account that has been assigned suitable permissions to access the ISE MnT API (not to be confused with the ERS API). As discussed next, these credentials are assigned as properties within LogicMonitor.

For more information on the Cisco ISE API, see Cisco Identity Services Engine API Reference Guide.

Assign Properties to Resource

The following sets of custom properties must be set on the Cisco ISE node within LogicMonitor. For more information on setting properties, see Resource and Instance Properties.

MnT API Properties

| Property | Value |
| --- | --- |
| ise.monitoring.user (or ise.user) | MnT API username |
| ise.monitoring.pass (or ise.pass) | MnT API password |
| ise.monitoring.port | MnT API port (optional, defaults to 443 if not explicitly set) |

RADIUS Authentication Properties

| Property | Value |
| --- | --- |
| radius.user | RADIUS authentication user |
| radius.pass | RADIUS authentication password |
| radius.key (or radius.secret) | The secret key used to authenticate |
| radius.port | Connection port for the RADIUS server (optional, defaults to 1812 if not explicitly set) |
| radius.auth | The authentication protocol in use (optional, defaults to “pap” if not explicitly set; the other acceptable value is “chap”) |

TACACS Authentication Properties

| Property | Value |
| --- | --- |
| tacacs.user | TACACS authentication user |
| tacacs.pass | TACACS authentication password |
| tacacs.key (or tacacs.secret) | The secret key used to authenticate |
| tacacs.port | Connection port for the TACACS server (optional, defaults to 49 if not explicitly set) |
| tacacs.auth | The authentication protocol in use (optional, defaults to “pap” if not explicitly set; the other acceptable value is “chap”) |

Import LogicModules

From the LogicMonitor public repository, import all Cisco ISE LogicModules, which are listed in the LogicModules in Package section of this support article. If these LogicModules are already present, ensure you have the most recent versions.

Once the LogicModules are imported (assuming all previous setup requirements have been met), data collection will automatically commence.

Troubleshooting

Issue: Failure to connect to the MnT API

This is usually the result of one of the following:

  • Incorrect credentials (or credentials being set for the ERS API instead of the MnT API)
  • The node not being set to MnT
  • Incorrect port designation

Issue: Failed RADIUS/TACACS synthetic transactions

These protocols follow standards used by common test tools and are only expected to fail with incorrect credentials. If the credentials are correct, ensure that the LogicMonitor Collector’s attempted connections aren’t being blocked by default (for example, denied as a result of an allow list or deny list).
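
To separate a wrong radius.key from a wrong radius.user or radius.pass when a RADIUS check fails, the following added example (not LogicMonitor's own code) builds a PAP or CHAP Access-Request from the RADIUS properties and verifies the reply's Response Authenticator as RFC 2865 defines it. The function names (settings, hide_pap, build_access_request, classify_reply, probe) are hypothetical, and the request carries no Message-Authenticator attribute, which a server may be configured to require.

```python
import hashlib, hmac, os, socket, struct

def settings(props):
    """Resolve properties as the RADIUS table describes (fallback name, defaults)."""
    return {"user": props["radius.user"].encode(),
            "password": props["radius.pass"].encode(),
            "secret": (props.get("radius.key") or props["radius.secret"]).encode(),
            "port": int(props.get("radius.port") or 1812),
            "auth": (props.get("radius.auth") or "pap").lower()}

def hide_pap(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    data = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\0")
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(data[i:i + 16], pad))
        out += prev
    return out

def attr(code, value):
    return struct.pack("!BB", code, len(value) + 2) + value

def build_access_request(cfg, ident=1, authenticator=None):
    auth = authenticator or os.urandom(16)
    attrs = attr(1, cfg["user"])                                  # User-Name
    if cfg["auth"] == "chap":                                     # challenge = Request Authenticator
        digest = hashlib.md5(bytes([ident]) + cfg["password"] + auth).digest()
        attrs += attr(3, bytes([ident]) + digest)                 # CHAP-Password
    else:
        attrs += attr(2, hide_pap(cfg["password"], cfg["secret"], auth))  # User-Password
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + auth + attrs, auth

def classify_reply(reply, request_auth, secret):
    """Verify the Response Authenticator (RFC 2865 section 3) before trusting the code."""
    code, _ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "shared-secret-mismatch"      # radius.key differs from the server's secret
    return {2: "access-accept", 3: "access-reject"}.get(code, "unexpected-code")

def probe(host, props, timeout=3.0):
    """Send one Access-Request over UDP and classify the answer."""
    cfg = settings(props)
    packet, auth = build_access_request(cfg)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, cfg["port"]))
        return classify_reply(sock.recv(4096), auth, cfg["secret"])
```

A socket timeout from probe means no reply arrived at all, which corresponds to the blocked-connection case above rather than to a credential failure.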

LogicModules in Package

LogicMonitor’s package for Cisco ISE consists of the following LogicModules. For full coverage, please ensure that all of these LogicModules are imported into your LogicMonitor platform.

| Display Name | Type | Description |
| --- | --- | --- |
| addCategory_Cisco_ISE_MnT | PropertySource | Checks ISE version information to identify MnT nodes. |
| ISE User Sessions | DataSource | Monitors the number of active sessions for each user. |
| ISE Total Active Users | DataSource | The number of unique users across all active sessions. |
| ISE Server Session | DataSource | Monitors the number of active sessions on each server. |
| ISE Profiler Service Sessions | DataSource | Profiler is a service that aids in identifying, locating, and determining the capabilities of all attached endpoints on a Cisco ISE network. |
| ISE Postured Endpoints | DataSource | Posture is a service that aids in checking the state (or posture) for all the endpoints that connect to a Cisco ISE network. Cisco ISE utilizes NAC Agent for checking the posture compliance of a device. |
| ISE Active Sessions | DataSource | Statistics from the Session/ActiveCount endpoint in the ISE MnT API. |
| Cisco ISE: TACACS+ Ports | DataSource | Checks to see if port 49 (or non-default port entered for the tacacs.port property) for Cisco ISE TACACS+ is open. |
| TACACS Synthetic Transaction | DataSource | Tests authentication to a TACACS server. |
| RADIUS Synthetic Transaction | DataSource | Tests authentication to a RADIUS server. |

When setting static datapoint thresholds on the various metrics tracked by this package’s DataSources, LogicMonitor follows the technology owner’s best practice KPI recommendations. If necessary, we encourage you to adjust these predefined thresholds to meet the unique needs of your environment. For more information on tuning datapoint thresholds, see Tuning Static Thresholds for Datapoints.
