Cisco ISE Monitoring
Last updated on 21 March, 2025
Overview
LogicMonitor’s Cisco Identity Services Engine (ISE) monitoring package uses the ISE API to monitor endpoints, users, sessions, and more. Synthetic transactions for RADIUS and TACACS protocols are also initiated for testing authentication to a RADIUS or TACACS server.
Compatibility
As of September 2024, LogicMonitor’s Cisco ISE package is known to be compatible with:
- All versions of RADIUS and TACACS authentication
- Cisco Identity Services Engine 2.6 to 3.3
Setup Requirements
- A Collector version of 29.100 or higher must be used for Cisco ISE monitoring (if utilizing the RADIUS_SyntheticTransaction, TACACS_SyntheticTransaction, or Cisco_ISE_TACACS+_Ports LogicModules)
- The Cisco ISE resource must permit HTTPS access to the MnT API
- The Cisco ISE resource must be a monitoring node that is configured for MnT mode to allow for external monitoring. For more information on monitoring nodes, see Cisco Identity Services Engine Configuration Guide.
Add Resources Into Monitoring
Add your Cisco ISE node into monitoring. For more information on adding resources into monitoring, see Adding Devices.
Obtain Credentials
LogicMonitor must provide the appropriate credentials in order to successfully access the Cisco ISE API resource’s data. These credentials must belong to a user account that has been assigned suitable permissions to access the ISE MnT API (not to be confused with the ERS API). As discussed next, these credentials will be assigned as properties within LogicMonitor.
For more information on the Cisco ISE API, see Cisco Identity Services Engine API Reference Guide.
Assign Properties to Resource
The following sets of custom properties must be set on the Cisco ISE node within LogicMonitor. For more information on setting properties, see Resource and Instance Properties.
MnT API Properties
Property | Value |
ise.monitoring.user (or ise.user) | MnT API username |
ise.monitoring.pass (or ise.pass) | MnT API password |
ise.monitoring.port | MnT API port (optional, defaults to 443 if not explicitly set) |
RADIUS Authentication Properties
Property | Value |
radius.user | RADIUS authentication user |
radius.pass | RADIUS authentication password |
radius.key (or radius.secret) | The secret key used to authenticate |
radius.port | Connection port for the RADIUS server (optional, defaults to 1812 if not explicitly set) |
radius.auth | The authentication protocol in use (optional, defaults to “pap” if not explicitly set; other acceptable value is “chap”.) |
TACACS Authentication Properties
Property | Value |
tacacs.user | TACACS authentication user |
tacacs.pass | TACACS authentication password |
tacacs.key (or tacacs.secret) | The secret key used to authenticate |
tacacs.port | Connection port for the TACACS server (optional, defaults to 49 if not explicitly set) |
tacacs.auth | The authentication protocol in use (optional, defaults to “pap” if not explicitly set; other acceptable value is “chap”.) |
Proxy Bypass
Property | Value |
proxy.enable | (Optional) Defaults to “true” if not explicitly set, which causes modules to use the proxy configured in the Collector’s ‘agent.conf’ file. Set to “false” to bypass the Collector’s proxy settings and force the modules to not use a proxy when making API requests. |
Note: As of December 2024, the ‘proxy.enable’ property only applies to the following Cisco ISE modules:
- Cisco_ISE_ActiveSessions
- Cisco_ISE_PosturedEndpoints
- Cisco_ISE_ProfilerServiceSessions
- Cisco_ISE_ServerSessions
- Cisco_ISE_TotalActiveUsers
- addCategory_Cisco_ISE_MNT
Import LogicModules
From the LogicMonitor public repository, import all Cisco ISE LogicModules, which are listed in the LogicModules in Package section of this support article. If these LogicModules are already present, ensure you have the most recent versions.
Once the LogicModules are imported (assuming all previous setup requirements have been met), data collection will automatically commence.
Troubleshooting
Issue: Failure to connect to the MnT API
This is usually the result of one of the following:
- Incorrect credentials (or credentials being set for the ERS API instead of the MnT API)
- The node not being set to MnT
- Incorrect port designation
- The device’s proxy configuration — consider bypassing the proxy by setting the proxy.enable property on the device to false.
Issue: Failed RADIUS/TACACS synthetic transactions
These protocols follow standards used by common test tools and are only expected to fail with incorrect credentials. If the credentials are correct, ensure that the LogicMonitor Collector’s attempted connections aren’t being blocked by default (for example, denied as a result of an allow list or deny list).
LogicModules in Package
LogicMonitor’s package for Cisco ISE consists of the following LogicModules. For full coverage, please ensure that all of these LogicModules are imported into your LogicMonitor platform.
Display Name | Type | Description |
addCategory_Cisco_ISE_MnT | PropertySource | Checks ISE version information to identify MnT nodes. |
ISE Total Active Users | DataSource | The number of unique users across all active sessions. |
ISE Server Session | DataSource | Monitors the number of active sessions on each server. |
ISE Profiler Service Sessions | DataSource | Profiler is a service that aids in identifying, locating, and determining the capabilities of all attached endpoints on a Cisco ISE network. |
ISE Postured Endpoints | DataSource | Posture is a service that aids in checking the state (or posture) for all the endpoints that connect to a Cisco ISE network. Cisco ISE utilizes NAC Agent for checking the posture compliance of a device. |
ISE Active Sessions | DataSource | Statistics from the Session/ActiveCount endpoint in the ISE MnT API. |
Cisco ISE: TACACS+ Ports | DataSource | Checks to see if port 49 (or non-default port entered for the tacacs.port property) for Cisco ISE TACACS+ is open. |
TACACS Synthetic Transaction | DataSource | Tests authentication to a TACACS server. |
RADIUS Synthetic Transaction | DataSource | Tests authentication to a RADIUS server. |
When setting static datapoint thresholds on the various metrics tracked by this package’s DataSources, LogicMonitor follows the technology owner’s best practice KPI recommendations. If necessary, we encourage you to adjust these predefined thresholds to meet the unique needs of your environment. For more information on tuning datapoint thresholds, see Tuning Static Thresholds for Datapoints.