ISE Failed wireless Authentications

eclark9651
Engager

We have recently installed the Cisco ISE Add-on (APP-1915). It appears to be working okay for the most part, except when I try to search the Failed Authentications for a Specific Location tab. I'm not getting any results; however, I do when I look at the summary page. Are there any modifications I need to make to get that information?

0 Karma
1 Solution

jcoates_splunk
Splunk Employee

Hi,

I'm not familiar with the report that you're asking about, but I am familiar with the add-on. A general troubleshooting approach might be helpful though:

  1. Click the magnifying glass in the report panel you're concerned about to get the search that it's running in a search bar.
  2. Compare what it's looking for with what the raw data looks like.

0 Karma

eclark9651
Engager

I took a look at the page and this is the code snippet I believe is attempting to pull the data. Can anyone confirm this would provide "failed authentications by locations"? I want to be able to click on the dropdown box and pick a specific location instead of seeing the entire pie chart that I see on the summary page within the Splunk App.

    <searchString>
      eventtype=cisco-ise-failed-authentication Location="$location$" NAS_Port_Type="Wireless - IEEE 802.11"
      | chart count by AuthenticationMethod
      | rename AuthenticationMethod AS "Authentication Method"
    </searchString>

jcoates_splunk
Splunk Employee

That looks fine on my demo system, using fake event generation.

0 Karma
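
The comparison step suggested in the solution can be run as a search of its own. The following is an added example, not part of any post in this thread and not shipped with the add-on; it uses only the event type and field names from the panel search quoted above, and drops the two field filters so their effect can be measured instead of assumed.

```spl
eventtype=cisco-ise-failed-authentication
| eval location_present=if(isnotnull(Location), 1, 0)
| eval wireless_match=if(NAS_Port_Type=="Wireless - IEEE 802.11", 1, 0)
| stats count AS failed_events
        sum(location_present) AS events_with_location
        sum(wireless_match) AS events_matching_port_type
        values(Location) AS location_values
        values(NAS_Port_Type) AS port_type_values
```

If `events_with_location` or `events_matching_port_type` is 0 while `failed_events` is not, that filter is what empties the panel. Otherwise, compare `location_values` character for character with the value the dropdown passes in as `$location$`.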