Radius Failure - cisco-pxgrid/pxgrid-rest-ws GitHub Wiki
Service: com.cisco.ise.radius
This service provides information about the Radius protocol (RFC 2865).
Service properties
Name | Description | Example |
---|---|---|
restBaseUrl | https://ise-host1:8910/pxgrid/ise/radius | |
wsPubsubService | com.cisco.ise.pubsub | |
failureTopic | /topic/com.cisco.ise.radius.failure | |
HTTP APIs
POST [restBaseUrl]/getFailures
This gets the Radius authentication failures since startTimestamp.
If startTimestamp is not specified, the failures for the last hour are returned.
The failures included are ISE syslog message codes 5400 to 5499 that are listed here
If no failure is found, the failures attribute will contain an empty array.
Note that radius authentication failures can be suppressed, so the timestamps being reported may not be the latest events.
Request
{
  // Last one hour if not specified
  "startTimestamp": ISO8601 Datetime (optional)
}
Response
{
  "failures": [
    array of failure objects
  ]
}
POST [restBaseUrl]/getFailureById
This gets the failure object with the specified id.
If not found, HTTP status "204 No content" will be returned.
Note that radius authentication failures can be suppressed, so the timestamps being reported may not be the latest events.
Request
{
  "id": ID of the entry (required)
}
Response
{
  failure objects
}
WS STOMP messaging
The topic provides events of Radius failures.
Note that repeated radius authentication failures can be suppressed. In other words, repeated failures may not be published.
failureTopic
{
  "sequence": integer sequence number for loss detection (since ISE 3.0)
  "failures": [
    array of failure objects
  ]
}
Objects
"failure" object
Name | Type | Description |
---|---|---|
id | string | |
timestamp | ISO8601 Datetime | The time this record was created in ISE. |
failureReason | string | The reason for the authentication failure |
userName | string | |
serverName | string | ISE server name where failure occurred |
callingStationId | string | Radius Calling-Station-ID |
auditSessionId | string | |
nasIpAddress | string | |
nasPortId | string | |
nasPortType | string | |
ipAddresses | array of string | |
macAddress | string | |
messageCode | integer | |
destinationIpAddress | string | |
userType | string | |
accessService | string | |
identityStore | string | |
identityGroup | string | |
authenticationMethod | string | |
authenticationProtocol | string | |
serviceType | string | |
networkDeviceName | string | |
deviceType | string | |
location | string | |
selectedAznProfiles | string | |
postureStatus | string | |
ctsSecurityGroup | string | |
response | string | |
responseTime | integer | Time taken to respond, in milliseconds |
executionSteps | string | |
credentialCheck | string | |
endpointProfile | string | |
mdmServerName | string | |
policySetName | string | |
authorizationRule | string | |
mseResponseTime | time | |
mseServerName | string | |
originalCallingStationId | string | |
Samples
"failure" objects
{
  "failures":[
    {
      "id":"1494300801107032",
      "timestamp":"2017-05-08T20:56:34.379-07:00",
      "failureReason":"22040 Wrong password or invalid shared secret",
      "messageCode":5400,
      "userName":"user1",
      "serverName":"pxgrid-001",
      "auditSessionId":"101",
      "ipAddresses":[
        "1.2.3.4"
      ],
      "nasIpAddress":"172.21.170.242",
      "nasName":"DefaultNetworkDevice",
      "callingStationId":"00:11:22:33:44:55",
      "originalCallingStationId":"00:11:22:33:44:55",
      "userType":"User",
      "accessService":"Default Network Access",
      "identityStore":"Internal Users",
      "authenticationMethod":"PAP_ASCII",
      "authenticationProtocol":"PAP_ASCII",
      "deviceType":"All Device Types",
      "location":"All Locations",
      "response":"{RadiusPacketType\u003dAccessReject; AuthenticationResult\u003dFailed; }",
      "responseTime":325,
      "executionSteps":[
        "11001",
        "11017",
        "11049",
        "15049",
        "15008",
        "15041",
        "15048",
        "22072",
        "15013",
        "24210",
        "24212",
        "22040",
        "22057",
        "22061",
        "11003"
      ],
      "credentialCheck":"PAP_ASCII",
      "policySetName":"Default",
      "mseResponseTime":0
    }
  ]
}
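One way a consumer of failureTopic could use the sequence number and the failure fields, added here as an example and not code from the pxGrid project: it detects lost messages, reports the timestamp to pass as startTimestamp to getFailures for a backfill, and counts failures per callingStationId and nasIpAddress. The class and function names, the threshold, and the assumption that sequence increases by one per published message are not from this page; the sample messages are constructed.

```python
import json
from collections import Counter
from datetime import datetime

class FailureTopicConsumer:
    """Tracks failureTopic messages: sequence gaps and repeat offenders."""
    def __init__(self, threshold=2):
        # Assumed threshold; ISE suppression makes counts a lower bound.
        self.threshold = threshold
        self.last_seq = None
        self.last = None          # (parsed, raw) newest failure timestamp
        self.seen_ids = set()     # dedupe if a backfill overlaps the topic
        self.counts = Counter()

    def handle(self, body):
        msg = json.loads(body)
        result = {"missed": 0, "backfill_from": None, "alerts": []}
        seq = msg.get("sequence")  # only present since ISE 3.0
        if seq is not None:
            # Assumption: sequence increases by 1 per published message.
            if self.last_seq is not None and seq > self.last_seq + 1:
                result["missed"] = seq - self.last_seq - 1
                # startTimestamp to send to getFailures to recover the gap
                result["backfill_from"] = self.last[1] if self.last else None
            self.last_seq = seq
        for f in msg.get("failures", []):
            if f["id"] in self.seen_ids:
                continue
            self.seen_ids.add(f["id"])
            ts = datetime.fromisoformat(f["timestamp"])
            if self.last is None or ts > self.last[0]:
                self.last = (ts, f["timestamp"])
            key = (f.get("callingStationId"), f.get("nasIpAddress"))
            self.counts[key] += 1
            if self.counts[key] == self.threshold:
                result["alerts"].append(key)
        return result

def make_msg(seq, fid, ts, station):
    """Build a constructed sample message body (not real ISE output)."""
    return json.dumps({"sequence": seq, "failures": [{
        "id": fid, "timestamp": ts, "messageCode": 5400,
        "callingStationId": station, "nasIpAddress": "172.21.170.242"}]})

def demo():
    c = FailureTopicConsumer()
    mac = "00:11:22:33:44:55"
    return [c.handle(make_msg(1, "a1", "2017-05-08T20:56:34.379-07:00", mac)),
            c.handle(make_msg(4, "a2", "2017-05-08T20:58:01.000-07:00", mac))]
```

The getFailures response fetched for backfill_from can be passed through handle() too: it has no sequence field, and entries already seen on the topic are dropped by id.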
ISE configuration
Suppression of repeated Radius failures
By default, ISE suppresses repeated failures in order to protect the system. This also affects the events being stored and published. The setting can be found in the UI under Administrator->System->Settings->Protocols->RADIUS.
Here is a screenshot from ISE 2.4 of the default settings.