ISE TAC Case Preparation

Template for preparing Cisco TAC cases for ISE issues. Proper data collection reduces back-and-forth and speeds resolution.

1. Pre-Case Checklist

  • Contract ID / Smart Account verified

  • ISE version and patch level documented

  • Problem statement clear and concise

  • Support bundle collected (if applicable)

  • Logs/screenshots captured

  • Steps to reproduce documented

2. Case Information Template

2.1. Environment Details

ISE Version: 3.4 Patch X
Deployment Type: Standalone / Distributed (PAN/MnT/PSN)
Node Count: X
Platform: Virtual (KVM/VMware/HyperV) / Physical Appliance

Primary PAN: ise-01.inside.domusdigitalis.dev (10.50.1.20)
Secondary PAN: N/A (or ise-02)
PSN Nodes: Same as PAN (all-in-one)
MnT Node: Same as PAN

AD Integration: Yes - home-dc01.inside.domusdigitalis.dev
External Identity Sources: AD, Internal Users

2.2. Problem Statement

SUMMARY: [One-line description]

SYMPTOMS:
- [Symptom 1]
- [Symptom 2]
- [Symptom 3]

IMPACT:
- [How it affects operations]
- [Number of users/devices affected]

TIMELINE:
- When did it start?
- Was anything changed before it started?
- Intermittent or constant?

3. Common Issue: Live Logs "No Data Available"

3.1. Symptom

When viewing an endpoint in Live Logs or Reports on the PAN, ISE shows:

No data available for this record. Either the data is purged or authentication
for this session record happened a week ago. Or if this is an 'PassiveID' or
'PassiveID Visibility' session, it will not have authentication details on ISE
but only the session.

3.2. Data to Collect

3.2.1. ISE Version and Patch

# Via CLI
ssh ise-01
show version

# Via API
netapi ise api-call openapi GET '/api/v1/deployment/version' | jq .

3.2.2. MnT Database Status

# Check MnT service status
ssh ise-01
show application status ise | grep -i mnt

# Check database space
show mnt-report-data-status

3.2.3. Data Purge Settings

# Via GUI: Administration > System > Maintenance > Data Purge
# Document current settings:
# - RADIUS Live Session retention: X days
# - RADIUS Authentication retention: X days
# - Authorization retention: X days

3.2.4. Endpoint Details

# Get endpoint info
netapi ise ers endpoint get-by-mac <MAC_ADDRESS> | jq .

# Check if endpoint exists in database
netapi ise dc query "SELECT * FROM ENDPOINTS WHERE mac_address = '<MAC_ADDRESS>'"

3.2.5. Recent Authentication Attempts

# Check DataConnect for recent auths (last 48 hours)
netapi ise dc query "
SELECT USERNAME, ENDPOINT_MAC_ADDRESS, AUTHENTICATION_STATUS,
       POLICY_SET_NAME, TIMESTAMP_TIMEZONE
FROM RADIUS_AUTHENTICATIONS
WHERE ENDPOINT_MAC_ADDRESS = '<MAC_ADDRESS>'
  AND TIMESTAMP_TIMEZONE > SYSDATE - 2
ORDER BY TIMESTAMP_TIMEZONE DESC
FETCH FIRST 10 ROWS ONLY
"

3.2.6. Live Logs vs DataConnect Comparison

# What Live Logs shows (GUI screenshot)
# What DataConnect returns (API query above)
# Note any discrepancy

3.2.7. Support Bundle

# Generate support bundle (backup-logs takes the bundle name before "repository")
ssh ise-01
backup-logs <BUNDLE_NAME> repository <REPO_NAME> encryption-key plain <PASSWORD>

# Or via GUI: Operations > Troubleshoot > Download Logs > Support Bundle

3.3. Possible Root Causes

Cause                Symptoms                            Solution
-------------------  ----------------------------------  ----------------------------------------
Data purged          Old sessions show "no data"         Check purge settings, increase retention
PassiveID session    Session exists but no auth details  Expected behavior for PassiveID
MnT sync issue       Recent auths not visible            Check MnT service, restart if needed
Database corruption  Random "no data" errors             TAC escalation required
Time sync issue      Timestamps mismatched               Fix NTP on ISE nodes
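
To separate the "data purged" cause from an MnT gap, it helps to see which days DataConnect still holds records for. The query below is an added example, not part of the original page; it uses only the RADIUS_AUTHENTICATIONS columns shown in the queries on this page, and the 30-day window is an assumption that should be set longer than the configured retention. Pass it to netapi ise dc query in the same way as the query in 3.2.5.

```sql
-- Added example: per-day record counts, overall and for the affected endpoint.
-- <MAC_ADDRESS> is a placeholder; 30 is an assumed look-back in days.
SELECT TRUNC(CAST(TIMESTAMP_TIMEZONE AS DATE)) AS AUTH_DAY,
       COUNT(*)                                AS ALL_AUTHS,
       SUM(CASE WHEN ENDPOINT_MAC_ADDRESS = '<MAC_ADDRESS>'
                THEN 1 ELSE 0 END)             AS ENDPOINT_AUTHS,
       SUM(CASE WHEN AUTHENTICATION_STATUS = 'Failed'
                THEN 1 ELSE 0 END)             AS FAILED_AUTHS
FROM RADIUS_AUTHENTICATIONS
WHERE TIMESTAMP_TIMEZONE > SYSDATE - 30
GROUP BY TRUNC(CAST(TIMESTAMP_TIMEZONE AS DATE))
ORDER BY AUTH_DAY DESC
```

Rows that stop at a day boundary matching the retention setting suggest the record was purged, while missing or thin days inside the retention window point toward MnT. ENDPOINT_AUTHS of 0 on days where ALL_AUTHS looks normal suggests the endpoint itself did not authenticate.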

3.4. TAC Questions to Expect

  1. Is this for all endpoints or specific ones?

  2. What is the authentication method? (802.1X, MAB, etc.)

  3. Is the endpoint authenticating to primary or secondary PSN?

  4. What does the switch RADIUS accounting show?

  5. Is there a load balancer between NAD and ISE?

4. Other Common ISE TAC Issues

4.1. Certificate Trust Issues

# List trusted certs
netapi ise api-call openapi GET '/api/v1/certs/trusted-certificate?size=100' | jq '.response[].friendlyName'

# Check specific cert
netapi ise api-call openapi GET '/api/v1/certs/trusted-certificate/id/<ID>' | jq .

4.2. AD Join Issues

# Check AD status
ssh ise-01
show running-config | section identity-store-ad

# Test AD connectivity
test aaa group radius identity <AD_JOIN_POINT> <USERNAME> <PASSWORD>

4.3. RADIUS Authentication Failures

# Recent failures
netapi ise dc query "
SELECT USERNAME, ENDPOINT_MAC_ADDRESS, FAILURE_REASON, POLICY_SET_NAME
FROM RADIUS_AUTHENTICATIONS
WHERE AUTHENTICATION_STATUS = 'Failed'
  AND TIMESTAMP_TIMEZONE > SYSDATE - 1
ORDER BY TIMESTAMP_TIMEZONE DESC
FETCH FIRST 20 ROWS ONLY
"
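
For the IMPACT and TIMELINE fields of the problem statement, the same table can be aggregated rather than listed row by row. The query below is an added example, not part of the original page; it uses only columns that appear in the queries above and is passed to netapi ise dc query in the same way.

```sql
-- Added example: scope of failures in the last 24 hours,
-- grouped by failure reason and policy set.
SELECT FAILURE_REASON,
       POLICY_SET_NAME,
       COUNT(*)                             AS FAILED_ATTEMPTS,
       COUNT(DISTINCT ENDPOINT_MAC_ADDRESS) AS ENDPOINTS_AFFECTED,
       COUNT(DISTINCT USERNAME)             AS USERS_AFFECTED,
       MIN(TIMESTAMP_TIMEZONE)              AS FIRST_SEEN,
       MAX(TIMESTAMP_TIMEZONE)              AS LAST_SEEN
FROM RADIUS_AUTHENTICATIONS
WHERE AUTHENTICATION_STATUS = 'Failed'
  AND TIMESTAMP_TIMEZONE > SYSDATE - 1
GROUP BY FAILURE_REASON, POLICY_SET_NAME
ORDER BY FAILED_ATTEMPTS DESC
FETCH FIRST 20 ROWS ONLY
```

ENDPOINTS_AFFECTED and USERS_AFFECTED answer whether the issue hits all endpoints or specific ones, and FIRST_SEEN gives a start time to compare against recent changes.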

5. TAC Contact Information

Channel      Details
-----------  -------------------------------------------------------
Web          mycase.cloudapps.cisco.com/
Phone        1-800-553-2447 (US/Canada)
Severity     S1 (network down), S2 (degraded), S3 (minor), S4 (info)
Contract ID  Check Smart Account

6. Case Follow-Up Template

TAC Case: SR xxxxxxxxxx

STATUS UPDATE:
- [What we tried]
- [Results]
- [New information]

QUESTIONS:
1. [Question 1]
2. [Question 2]

ATTACHMENTS:
- support_bundle_YYYYMMDD.tar.gz
- screenshot_live_logs.png
- debug_logs.txt

7. Quick Reference

Task                Command
------------------  ----------------------------------------------------------------
ISE version         show version or netapi ise api-call openapi GET '/api/v1/deployment/version'
MnT status          show application status ise | grep mnt
Recent auths (48h)  netapi ise dc query "SELECT … FROM RADIUS_AUTHENTICATIONS WHERE TIMESTAMP_TIMEZONE > SYSDATE - 2"
Endpoint lookup     netapi ise ers endpoint get-by-mac <MAC>
Support bundle      backup-logs <NAME> repository <REPO> encryption-key plain <PASS>