Troubleshoot User Control

If you notice unexpected user rule behavior, consider tuning your rule, identity source, or realm configurations. For other related troubleshooting information, see:

Rules targeting realms, users, or user groups are not matching traffic

If you configure a TS Agent or ISE/ISE-PIC device to monitor a large number of user groups, or if you have a very large number of users mapped to hosts on your network, the system may drop user records due to your Cisco Defense Orchestrator user limit. As a result, rules with user conditions may not match traffic as expected.

Rules targeting user groups or users within user groups are not matching traffic as expected

If you configure a rule with a user group condition, your LDAP or Active Directory server must have user groups configured. The system cannot perform user group control if the server organizes its users in a basic object hierarchy rather than in groups.

Rules targeting users in secondary groups are not matching traffic as expected

If you configure a rule with a user group condition that includes or excludes users who are members of a secondary group on your Active Directory server, your server may be limiting the number of users it reports.

By default, Active Directory servers limit the number of users they report from secondary groups. You must customize this limit so that all of the users in your secondary groups are reported to the Cisco Defense Orchestrator and eligible for use in rules with user conditions.
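The truncation described above is visible in the LDAP responses themselves: when a multivalued attribute such as the group's member list exceeds the server's per-query limit, Active Directory returns it under a ranged attribute name (for example member;range=0-1499) and marks the final chunk with an asterisk. The following added example (not Cisco's code, and not part of this guide) shows how to detect that truncation in a search result and how to follow the range markers until the full membership is retrieved. The search() callable, the simulated directory, and the example group DN are constructed for illustration; in practice search() would wrap your own LDAP client.

```python
import re

# Matches Active Directory ranged attribute names such as "member;range=0-1499"
# (a partial chunk) or "member;range=1500-*" (the final chunk).
_RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$", re.IGNORECASE)


def ranged_attribute_status(entry: dict, attr: str = "member") -> dict:
    """Inspect one LDAP entry (attribute name -> list of values) and report whether
    the server truncated `attr` using ranged retrieval.

    Returns: values received for `attr`, whether more values remain on the server,
    and the attribute name to request next ("attr;range=N-*") when they do.
    """
    values = list(entry.get(attr, []))
    truncated, next_range = False, None
    for name, vals in entry.items():
        m = _RANGE_RE.match(name)
        if not m or m.group("attr").lower() != attr.lower():
            continue
        values.extend(vals)
        hi = m.group("hi")
        if hi != "*":
            # Partial chunk: the server has more values starting at hi + 1.
            truncated = True
            next_range = f"{attr};range={int(hi) + 1}-*"
    return {"values": values, "truncated": truncated, "next_range": next_range}


def collect_all_members(search, group_dn: str, attr: str = "member") -> list:
    """Retrieve the complete member list by following AD range markers.

    `search(dn, attribute_name)` is caller-supplied (assumed here) and must return the
    entry dict the directory sends back when `attribute_name` is requested for `dn`.
    """
    members, request = [], attr
    while True:
        status = ranged_attribute_status(search(group_dn, request), attr)
        members.extend(status["values"])
        if not status["truncated"]:
            return members
        request = status["next_range"]


def make_simulated_directory(total_members: int, max_val_range: int = 1500):
    """Constructed stand-in for a domain controller holding one group.

    It mimics the ranged-retrieval behaviour: at most `max_val_range` values per
    response, partial chunks named "member;range=lo-hi", final chunk "member;range=lo-*".
    """
    all_members = [f"CN=user{i},OU=Users,DC=example,DC=test" for i in range(total_members)]

    def search(dn: str, attribute_name: str) -> dict:
        base = attribute_name.split(";")[0]
        m = _RANGE_RE.match(attribute_name)
        lo = int(m.group("lo")) if m else 0
        remaining = total_members - lo
        if m is None and remaining <= max_val_range:
            return {base: all_members}  # everything fits: no range marker at all
        if remaining <= max_val_range:
            return {f"{base};range={lo}-*": all_members[lo:]}  # final chunk
        hi = lo + max_val_range - 1
        return {f"{base};range={lo}-{hi}": all_members[lo:hi + 1]}

    return search


if __name__ == "__main__":
    search = make_simulated_directory(3200)
    first = ranged_attribute_status(search("CN=Engineering,OU=Groups,DC=example,DC=test", "member"))
    print("truncated:", first["truncated"], "next request:", first["next_range"])
    print("members collected:", len(collect_all_members(search, "CN=Engineering,OU=Groups,DC=example,DC=test")))
```

If the first response for a large group already carries a range marker, the server limit is in effect; a client that reads only the plain attribute (or only the first chunk) will see a partial membership, which is the symptom the section above describes.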

Rules are not matching users when seen for the first time

After the system detects activity from a previously unseen user, the system retrieves information about that user from the server. Until the system successfully retrieves this information, activity from this user is not handled by the rules that would otherwise match it. Instead, the user session is handled by the next rule it matches (or the policy's default action, if applicable).

For example, this might explain when:

  • Users who are members of user groups are not matching rules with user group conditions.

  • Users who were reported by a TS Agent or ISE/ISE-PIC device are not matching rules, when the server used for user data retrieval is an Active Directory server.

Note that this might also cause the system to delay the display of user data in event views and analysis tools.

Rules are not matching all ISE users

This is expected behavior. You can perform user control on ISE users who were authenticated by an Active Directory domain controller. You cannot perform user control on ISE users who were authenticated by an LDAP, RADIUS, or RSA domain controller.

Rules are not matching all ISE/ISE-PIC users

This is expected behavior. You can perform user control on ISE/ISE-PIC users who were authenticated by an Active Directory domain controller. You cannot perform user control on ISE/ISE-PIC users who were authenticated by an LDAP, RADIUS, or RSA domain controller.

Users and groups using too much memory

If processing users and groups is using too much memory, health alerts are displayed. Remember that all user sessions are propagated to all devices managed by the CDO. If your CDO manages devices with different amounts of memory, the device with the least amount of memory determines the number of user sessions the system can handle without errors.

If issues persist, you have the following options:

  • Segregate lower capacity managed devices on subnets and configure ISE/ISE-PIC to not report passive authentication data to those subnets.

    See the chapter on managing network devices in the Cisco Identity Services Engine Administrator Guide.

  • Unsubscribe from Security Group Tags (SGTs).

    For more information, see Configure ISE/ISE-PIC for User Control.

  • Upgrade your managed device to a model with more memory.