CCIE Security Lab: Troubleshooting ISE

Troubleshooting ISE, or just trying to remember what commands need to be put where, is actually REALLY easy.

ISE does it all for you, you just need to tell it to do so.
The Operations menu has a sub-menu, for troubleshooting. In there are some troubleshooting tools. One of these is the “Evaluate Configuration Validator”. It’s under general tools:

Troubleshooting ISE - configuration validation

You tell it what device to query, and what options you want to validate, and it goes away and tries to connect:

ISE Troubleshooting configuration validation

We need to put in the username and password, along with the enable password:

ISE Troubleshooting configuration validation

Once we have put these in, it goes and queries the device:

ISE Troubleshooting configuration validation
 As you can see, I first tried to connect using SSH but then corrected this to telnet, and it did its thing. We then need to tell it what ports we are interested in:
ISE Troubleshooting configuration validation

Once we have done this, we get a nice little report:

ISE Troubleshooting configuration validation

We click on “Show Results Summary” and get this:

ISE Troubleshooting configuration validation

Lots of red there!

Drilling down into each of these we can see exactly what we are missing for the AAA global configuration:

ISE Troubleshooting configuration validation

For RADIUS:

ISE Troubleshooting configuration validation

For Device Discovery:

ISE Troubleshooting configuration validation

Logging:

ISE Troubleshooting configuration validation

The profiler:

ISE Troubleshooting configuration validation

Web Auth:

ISE Troubleshooting configuration validation

CTS:

ISE Troubleshooting configuration validation

And the interfaces, which have a couple of sections:

ISE Troubleshooting configuration validation
ISE Troubleshooting configuration validation

As you can see, I have a bit of work that I need to do, but this tool will be a life-saver for troubleshooting ISE in the lab exam! All you need to do is point ISE at the device and do the config validator.

Many of the missing commands can be pasted on to the device without modification. Others need a little tweaking but are all very self-explanatory. This will certainly make the lab exam a little smoother, especially as we can see which commands are mandatory (by the orange circle). We won’t need ALL of the commands, and some are not valid on different platforms.

Just so long as Cisco don’t remove this tool in the lab, this will make life a whole lot easier, and the exam a little less stressful.