Security

 View Only
Back to discussions
Expand all | Collapse all

Missing switchentries in Insight reports

This thread has been viewed 5 times

  • 1.  Missing switchentries in Insight reports

    Posted Jun 03, 2025 04:24 AM

    Hi,

    Seem to have a small issue with insight generated reports 

    I've been rolling NAC out over a multi site  enterprise network and have relied heavily of report contents to identify how a client device is treated based upon what we know about it. In phase 1 a client either remains in the switch port staticaly assigned vlan or is moved to a DUR driven captive portal vlan.

    Switches are members of either a "monitor mode group" or a "live mode group. Switch config is identical  in both cases so "going live" simply means moving a switch from 1 group to another.

    Multiple cppm services exist wirth two versions , 1 with work live in name, the other with work monitor in name.

    Switches have  a naming convention that uniquely identifies each switch, <prefixdown to physical location><switchno>

    When creating reports I have a live report and a monitor mode report.

    A monitor report has selection criteria of 

    NAS-Identifier Starts  <switch prefix>

    AND

    Authentication Contains "Monitor"

    While. a live report contains  above but authentication Contains "live"

    Rest of reports config are identical.

    Tested the above on small sites  ( up to 30-40 switches ) and everything worked.

    So i could

    • run a monitor report
    • check which clients got. dropped into captive portal
    • Fix them
    • Repeat until none
    • Go live 

    And it all worked ...... except ........

    We discovered that at 1 site with 100's of managed switchs/stacks some switches didnt appear in the reports, we went live and. unknown devices swere pushed into the captive portal.

    Generating reports covering smaller numbers of. switches didnt seem to make a difference

    As each site also had a different managment IP address scope, I changed the selection criteria to be NAS-IP-Address = <Ip address subnet>

    and. even covering the whole site extra switches appeared in the reports 

    As far as i can see, no errors were generated  when creating the reports. Even moved the report schedule for this specific site to a different time from other reports ..still the same.

    Only seems to affect big sites. All reports return a sweeks worth of auth data that cppm sees. 

    Any way we can see if there are any errors renerated for a switch report? 



Related Content