Cisco ISE

Cisco Identity Services Engine (ISE) allows for identity management across diverse devices and applications. You can configure Cisco ISE to send VPN data to InsightIDR for visibility into users' remote network ingress activity.

To set up Cisco ISE you’ll need to:

  1. Configure Cisco ISE to send data to your Collector.
  2. Set up the Cisco ISE in InsightIDR.
  3. Verify the configuration works.

Configure Cisco ISE to send logs to InsightIDR

To enable InsightIDR to receive data from your Cisco ISE remote system logging, complete these steps:

Task 1: Configure a remote logging target in Cisco ISE

  1. Log in to your Cisco ISE Administration Interface.
  2. From the navigation menu, select Administration > System > Logging > Remote Logging Targets.
  3. Click Add, and then configure the following parameters:

Option

Description

Name

Type a unique name for the remote target system.

Description

You can uniquely identify the target system for users.

IP Address

Enter the IP address of your InsightIDR collector.

Port

Enter the port value that you specified in your Cisco ISE log source for InsightIDR.

Facility Code

From the Facility Code list, select the syslog facility to use for logging events.

Maximum Length

Type 1024 as the maximum packet length allowed for the UDP syslog message.

  1. Click Submit.

Task 2: Add the new target to your desired logging categories

  1. Select Administration > System > Logging > Logging Categories.
  2. Click the radio button next to the category that you want to edit, and click Edit.
  3. Add the target that you created in the previous section to the following categories. These are default log collection settings and can be modified as needed:
    • AAA Audit
      • Failed Attempts
      • Passed Authentications
    • AAA Diagnostics
      • Administrator Authentication and Authorization
      • Authentication Flow Diagnostics
      • Identity Stores Diagnostics
      • Policy Diagnostics
      • RADIUS Diagnostics
    • Accounting
    • External MDM
    • Passive ID
    • Posture and Client Provisioning Audit
    • Posture and Client Provisioning Diagnostics
    • Profiler
    • Administrative and Operational Audit
    • System Diagnostics
    • System Statistics
  4. Click Save.
  5. Go to the Logging Categories page and verify the configuration changes that were made to the specific categories.

For more information, see "Logging Mechanism" section of the Cisco Identity Services Engine Administrator Guide.

Set Up Cisco ISE in InsightIDR

  1. From your dashboard, select Data Collection from the left hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Security Data” section, click the VPN icon. The “Add Event Source” panel appears.
  4. Click Cisco ISE.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unparsed logs.
  7. Select an attribution source.
  8. Optionally configure inactivity timeout threshold in minutes.
  9. Configure your default domain and any advanced settings.
  10. Select syslog as your collection method and specify the port and protocol you identified during Cisco ISE configuration.
  11. Optionally choose to Encrypt the event source if choosing TCP by downloading the Rapid7 Certificate.
  12. Click the Save button.

Attribution source options

Cisco ISE product logs can contain information about hosts and accounts. When setting up Cisco ISE as an event source, you will have the ability to specify the following attribution options:

  1. Use IDR engine if possible; if not, use event log

By selecting this option, the InsightIDR attribution engine will perform attribution using the source address present in the log lines. If it's unable to resolve assets or accounts using the source address, it will use the assets or accounts present in the log lines, if any.

  1. Use event log if possible; if not, use IDR engine

By selecting this option, attribution will be done using the assets and accounts present in the log lines. If no assets or accounts are present in the log lines, the InsightIDR attribution engine will perform attribution using the source address present in the log lines.

  1. Use IDR engine only

By selecting this option, the InsightIDR attribution engine will perform the attribution using the source address present in the log lines, ignoring any assets and accounts present in the log lines.

  1. Use event log only

By selecting this option, attribution will be done using the assets and accounts present in the log lines, ignoring the source address.

Verify the Configuration

Complete the following steps to view your logs and ensure events are making it to the Collector.

  1. On the new event source that was just created, click the View Raw Log button. If you see log messages in the box, then this shows that logs are flowing to the Collector.
  2. Next, click Log Search in the left menu. Select the applicable Log Sets and the Log Names within them. The Log Name will be the event source name or “Cisco ISE” if you did not name the event source. Cisco ISE logs flow into the following log sets:
    • Ingress Authentication
    • Firewall Activity

Logs take a minimum of 7 minutes to appear in Log Search

Please note that logs take at least 7 minutes to appear in Log Search after you set up the event source. If you see log messages when you select View Raw Log on the event source but do not see any log messages in Log Search after waiting for a few minutes for them to appear, then your logs do not match the recommended format and type for this event source.

Sample Logs

The following are log samples that Cisco ISE sends to InsightIDR.

Ingress Authentication (VPN)

 
1
Jun 26 11:32:07 RPD7HOST CISE_RADIUS_Accounting 0038030740 2 0 2020-06-26 11:32:07.519 -04:00 0527431588 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ACSVersion=acs-5.7.0.15-B.257.x86_64, ConfigVersionId=176, Device IP Address=122.68.12.10, DestinationIPAddress=10.8.32.51, DestinationPort=1813, RequestLatency=1, User-Name=mtwain, NAS-IP-Address=122.68.12.10, NAS-Port=2, Framed-IP-Address=10.125.3.20, Class=CACS:ushosmacs03/260356379/9200817, Called-Station-ID=122.68.12.10, Calling-Station-ID=10.125.3.20, NAS-Identifier=demomo-wlc01, Acct-Status-Type=Start, Acct-Session-Id=57ba421c/9c:fc:01:eb:31:50/35306, Acct-Authentic=RADIUS, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 30, cisco-av-pair=audit-session-id=0a637d0a00012f7b1a42ba57, Airespace-Wlan-Id=1, AcsSessionID=USRCSMACS04/250984979/32907000, Step=11004 , Step=11017 , Step=15008 , Step=15004 , Step=15012 , Step=22079 , Step=11005 , NetworkDeviceName=DEMOMO-WLC01";
2
Ingress Authentication (VPN)
3
Jun 26 11:32:07 RPD7HOST CISE_RADIUS_Accounting 0173168007 2 0 2020-06-26 11:32:07.519 -04:00 1716674385 3001 NOTICE Radius-Accounting: RADIUS Accounting stop request, ACSVersion=acs-5.7.0.15-B.257.x86_64, ConfigVersionId=47, Device IP Address=162.48.4.12, DestinationIPAddress=10.115.6.51, DestinationPort=1813, RequestLatency=0, User-Name=mtwain, NAS-IP-Address=162.48.4.12, NAS-Port=1, Framed-IP-Address=10.148.15.45, Class=CACS:KRDCSMACS05/254262891/120113033, Called-Station-ID=74-a2-e6-c7-4b-20, Calling-Station-ID=84-a1-34-d0-36-05, NAS-Identifier=Cisco_c7:4b:24, Acct-Status-Type=Stop, Acct-Delay-Time=0, Acct-Input-Octets=70779, Acct-Output-Octets=161620, Acct-Session-Id=57ba5e51/84:a1:34:d0:36:05/28561, Acct-Authentic=RADIUS, Acct-Session-Time=3274, Acct-Input-Packets=471, Acct-Output-Packets=367, Acct-Terminate-Cause=Idle Timeout, attribute-52=00:00:00:00, attribute-53=00:00:00:00, Event-Timestamp=1471834908, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN";
4
Jun 26 11:32:07 RPD7HOST CISE_RADIUS_Accounting 0173168014 2 0 2020-06-26 11:32:07.519 -04:00 1716674482 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, ACSVersion=acs-5.7.0.15-B.257.x86_64, ConfigVersionId=47, Device IP Address=10.3.0.20, DestinationIPAddress=10.115.6.51, DestinationPort=1813, RequestLatency=0, User-Name=mtwain, NAS-IP-Address=10.3.0.20, NAS-Port=1, Framed-IP-Address=10.3.17.20, Called-Station-ID=10.3.0.20, Calling-Station-ID=10.3.17.20, NAS-Identifier=Knox_Plant, Acct-Status-Type=Interim-Update, Acct-Delay-Time=0, Acct-Input-Octets=5803226, Acct-Output-Octets=2622839, Acct-Session-Id=57b8a71a/00:17:23:0c:80:10/1415, Acct-Authentic=Remote, Acct-Session-Time=141421, Acct-Input-Packets=46062, Acct-Output-Packets=17322, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 2, cisco-av-pair=nas-update=true, Airespace-Wlan-Id=2, AcsSessionID=KRDCSMACS05/254262891/120118472, Step=11004 , Step=11017 , Step=15008 , Step=15004";

Firewall Activity (Passed Authentication)

 
1
Jun 25 15:46:23 RPD7HOST CISE_Passed_Authentications 0000556184 1 0 2020-06-25 15:46:23.961 -07:00 0002321066 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=10, Device IP Address=10.64.120.4, DestinationIPAddress=10.8.40.47, DestinationPort=1812, UserName=hfinn, Protocol=Radius, RequestLatency=14, NetworkDeviceName=BR120-SW, User-Name=hfinn NAS-IP-Address=10.64.120.4, NAS-Port=50126, Service-Type=Call Check, Framed-MTU=1472, Calling-Station-ID=FC-3F-DB-4D-69-A2, NAS-Identifier=BR120-SW1, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet1/0/26, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=0478400A0001E0FEF3C90EFB, cisco-av-pair=method=mab, OriginalUserName=hfinn, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, IsThirdPartyDeviceFlow=false, RadiusFlowType=WiredMAB, AcsSessionID=PRXPISE01W/373955389/136606, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=WIRED-PERMIT, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Profiled:HP-Device, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15041, Step=15013, Step=24209, Step=24211, Step=22037, Step=24715, Step=15036, Step=15048, Step=15048, Step=15048, Step=15016, Step=11022, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, AuthenticationStatus=AuthenticationPassed, NetworkDeviceGroups=Location#All Locations#RTL - Woodland Hills, NetworkDeviceGroups=Device Type#All Device Types#Switches, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, IdentityPolicyMatchedRule=Default, AuthorizationPolicyMatchedRule=Printers, UserType=Host, CPMSessionID=0478400A0001E0FEF3C90EFB, EndPointMACAddress=FC-3F-DB-4D-69-A2, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=HP-LaserJet-Printer, DeviceRegistrationStatus=notRegistered, ISEPolicySetName=Wired MAB, IdentitySelectionMatchedRule=Default, StepData=5= Normalised Radius.RadiusFlowType, StepData=6= Radius.NAS-Port-Type, StepData=7= DEVICE.Device Type, StepData=9=Internal Endpoints, StepData=15= EndPoints.AnomalousBehaviour, StepData=16= EndPoints.EndPointPolicy, StepData=17= EndPoints.LogicalProfile, allowEasyWiredSession=false, DTLSSupport=Unknown, HostIdentityGroup=Endpoint Identity Groups:Profiled:HP-Device, Network Device Profile=Cisco, Location=Location#All Locations#RTL - Woodland Hills, Device Type=Device Type#All Device Types#Switches, IPSEC=IPSEC#Is IPSEC Device#No, LogicalProfile=3b8d49f0-8c01-11e6-996c-525400b48521, LogicalProfile=b9e45830-1c19-11e8-b9c2-6cb2ae989650, EndPointPolicy=74bff490-51ce-11e8-b9c2-6cb2ae989650, EndPointPolicy=29473540-8c00-11e6-996c-525400b48521, EndPointPolicy=23d26b20-8c00-11e6-996c-525400b48521, Name=Endpoint Identity Groups:Profiled:HP-Device, Response={UserName=hfinn; User-Name=hfinn; State=ReauthSession:0478400A0001E0FEF3C90EFB; Class=CACS:0478400A0001E0FEF3C90EFB:PRXPISE01W/373955389/136606; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-WIRED-DOMAIN-USER-5a6269ae; cisco-av-pair=profile-name=HP-LaserJet-Printer; LicenseTypes=2051; }

Firewall Activity (Failed Attempts)

 
1
Jun 25 15:47:15 RPD7HOST CISE_Failed_Attempts 0000556788 1 0 2020-06-25 15:47:15.796 -07:00 0002322980 5400 NOTICE Failed-Attempt: Authentication failed, ConfigVersionId=10, Device IP Address=240.18.16.78, Device Port=5127, DestinationIPAddress=10.8.40.47, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=jfrost, Protocol=Radius, RequestLatency=7, NetworkDeviceName=SNA-ISE-SW, User-Name=jfrost, NAS-IP-Address=240.18.16.78, NAS-Port=50107, Service-Type=Framed, Framed-IP-Address=10.45.51.216, Framed-MTU=1472, State=37CPMSessionID=0F32280A000009533AB6EFE4\\;37SessionID=PRXPISE01W/373955389/136694\\;, Calling-Station-ID=84-B5-17-08-66-1E, NAS-Identifier=SNA-ISE-SW1, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet1/0/7, EAP-Key-Name=, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0F32280A000009533AB6EFE4, cisco-av-pair=method=dot1x, cisco-av-pair=vlan-id=0, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, IsThirdPartyDeviceFlow=false, RadiusFlowType=Wired802_1x, AcsSessionID=PRXPISE01W/373955389/136694, SelectedAccessService=EAP_TLS, FailureReason=12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12501, Step=12500, Step=12625, Step=11006, Step=11001, Step=11018, Step=12502, Step=12800, Step=12805, Step=12806, Step=12807, Step=12808, Step=12809, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12811, Step=12814, Step=12817, Step=12514, Step=12507, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=61025, Step=11504, Step=11003, NetworkDeviceGroups=Location#All Locations#3 MacArthur#Fifth Floor, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Device Type#All Device Types, EapAuthentication=EAP-TLS, OpenSSLErrorMessage=SSL alert: code=0x230=560 \\; source=local \\; type=fatal \\; message=\"Unknown CA - error unable to get issuer certificate locally\", OpenSSLErrorStack=  19132:error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed:s3_srvr.c:3411:, CPMSessionID=0F32280A000009533AB6EFE4, EndPointMACAddress=84-B5-17-08-66-1E, ISEPolicySetName=Wired DOT1X, StepData=4= DEVICE.Device Type, TLSCipher=unknown, TLSVersion=TLSv1.2, DTLSSupport=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#3 MacArthur#Fifth Floor, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No, Response={RadiusPacketType=AccessReject; },","custom_data":{}}        <181>Jun 25 15:47:15 PRXPISE01W CISE_Failed_Attempts 0000556788 1 0 2020-06-25 15:47:15.796 -07:00 0002322980 5400 NOTICE Failed-Attempt: Authentication failed, ConfigVersionId=10, Device IP Address=240.18.16.78, Device Port=5127, DestinationIPAddress=10.8.40.47, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=jfrost, Protocol=Radius, RequestLatency=7, NetworkDeviceName=SNA-ISE-SW, User-Name=jfrost, NAS-IP-Address=240.18.16.78, NAS-Port=50107, Service-Type=Framed, Framed-IP-Address=10.45.51.216, Framed-MTU=1472, State=37CPMSessionID=0F32280A000009533AB6EFE4\;37SessionID=PRXPISE01W/373955389/136694\;, Calling-Station-ID=84-B5-17-08-66-1E, NAS-Identifier=SNA-ISE-SW1, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet1/0/7, EAP-Key-Name=, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0F32280A000009533AB6EFE4, cisco-av-pair=method=dot1x, cisco-av-pair=vlan-id=0, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, IsThirdPartyDeviceFlow=false, RadiusFlowType=Wired802_1x, AcsSessionID=PRXPISE01W/373955389/136694, SelectedAccessService=EAP_TLS, FailureReason=12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12501, Step=12500, Step=12625, Step=11006, Step=11001, Step=11018, Step=12502, Step=12800, Step=12805, Step=12806, Step=12807, Step=12808, Step=12809, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12811, Step=12814, Step=12817, Step=12514, Step=12507, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=61025, Step=11504, Step=11003, NetworkDeviceGroups=Location#All Locations#3 MacArthur#Fifth Floor, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Device Type#All Device Types, EapAuthentication=EAP-TLS, OpenSSLErrorMessage=SSL alert: code=0x230=560 \; source=local \; type=fatal \; message="Unknown CA - error unable to get issuer certificate locally", OpenSSLErrorStack=  19132:error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed:s3_srvr.c:3411:, CPMSessionID=0F32280A000009533AB6EFE4, EndPointMACAddress=84-B5-17-08-66-1E, ISEPolicySetName=Wired DOT1X, StepData=4= DEVICE.Device Type, TLSCipher=unknown, TLSVersion=TLSv1.2, DTLSSupport=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#3 MacArthur#Fifth Floor, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No, Response={RadiusPacketType=AccessReject; }