https://community.cisco.com/t5/network-access-control/monitoring-nac/m-p/3479390#M526582 <HTML><HEAD></HEAD><BODY><P>I am making the assumption that "user ports" is referring to switch port configuration, or the ports on the network access device.&nbsp; TACACS configuration on switch should be covered in the switch docs.&nbsp; For example, to configure TACACS+ on a Catalyst 3850, you can quickly get links from Cisco.com search, or Google, example: <A href="http://lmgtfy.com/?q=catalyst+3850+TACACS" title="http://lmgtfy.com/?q=catalyst+3850+TACACS">LMGTFY</A></P><P></P><P>For ISE configuration of T+, this is covered in ISE documentation.&nbsp; Example: <A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_01000.html" title="https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_01000.html">Cisco Identity Services Engine Administrator Guide, Release 2.3 - Control Device Administration Using TACACS+ [Cisco I…</A></P><P></P><P>ISE does log and provide reports based on TACACS+ or RADIUS events for device admin access, but ISE does not <EM>alarm </EM>on these events.&nbsp; This is more of the realm of the network device management system.&nbsp;&nbsp; It is possible to generate SNMP traps from switches when config is changed:</P><P><A href="https://www.petri.com/notified-cisco-router-configuration-change" title="https://www.petri.com/notified-cisco-router-configuration-change">https://www.petri.com/notified-cisco-router-configuration-change</A></P><P><A href="https://supportforums.cisco.com/t5/network-management/config-management-snmp-trap/td-p/1955634" title="https://supportforums.cisco.com/t5/network-management/config-management-snmp-trap/td-p/1955634">Config Management SNMP Trap - Cisco Support Community</A></P><P></P><P>Your SNMP Management system can then generate the desired alert.</P><P></P><P>Craig</P></BODY></HTML> Wed, 20 Sep 2017 21:01:33 GMT Craig Hyps 2017-09-20T21:01:33Z https://community.cisco.com/t5/network-access-control/monitoring-nac/m-p/3479387#M526577 <HTML><HEAD></HEAD><BODY><P>What is the best practice/process to make sure someone does not inadvertently remove the NAC configuration from a user port? Is there a method to monitor the ports set up for NAC and alert if they are changed? </P></BODY></HTML> Tue, 19 Sep 2017 07:55:42 GMT https://community.cisco.com/t5/network-access-control/monitoring-nac/m-p/3479387#M526577 ashvaras 2017-09-19T07:55:42Z https://community.cisco.com/t5/network-access-control/monitoring-nac/m-p/3479388#M526579 <HTML><HEAD></HEAD><BODY><P>TACACS with command authorization and accounting will 1) validate user authorized to make change, 2) Log changes by command by admin.</P><P></P><P>Craig</P></BODY></HTML> Tue, 19 Sep 2017 17:21:48 GMT https://community.cisco.com/t5/network-access-control/monitoring-nac/m-p/3479388#M526579 Craig Hyps 2017-09-19T17:21:48Z https://community.cisco.com/t5/network-access-control/monitoring-nac/m-p/3479389#M526581 <HTML><HEAD></HEAD><BODY><P>hmmmm-So is there documentation or any more detail on how to do this? And also if I understand correctly you are saying there is no ability to alert on a configuration change?</P></BODY></HTML> Wed, 20 Sep 2017 20:11:12 GMT https://community.cisco.com/t5/network-access-control/monitoring-nac/m-p/3479389#M526581 ashvaras 2017-09-20T20:11:12Z https://community.cisco.com/t5/network-access-control/monitoring-nac/m-p/3479390#M526582 <HTML><HEAD></HEAD><BODY><P>I am making the assumption that "user ports" is referring to switch port configuration, or the ports on the network access device.&nbsp; TACACS configuration on switch should be covered in the switch docs.&nbsp; For example, to configure TACACS+ on a Catalyst 3850, you can quickly get links from Cisco.com search, or Google, example: <A href="http://lmgtfy.com/?q=catalyst+3850+TACACS" title="http://lmgtfy.com/?q=catalyst+3850+TACACS">LMGTFY</A></P><P></P><P>For ISE configuration of T+, this is covered in ISE documentation.&nbsp; Example: <A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_01000.html" title="https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_01000.html">Cisco Identity Services Engine Administrator Guide, Release 2.3 - Control Device Administration Using TACACS+ [Cisco I…</A></P><P></P><P>ISE does log and provide reports based on TACACS+ or RADIUS events for device admin access, but ISE does not <EM>alarm </EM>on these events.&nbsp; This is more of the realm of the network device management system.&nbsp;&nbsp; It is possible to generate SNMP traps from switches when config is changed:</P><P><A href="https://www.petri.com/notified-cisco-router-configuration-change" title="https://www.petri.com/notified-cisco-router-configuration-change">https://www.petri.com/notified-cisco-router-configuration-change</A></P><P><A href="https://supportforums.cisco.com/t5/network-management/config-management-snmp-trap/td-p/1955634" title="https://supportforums.cisco.com/t5/network-management/config-management-snmp-trap/td-p/1955634">Config Management SNMP Trap - Cisco Support Community</A></P><P></P><P>Your SNMP Management system can then generate the desired alert.</P><P></P><P>Craig</P></BODY></HTML> Wed, 20 Sep 2017 21:01:33 GMT https://community.cisco.com/t5/network-access-control/monitoring-nac/m-p/3479390#M526582 Craig Hyps 2017-09-20T21:01:33Z https://community.cisco.com/t5/network-access-control/monitoring-nac/m-p/3479391#M526585 <HTML><HEAD></HEAD><BODY><P>ISE does not manage configurations of network devices. Please look for others, such as Cisco Prime Infrastructure -- <A href="https://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/3-1-5/user/guide/pi_ug/chgdevconfig.html#91391">Comparing Current and Previous Device Configurations</A></P></BODY></HTML> Wed, 20 Sep 2017 21:03:13 GMT https://community.cisco.com/t5/network-access-control/monitoring-nac/m-p/3479391#M526585 hslai 2017-09-20T21:03:13Z