topic Re: Question ISE logs in Network Access Control

Question ISE logs

cisco.13 — Fri, 25 Aug 2023 10:15:00 GMT

Hello Everybody,

Can you please tell me what the ISE/TACACS logs of my ASA device correspond to?
indeed, the "Username" is configured on both device (local username).

- Who initiates these requests?
- What is the "Username" used (that of ISE or ASA)?
- What are these requests for?
- Is there an impact if I delete the Username from ISE?

Example 1:
13013 Received TACACS+ Authentication START Request - AD
....
13015 Returned TACACS+ Authentication Reply

Request Type Authentication
Status Pass
Message Text Passed-Authentication: Authentication succeeded
Selected Authorization Profile admi_profile

Example 2 :
13005 Received TACACS+ Authorization Request - AD
...
13034 Returned TACACS+ Authorization Reply

Request Type Authorization
Status Pass
Message Text Device-Administration: Session Authorization succeeded
Shell Profile admi_profile
Matched Command Set
Command From Device

Example 3:
13005 Received TACACS+ Authorization Request - AD
...
13034 Returned TACACS+ Authorization Reply

Request Type Authorization
Status Pass
Matched Command Set adminprofile
Command From Device show vpn-sessiondb full anyconnect
Message Text Device-Administration: Command Authorization succeeded

Thank you very much

Re: Question ISE logs

balaji.bandi — Fri, 25 Aug 2023 10:29:25 GMT

Depends on how your AAA config, if the AAA prefered ISE and fall back local, then the user will be from ISE/AD - in this case Local user not valid.

if you look at the full log it will show you username where it authenticated.

Is there an impact if I delete the Username from ISE? - if this is normal user i do not see any impact.

Re: Question ISE logs

cisco.13 — Fri, 25 Aug 2023 11:36:36 GMT

Hello,
I think I expressed my need badly!
this is a local account configured on the ASA and on the ISE (for another another need)
ISE logs are present continuously (~every minute)

I see the command "show vpn-sessiondb full anyconnect" is executed by this account

Example 1:
13013 Received TACACS+ Authentication START Request - AD
....
13015 Returned TACACS+ Authentication Reply

Request Type Authentication
Status Pass
Message Text Passed-Authentication: Authentication succeeded
Selected Authorization Profile admi_profile

Example 2 :
13005 Received TACACS+ Authorization Request - AD
...
13034 Returned TACACS+ Authorization Reply

Request Type Authorization
Status Pass
Message Text Device-Administration: Session Authorization succeeded
Shell Profile admi_profile
Matched Command Set
Command From Device

Example 3:
13005 Received TACACS+ Authorization Request - AD
...
13034 Returned TACACS+ Authorization Reply

Request Type Authorization
Status Pass
Matched Command Set adminprofile
Command From Device show vpn-sessiondb full anyconnect
Message Text Device-Administration: Command Authorization succeeded

Thank you very much

Re: Question ISE logs

cisco.13 — Fri, 25 Aug 2023 12:04:16 GMT

in addition, I've just deleted the local account (MY_LOCAL_USERNAME) on the ASA device and I still see the Live Logs on ISE!

I do not understand these logs from the ISE received continuously

13005 Received TACACS+ Authorization Request - AD
15049 Evaluating Policy Group - MY_LOCAL_USERNAME
15008 Evaluating Service Selection Policy - aaa.domaine.local
15048 Queried PIP - domaine.local
15041 Evaluating Identity Policy
22072 Selected identity source sequence - ERROR_NO_SUCH_USER
15013 Selected Identity Source - AD
24432 Looking up user in Active Directory - AD
24325 Resolving identity - MY_LOCAL_USERNAME
24313 Search for matching accounts at join point - aaa.domaine.local
24318 No matching account found in forest - domaine.local
24322 Identity resolution detected no matching account
24352 Identity resolution failed - ERROR_NO_SUCH_USER
24412 User not found in Active Directory - AD
15013 Selected Identity Source - Internal Users
24210 Looking up User in Internal Users IDStore
24212 Found User in Internal Users IDStore
22037 Authentication Passed
15036 Evaluating Authorization Policy
24432 Looking up user in Active Directory
24325 Resolving identity
24313 Search for matching accounts at join point
24318 No matching account found in forest
24322 Identity resolution detected no matching account
24352 Identity resolution failed
24412 User not found in Active Directory
15048 Queried PIP - AD.ExternalGroups (2 times)
15048 Queried PIP - Network Access.UserName
15048 Queried PIP - IdentityGroup.Name
15018 Selected Command Set
13024 Command matched a Permit rule
13034 Returned TACACS+ Authorization Reply

Overview
Request Type Authorization
Status Pass
Session Key tacacs/478462371/124230950
Message Text Device-Administration: Command Authorization succeeded
Username MY_LOCAL_USERNAME
Authorization Policy ALL-DEVICES_Policy >> MY_Rule
Shell Profile
Matched Command Set My_admin15_tacacs_command_sets
Command From Device show vpn-sessiondb full anyconnect

Re: Question ISE logs

Rob Ingram — Fri, 25 Aug 2023 12:21:01 GMT

@cisco.13 you are using TACACS and each command is authorised by ISE, there will be an authorisation log entry for each command executed on the ASA.

Re: Question ISE logs

cisco.13 — Fri, 25 Aug 2023 12:40:43 GMT

Hello @Rob Ingram,

Thank you for your reply,

How to know who is executing these commands on the ASA (looks like it's an script/robot) ?
ex. show vpn-sessiondb full anyconnect,

No impact on the ASA/VPN service if I delete the account on ISE?

Thank you

Re: Question ISE logs

Rob Ingram — Fri, 25 Aug 2023 13:09:58 GMT

@cisco.13

24325 Resolving identity - MY_LOCAL_USERNAME is the username being authorised.

Why do you think this is a script?

If you delete the account on ISE then the user will fail to be authenticated and subsequently be unable to execute those commands.

Re: Question ISE logs

cisco.13 — Fri, 25 Aug 2023 13:14:34 GMT

@Rob Ingram

Indeed, the account "MY_LOCAL_USERNAME" is used for other needs and I am studying the impact on the ASA/VPN (and other device) if I delete this account following the request of the cyber team.

Why do you think this is a script? because I see live logs continuously on the ISE (~every minute) and I do not see in the logs the IP which executes commands (except the IP of the ASA)

THANKS

Re: Question ISE logs

Rob Ingram — Fri, 25 Aug 2023 13:23:06 GMT

@cisco.13 the "Network Device IP" address will be the IP address of the ASA, but the ISE TACACS logs will also have a "Remote Address" which will be the source of the connection (laptop, desktop or server).

If "show vpn-sessiondb full anyconnect" is the only command being logged every 1 minute by the same user, then yes it sounds like it might be a script.

If you delete/disable that account then that user account will be unable to authenticate and run that command.

Re: Question ISE logs

cisco.13 — Fri, 25 Aug 2023 15:48:30 GMT

@Rob Ingram

unfortunately "Remote Address" is a NAT IP! Is there a command to run on the ASA to get the details?

THANKS

Re: Question ISE logs

Rob Ingram — Fri, 25 Aug 2023 15:56:01 GMT

@cisco.13 "show xlate" for translations and "show conn" for connections.

Re: Question ISE logs

cisco.13 — Fri, 25 Aug 2023 17:44:11 GMT

Thank you @Rob Ingram

I don't see anything special, only syslog and F5 connections. I think it's the ASA itself that executes these commands, I don't know why! and I don't understand how he chose this username "MY_LOCAL_USERNAME" because I have several configured on the ISE/TACACS (not local username on ASA)

I also found:

show crypto ca certificates
show crypto ipsec stats
show vpn-sessiondb summary
show ssl mib 64
show vpn-sessiondb ra-ikev1-ipsec
show vpn-sessiondb detail full webvpn
show vpn-sessiondb anyconnect

Re: Question ISE logs

cisco.13 — Mon, 28 Aug 2023 16:49:51 GMT

Hello,

correction, logs appear every 5 minutes

Re: Question ISE logs

hslai — Fri, 01 Sep 2023 03:25:49 GMT

@cisco.13 Every 5 minutes is most likely from some monitoring system.

"show xlate" would not give you the info unless this ASA is the one performing the NAT for the end workstation.

Re: Question ISE logs

cisco.13 — Fri, 01 Sep 2023 09:05:03 GMT

Hello @hslai, yes, the ip was found in the logs, Thanks

Re: Question ISE logs

arslanbut9090 — Sun, 26 Nov 2023 23:58:51 GMT

The examples you provided are logs related to TACACS+ (Terminal Access Controller Access-Control System Plus) authentication and authorization on your ASA (Adaptive Security Appliance) device using ISE (Identity Services Engine). Here's a breakdown of the key points:

1. TACACS+ Authentication (Example 1):

Who Initiates: The ASA device initiates the TACACS+ Authentication Request to ISE.
Username Used: The "Username" used is the one configured on the ASA device.
Purpose: This is the initial step where the ASA requests authentication from ISE. The ASA sends an authentication request to ISE, and ISE replies with the status of the authentication (success or failure).

2. TACACS+ Authorization (Example 2):

Who Initiates: The ASA device initiates the TACACS+ Authorization Request to ISE.
Username Used: The "Username" used is the one configured on the ASA device.
Purpose: This is the authorization step where the ASA requests authorization for device administration from ISE. The ASA sends an authorization request to ISE, and ISE replies with the status of the authorization (success or failure).

3. TACACS+ Command Authorization (Example 3):

Who Initiates: The ASA device initiates the TACACS+ Authorization Request for a specific command to ISE.
Username Used: The "Username" used is the one configured on the ASA device.
Purpose: This is similar to Example 2 but specifically for command authorization. In this case, the ASA is seeking authorization for a specific command (show vpn-sessiondb full anyconnect). ISE replies with the status of the command authorization.

Impact of Deleting Username from ISE:

If you delete the "Username" from ISE that is configured on the ASA device, authentication and authorization may fail. Ensure that the user exists in ISE with the correct attributes and policies.

Recommendation:

Always review the logs for any failed attempts or errors.
Deleting a user in ISE should be done carefully to avoid service disruption.
Consult the Cisco ISE and ASA documentation for more detailed information on log interpretation and best practices.

Please note that the specific details might vary based on your network configuration and policies. Always refer to Cisco documentation or consult with your network administrator for accurate guidance.

Re: Question ISE logs

arslanbut9090 — Sat, 28 Sep 2024 11:46:30 GMT

The ISE/TACACS logs on your ASA device provide insights into user authentication and authorization processes. Requests are initiated by the ASA when a user tries to access it, using the local username configured on the ASA for authentication against ISE. Successful authentication and authorization are logged, detailing the applied profiles and permissions. Deleting a username from ISE can lead to authentication failures and loss of associated access rights, impacting user access and potentially complicating auditing efforts.

https://ggsaloncorvallis.com/hair_salon/