topic Re: ISE(TACACS) log categories to send NADs audit trail to remote targ in Network Access Control

ISE(TACACS) log categories to send NADs audit trail to remote targets

Andrii Oliinyk — Tue, 05 Dec 2023 15:53:43 GMT

Hi Guys
unsuccessfully have been searching through docs to discover.
Can it be Accounting / TACACS Accounting or ...?

Any help please

Re: ISE(TACACS) log categories to send NADs audit trail to remote targ

adamscottmaster2013 — Tue, 05 Dec 2023 21:00:21 GMT

@Andrii Oliinyk: can you elaborate exactly what you're trying to do so that I might be able to help you?

Re: ISE(TACACS) log categories to send NADs audit trail to remote targ

Andrii Oliinyk — Wed, 06 Dec 2023 08:34:04 GMT

Hi Adam
DNAC-managed devices are configured with below aaa (meaning whatever network admin activity on the switch happens it gets sent to TACACS)
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Now, in the ISE, we want all this events to be sent to remote SYSLOG-server.
What would be appropriate ISE logging category to address this topic?
Within my assumptions r :
AAA Diagnostics / TACACS Diagnostics
Accounting / TACACS Accounting

Can u confirm? Does it fully address requirement?

Re: ISE(TACACS) log categories to send NADs audit trail to remote targ

adamscottmaster2013 — Wed, 06 Dec 2023 12:19:35 GMT

@Andrii Oliinyk: Yes, you are correct but you do not need AAA Diagnostics / TACACS Diagnostics. What you do is to create a new syslog collector and add add under the Accounting remote target. One other thing, make sure you change that syslog collector size limit to 8192 to avoid your AAA accounting log being cutoff.

HTH.

Re: ISE(TACACS) log categories to send NADs audit trail to remote targ

Andrii Oliinyk — Wed, 06 Dec 2023 16:18:53 GMT

Hi Adam
thanks for input. could you please bring more details on collector size (Maximum Length, right?) limit as it seems to be smaller atm

Re: ISE(TACACS) log categories to send NADs audit trail to remote targ

adamscottmaster2013 — Wed, 06 Dec 2023 17:25:18 GMT

@Andrii Oliinyk: The default value of 1024 might not be enough for some of the AAA accounting message because some of them might get truncated. Maximum length 8192 should be used whenever possible.

Re: ISE(TACACS) log categories to send NADs audit trail to remote targ

Andrii Oliinyk — Wed, 06 Dec 2023 18:45:01 GMT

does it mean that TACACS's syslog agent truncates message on its level of operation? bc we have TCP syslog which must manage this stuff with TCP MSS payload adjustment on the transport layer.

Re: ISE(TACACS) log categories to send NADs audit trail to remote targ

adamscottmaster2013 — Wed, 06 Dec 2023 20:23:10 GMT

@Andrii Oliinyk: you might not to worry about if you use TCP syslog but I am not so sure about this. I only use udp syslog and that's what I observed.

Re: ISE(TACACS) log categories to send NADs audit trail to remote targ

Andrii Oliinyk — Wed, 06 Dec 2023 20:45:12 GMT

good to know it's not n application layer defect as well as good syslog implementation could be reliable even with udp :0)