
ISE 2.4 : Cleaning unused Tacacs identities accounts

gillessapene
Level 1

We have used the Cisco ACS (and now ISE) TACACS server for more than 12 years. We have too many TACACS accounts. I am sure that a lot of them are no longer used. I would like to get the list of the accounts (identities) which have not been used for a long time. I mean the date when the account was used to authenticate against a device.

 

It seems that there is nothing natively and that the only way would be to use a REST API script.

 

I have looked at the "External RESTful Services (ERS) Online SDK" / API Documentation / Internal User.

There is a way to get an identity, but I have not found how to get the "last used date" parameter.

Has anyone already worked on this?

I don't want to use any expiration date/purge. I just need the list and I will then ask for confirmation before deleting any identity.

Thanks

Gilles

Accepted Solutions

hslai
Cisco Employee

The ISE ERS API is for ISE configurations. Assuming you are using ISE Internal users, they are part of ISE configurations, but the authentication attempts using them are part of ISE operational data, which by default is kept for 3 months only.

If you are using this default retention duration, then you may run a report on Device Administration > TACACS Authentication for the last 3 months, export the results to CSV and use Excel or a similar tool to find out which user accounts were used in that period.

There is no API to interact with ISE operational data at present.

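The comparison hslai describes (exported TACACS Authentication CSV against the list of internal users), sketched in Python as an added example that is not part of the original posts or of any Cisco tooling. The column names, timestamp format, status values and sample rows are assumptions constructed for illustration; only successful authentications count as use, and failed attempts are counted separately.

```python
import csv
import io
from datetime import datetime

# Constructed sample of a TACACS Authentication report export. The column
# names and the timestamp format are assumptions; adjust them to the CSV
# that your ISE version actually produces.
SAMPLE_REPORT = """Logged Time,Status,Identity,Network Device Name
2019-03-02 09:14:07,Pass,alice,core-sw-01
2019-03-20 17:41:55,Pass,Alice,edge-rtr-02
2019-03-21 03:12:30,Fail,bob,edge-rtr-02
2019-02-11 11:05:19,Pass,carol,core-sw-01
"""

# Constructed list of internal user names, collected separately from the
# configuration side (for example an export of the Internal User list).
SAMPLE_USERS = ["alice", "bob", "carol", "dave"]


def last_use(report_text, user_col="Identity", time_col="Logged Time",
             status_col="Status", pass_value="Pass",
             time_fmt="%Y-%m-%d %H:%M:%S"):
    """Return ({user: last successful login}, {user: failed attempt count})."""
    passed, failed = {}, {}
    for row in csv.DictReader(io.StringIO(report_text)):
        # Assumption: user names are compared case-insensitively.
        user = row[user_col].strip().lower()
        if not user:
            continue
        if row[status_col].strip() == pass_value:
            seen = datetime.strptime(row[time_col].strip(), time_fmt)
            if user not in passed or seen > passed[user]:
                passed[user] = seen
        else:
            failed[user] = failed.get(user, 0) + 1
    return passed, failed


def unused_accounts(internal_users, report_text, **columns):
    """Internal users with no successful authentication in the export."""
    passed, failed = last_use(report_text, **columns)
    return [(u, failed.get(u.lower(), 0)) for u in sorted(internal_users)
            if u.lower() not in passed]


if __name__ == "__main__":
    for user, fails in unused_accounts(SAMPLE_USERS, SAMPLE_REPORT):
        print(f"{user}: no successful login in export, {fails} failed attempt(s)")
```

An account in the result was only unseen within the exported window, so the output is a list of candidates to confirm before deletion, as the original poster intends.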

2 Replies 2


May I ask where the 3 months of historical data that you can get in the report is configured?

When I run a report, the maximum that I can set is 30 days.
