DanWeaver
Cisco Employee

AAA on ISE for FMC

Hi,

I have a customer asking if they will have the same degree of audit logs (accounting/forensics) with a GUI based management system.

Please advise.

Thank you,

Dan Weaver

1 ACCEPTED SOLUTION

Accepted Solutions

ISE should be your single source to enforce, track and audit who is logging into the various systems.  You can also use it to assign roles and privilege levels where supported.  If a device supports command authorization/accounting ISE can also detail what actions were performed on the system.  Otherwise it is up to that system to log what actions were done on the system. 

If the customer is looking for a single pane of glass for everything they should be looking at a SIEM.


6 REPLIES
Charlie Moreton
Cisco Employee

Yes, the Auditing does not change.

In my case, Administrator exists in AD, authenticated through ISE

AAA_FMC1.PNG

AAA_FMC1a.PNG

The audit logs still show what is expected:

AAA_FMC2.PNG

So they have to look at 2 systems now, ISE/ACS and the FMC to have complete logs for all managed systems?

“If a device supports command authorization/accounting ISE can also detail what actions were performed on the system.” – so ASA/FMC config changes made in a GUI will be translated to CLI input and shown in the ISE AAA reports for authorization/accounting?  I don’t want to sound skeptical but I would kind of like to see that in action.  For example, if I add a NAT statement when I’m logged into the GUI as User1, I’ll find a corresponding authorization/accounting line item in ISE for something like “nat (inside,outside) dynamic interface” attributed to User1 in the logs?

No, I was making a general statement. If the device authenticating against supports command authorization/accounting it would show in ISE reports. I wasn't saying FMC supported this.

Can someone just let me know if GUI changes made in FMC are logged in the equivalent detail that they would have been in CLI, that's all the customer wants to know.
