cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
798
Views
0
Helpful
3
Replies

Can ISE TACACS report users IP address for logins failure in live logs

wags
Level 1
Level 1

On an ISE deployment that is running TACACS for access control of network routers and switches, is it possible to get the IP address of the user end-stations to display in the details of live logs?

 

ISE 3.1/operation/TACACS/live logs/

you can see that a bad userid was entered.  When you select the details, you get a lot of information, but unless I am missing something, I do not see the end-station IP address.

 

Anyone who has corporate scanners knows there are a lot of noise generated by attempts from those devices, but sometimes you would like to quickly check a failure that looks a bit odd/different to determine if it is friend or foe.

 

TIA

1 Accepted Solution

Accepted Solutions

andrewswanson
Level 7
Level 7

On ISE 2.7 I can see the end user's IP in the TACACs live logs under the column "Remote Address". Is this attribute enabled for display in the live logs? Click on the gear icon at the top right of the TACACs live logs to confirm.

 

hth

Andy

View solution in original post

3 Replies 3

I think you need DHCP profile which make SW send IP address of host to ISE.

That seems strange since ISE TACACS has to know the end station IP address.  As a (we think) good security practice, the scanning accounts can only come from specific end-station IP addresses as coded in the device admin policy sets.  So ISE has to know the end-station IP to apply the policy, however I suppose that TACACS AV information may come later in the the session initiation.  

andrewswanson
Level 7
Level 7

On ISE 2.7 I can see the end user's IP in the TACACs live logs under the column "Remote Address". Is this attribute enabled for display in the live logs? Click on the gear icon at the top right of the TACACs live logs to confirm.

 

hth

Andy