
Can ISE TACACS report the user's IP address for login failures in live logs?

wags
Level 1

On an ISE deployment that is running TACACS for access control of network routers and switches, is it possible to get the IP address of the user end-stations to display in the details of live logs?

 

ISE 3.1/operation/TACACS/live logs/

You can see that a bad userid was entered. When you select the details, you get a lot of information, but unless I am missing something, I do not see the end-station IP address.

 

Anyone who has corporate scanners knows there is a lot of noise generated by attempts from those devices, but sometimes you would like to quickly check a failure that looks a bit odd/different to determine if it is friend or foe.

 

TIA

Accepted Solutions

andrewswanson
Level 7

On ISE 2.7 I can see the end user's IP in the TACACS live logs under the column "Remote Address". Is this attribute enabled for display in the live logs? Click on the gear icon at the top right of the TACACS live logs to confirm.

 

hth

Andy


3 Replies

I think you need a DHCP profile, which makes the SW send the IP address of the host to ISE.

That seems strange since ISE TACACS has to know the end station IP address. As a (we think) good security practice, the scanning accounts can only come from specific end-station IP addresses as coded in the device admin policy sets. So ISE has to know the end-station IP to apply the policy; however, I suppose that TACACS AV information may come later in the session initiation.
