07-06-2022 05:22 AM
On an ISE deployment that is running TACACS for access control of network routers and switches, is it possible to get the IP address of the user end-stations to display in the details of live logs?
ISE 3.1/operation/TACACS/live logs/
you can see that a bad userid was entered. When you select the details, you get a lot of information, but unless I am missing something, I do not see the end-station IP address.
Anyone who has corporate scanners knows there is a lot of noise generated by attempts from those devices, but sometimes you would like to quickly check a failure that looks a bit odd/different to determine if it is friend or foe.
TIA
07-06-2022 06:10 AM
On ISE 2.7 I can see the end user's IP in the TACACs live logs under the column "Remote Address". Is this attribute enabled for display in the live logs? Click on the gear icon at the top right of the TACACs live logs to confirm.
hth
Andy
07-06-2022 05:31 AM
I think you need a DHCP profile, which makes the SW send the host's IP address to ISE.
07-06-2022 05:56 AM
That seems strange since ISE TACACS has to know the end-station IP address. As a (we think) good security practice, the scanning accounts can only come from specific end-station IP addresses as coded in the device admin policy sets. So ISE has to know the end-station IP to apply the policy; however, I suppose that TACACS AV information may come later in the session initiation.
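As an added example (not from this thread and not Cisco ISE code), a small Python triage pass over constructed records shaped like the live-log rows discussed above: it separates failures from scanner accounts arriving from their permitted addresses (the policy-set restriction described above) from failures that deserve a look, keyed on the Remote Address field. Field names, addresses and account names are assumptions, not ISE's export format.

```python
import ipaddress
from typing import Iterable

# Constructed sample records (not a real ISE export; field names are assumed).
# Each record mimics one TACACS live-log row: status, username, network device,
# and the end-station address ISE shows in the "Remote Address" column.
SAMPLE_RECORDS = [
    {"status": "FAIL", "user": "scan-svc", "device": "10.1.1.1", "remote": "10.50.0.10"},
    {"status": "FAIL", "user": "scan-svc", "device": "10.1.1.2", "remote": "192.168.7.33"},
    {"status": "FAIL", "user": "jsmth", "device": "10.1.1.1", "remote": "10.20.3.44"},
    {"status": "PASS", "user": "jsmith", "device": "10.1.1.1", "remote": "10.20.3.44"},
    {"status": "FAIL", "user": "admin", "device": "10.1.1.3", "remote": "203.0.113.9"},
]

# Scanner accounts and the only end-station ranges they may come from, mirroring
# the device-admin policy-set restriction in the thread (values are assumed).
SCANNER_ACCOUNTS = {"scan-svc"}
SCANNER_NETS = [ipaddress.ip_network("10.50.0.0/24")]
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def _in_any(addr: str, nets) -> bool:
    """True if addr falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def triage(records: Iterable[dict]) -> dict:
    """Split failed TACACS attempts into expected scanner noise and rows worth
    reviewing, using the Remote Address (end-station) field."""
    result = {"scanner_noise": [], "review": []}
    for r in records:
        if r["status"] != "FAIL":
            continue
        remote = r["remote"]
        # Expected noise: a scanner account failing from an address it is allowed from.
        if r["user"] in SCANNER_ACCOUNTS and _in_any(remote, SCANNER_NETS):
            result["scanner_noise"].append(r)
            continue
        reason = []
        if r["user"] in SCANNER_ACCOUNTS:
            reason.append("scanner account from non-scanner address")
        if not _in_any(remote, CORP_NETS):
            reason.append("remote address outside corporate ranges")
        if not reason:
            reason.append("failed login from corporate host (possible typo)")
        result["review"].append({**r, "reason": "; ".join(reason)})
    return result
```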