Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3779
Views
5
Helpful
4
Replies

Cisoc ISE 2.7 P2 - Alarms - Unknown SGT was provisioned

Go to solution
AigarsK
Level 1
Level 1

‎09-17-2020 01:22 PM - edited ‎09-17-2020 01:26 PM

So I have been looking at alarms and identified that "Unknown SGT was provisioned" alarm could be used as security audit to log endpoints which hit Default Policy and instead of just sending Access_Reject

Access_Accept  along with Unknown SGT is sent and technically host gets black-holed, however even so "Unknown SGT was provisioned" alarm is enabled, it does not come up in Cisco ISE Alarms dash.

Suggestion on Alarm states following "ISE provisioned the Unknown SGT as part of the authorization flow. Unknown SGT should not be assigned as part of a known flow"

 

So this makes statement that Unknown SGT was assigned as part of Authorization Rule, which is exactly what I am doing.

 

Can someone advise me if they know how to make it work.

Also if this is known not to work, then what other option is there to get some log outside the Cisoc ISE that something hit Default Authorization Rule?

 

If this worked as intended, would have been passed to Syslog and would generate security alert.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎09-18-2020 12:39 AM

AFAIK, this alarm is triggered only when you have Network Devices that are configured for TrustSec, but you have not create a policy in the Network Device Authorization (NDAC) to assign a specific SGT. This results in the #CTSREQUEST# session hitting the Default NDAC policy which applies the Unknown SGT.

ISE does not have a way to pre-filter logs prior to sending them to an external syslog server. The canned reports in ISE are inflexible and ISE is not built for historical logging/reporting. Most customers send logs to their external syslog server for historical logging and customised reporting.

If you want to work within the constraints of the built-in reports, you can filter on Authorization Rule and export to CSV or create a Scheduled Report. You could also gather information via the REST API.

Screen Shot 2020-09-18 at 5.34.39 pm.png

View solution in original post

4 Replies 4

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎09-17-2020 07:19 PM

 

This is correct. The Unknown SGT should not be used in an AuthZ Policy.

Common practice for external logging is to configure (at a minimum) the following Logging Categories to use the configured external syslog server (remote logging target):

  • AAA Audit
  • Failed Attempts
  • Passed Authentications
  • Accounting
  • Administrative and Operational Audit
  • Profiler

This would allow you to create filters, queries, and/or dashboards in your external logging system (i.e. Splunk) to identify sessions hitting the 'Default' AuthZ Policy (AuthorizationPolicyMatchedRule=Default) or an AuthZ Profile name used for the Default AuthZ Policy in a specific Policy Set (e.g. SelectedAuthorizationProfiles=MM-AuthZ-Default)

0 Helpful

Go to solution
AigarsK
Level 1
Level 1
In response to Greg Gibbs

‎09-17-2020 10:43 PM

Hi Greg,

I appreciate your reply, the reason I was looking at using Unknown SGT is that it technically provides our security requirements and if the Alarm was to work we would be able to pic this up in our monitoring system.

 

Adding Remote Logging Targets to the Logging Categories you are recommending is noisy, This would relay on remote party syslog server to filter through the noise and then cherry pick only logs of interest and at the same time we are wasting bandwidth to deliver all this noise with only few logs we are interested in.

 

Is there a way to filter particular messages at the Cisco ISE side and only send them once they match the AuthZ Default rule?

 

Also then at what conditions I am meant to expect alarm "Unknown SGT was provisioned" to be triggered, is this meant to be logged as soon AuthZ is matched to provision Unknown SGT or is it only picked up when Accounting from NAD reports on its attributes?

 

0 Helpful

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎09-18-2020 12:39 AM

AFAIK, this alarm is triggered only when you have Network Devices that are configured for TrustSec, but you have not create a policy in the Network Device Authorization (NDAC) to assign a specific SGT. This results in the #CTSREQUEST# session hitting the Default NDAC policy which applies the Unknown SGT.

ISE does not have a way to pre-filter logs prior to sending them to an external syslog server. The canned reports in ISE are inflexible and ISE is not built for historical logging/reporting. Most customers send logs to their external syslog server for historical logging and customised reporting.

If you want to work within the constraints of the built-in reports, you can filter on Authorization Rule and export to CSV or create a Scheduled Report. You could also gather information via the REST API.

Screen Shot 2020-09-18 at 5.34.39 pm.png

Go to solution
AigarsK
Level 1
Level 1
In response to Greg Gibbs

‎09-18-2020 02:45 AM

Thanks Greg for the explanation and potential workaround.

0 Helpful
Customers Also Viewed These Support Documents