08-02-2024 03:20 AM
Hi chaps,
Does anybody know how to silently drop unwanted authentication tries in the Default policy, to avoid Rapid7 scanning for default usernames appearing in the logs?
I'm running ISE 3.3 Patch 2 and my device admin authentication policies (TACACS+) only allow known account patterns (from admins and service accounts) and drop unknown usernames, but ISE keeps showing them in the logs. Is that something that may be tweaked at some time if we need to clean up the logs?
Thanks in advance
08-02-2024 03:26 AM
Setting > protocol > radius or tacacs > suppression & reports
There is some config you can add to make ISE drop the unknown user
MHM
08-02-2024 07:31 AM
Yes, but there is only suppression for RADIUS and not for TACACS, so that does not help.
I've tried DROP request instead of REJECT if auth fails or the user does not exist, but that also appears in the logs and does not make much difference, other than whether it sends a packet to the endpoint or not.
08-03-2024 04:25 PM
Hi friend
Do you use TACACS for admin of a SW or router?
If yes, I have been thinking about your issue for the last two days.
You can run login block-for and login quiet.
The idea is that the device will not allow new logins for a specific time and will allow access to the device during that time only for a specific IP (this is mandatory, you need it to access the device during quiet time).
That way ISE does not receive new login failure tries and they don't appear in the log event view.
Please try these commands before copying the config into start-config
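The device-side approach suggested in the post above, written out as an added Cisco IOS example; it is not part of the original thread. The ACL name, the 192.0.2.0/24 management subnet and all timer values are constructed placeholders.

```cisco
! Constructed values: ACL name, management subnet and timers are placeholders.
ip access-list standard MGMT-QUIET
 permit 192.0.2.0 0.0.0.255
!
! Enter quiet mode for 300 s after 5 failed logins within 60 s.
login block-for 300 attempts 5 within 60
! During quiet mode, only sources matching the ACL can still log in.
login quiet-mode access-class MGMT-QUIET
! Log failed logins locally so the scanning stays visible on the device.
login on-failure log
```

The failed attempts that trigger quiet mode are still forwarded to the AAA server before the block takes effect, so this reduces the number of entries rather than suppressing them. `show login` displays the current mode and the configured thresholds.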
08-05-2024 03:01 AM
@MHM Cisco World unfortunately this is not what I'm looking for, so we should wait for Cisco to add a suppression feature on the TACACS+ protocol the same way RADIUS has it. Thanks for the tips.