Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3353
Views
0
Helpful
6
Replies

ISE AD Security Event log?

Go to solution
rangerdangerx
Level 1
Level 1

‎01-24-2017 08:16 AM - edited ‎03-11-2019 12:23 AM

If you have ISE integrated with AD, when a user authenticates with ISE does it create a login event on the DC security event log?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Gagandeep Singh
Cisco Employee
Cisco Employee
In response to rangerdangerx

‎01-25-2017 10:02 AM

It should be irrespective of AD/LDAP. As during authentication of user, ISE talks to Kerberos and for group retrieval/Lookup from AD, it uses LDAP application.

In both cases, event should generate on AD.

Request can be DOT1X which uses RADIUS protocol or it can be TACACS user authentication from AD/LDAP server.

Regards

Gagan

PS : rate if it helps!!!!!

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Gagandeep Singh
Cisco Employee
Cisco Employee

‎01-24-2017 03:48 PM

Yes, it does as ISE sends request to DC for user check and once it gets confirmation then ISE looks for authorizing that AD user. So in a nutshell, DC should have a log for that user event viewer.

Regards

Gagan

PS : rate if it helps!!!!!

0 Helpful

Go to solution
rangerdangerx
Level 1
Level 1
In response to Gagandeep Singh

‎01-25-2017 07:03 AM

but it would be a dot1x login event and not ldap correct? 

0 Helpful

Go to solution
Gagandeep Singh
Cisco Employee
Cisco Employee
In response to rangerdangerx

‎01-25-2017 10:02 AM

It should be irrespective of AD/LDAP. As during authentication of user, ISE talks to Kerberos and for group retrieval/Lookup from AD, it uses LDAP application.

In both cases, event should generate on AD.

Request can be DOT1X which uses RADIUS protocol or it can be TACACS user authentication from AD/LDAP server.

Regards

Gagan

PS : rate if it helps!!!!!

0 Helpful

Go to solution
rangerdangerx
Level 1
Level 1
In response to Gagandeep Singh

‎01-25-2017 10:05 AM

lets say I have a firepower user agent, which picks up login events from a dc, would the user agent see those events?

0 Helpful

Go to solution
Gagandeep Singh
Cisco Employee
Cisco Employee
In response to rangerdangerx

‎01-25-2017 10:24 AM

We can do that from ISE by sending logs to Syslog server. But don't know how to do that from Microsoft end. It would be better to open a thread with Microsoft team.

You can keep this thread running if required any further questions from our end.

Regards

Gagan

PS : rate helpful posts...

0 Helpful

Go to solution
Sakun Sharma
Level 1
Level 1
In response to Gagandeep Singh

‎10-22-2019 09:15 PM

Hi

 

How do we configure ISE to send those logs to FMC or FTD?

 

Thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents