I am working with a customer who is using ISE for TACACS (ISE 2.4) and sending TACACS syslog to an external syslog server. The customer would like an official document or something similar from Cisco about these TACACS syslog messages:
DestinationIPAddress ---------- (This IP address is the TACACS server; however, the external syslog server vendor interprets this field differently)
Remote-Address ------------ (The IP of the endpoint that tried to log in to a switch/router for TACACS authentication)
Device IP Address ---------- (This IP is that of the NAD, i.e. the TACACS client)
| Raw log data sent by ISE TACACS | Description of what the data is | Confusion in naming |
|---|---|---|
| Device IP Address = 192.168.x.x | The device being impacted, the device that sent the log in the first place, the destination of the logon/attack | DESTINATION HOST – need this clearly stated somewhere by Cisco |
| DestinationIPAddress = 10.1.x.x | The log forwarder, the "management station", this is the ISE server | Why is the word "Destination" used when this is the management station/ISE? |
| Remote-Address = 192.168.x.x | The host from which the logon was attempted, the actual attacker | SOURCE HOST – the host where the logon came from, not a "remote address" |
The way ISE interprets Remote-Address differs from what the customer's syslog server expects, hence we need some explanation of these parameters.
I found this link, but it does not have an explanation.
If you look at the RFCs related to TACACS you will actually find that the remote address is not a reliable field. For example, an F5 I worked with didn't send it.
https://tools.ietf.org/html/draft-grant-tacacs-02 "The rem_addr is a "best effort" description of the remote location from which the user has connected to the client. In many cases, the remote address will not be available or will be unreliable at best, but it may be useful when included."
https://tools.ietf.org/html/draft-ietf-opsawg-tacacs-11 "A printable US-ASCII string indicating the remote location from which the user has connected to the client. It is intended to hold a network address if the user is connected via a network, a caller ID [if] the user is connected via ISDN or a POTS, or any other remote location information that is available. This field is optional (since the information may not be available). The rem_addr_len indicates the length of the user field, in bytes."
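The field-role mapping the question asks for, together with the "rem_addr is best effort" point from the reply, is easiest to get right in the syslog receiver itself. The following is an added example (not Cisco, ISE, or any syslog vendor's code) of a normaliser that reads the three ISE field names discussed above and maps them onto source/destination/AAA-server roles, treating Remote-Address as optional and accepting that it may not even be an IP address. The sample lines are constructed; their overall key=value layout is only assumed to resemble what ISE sends, and every other key name (User, NetworkDeviceName) is an assumption.

```python
"""Normalise ISE TACACS syslog fields into SIEM source/destination roles.

Added example, not Cisco or ISE code. Only the three field names discussed
in the thread (Device IP Address, DestinationIPAddress, Remote-Address) are
taken from the page; the surrounding message layout and the other keys are
assumptions.
"""
import ipaddress
import re

# Constructed sample messages (not captured from a real ISE deployment).
SAMPLE_LOGS = [
    # NAD sent rem_addr: the operator's workstation is known.
    "Jan 10 10:15:32 ise01 CISE_TACACS_Accounting 0000012345 1 0 "
    "2020-01-10 10:15:32.123 +00:00 0000123456 3300 NOTICE Tacacs-Accounting: "
    "TACACS+ accounting request accepted, Device IP Address=192.168.10.5, "
    "DestinationIPAddress=10.1.1.20, Remote-Address=192.168.50.77, "
    "User=netadmin, NetworkDeviceName=core-sw-01",
    # NAD did not send rem_addr at all (like the F5 mentioned in the reply).
    "Jan 10 10:16:01 ise01 CISE_Passed_Authentications 0000012346 1 0 "
    "2020-01-10 10:16:01.004 +00:00 0000123457 5200 NOTICE Passed-Authentication: "
    "Authentication succeeded, Device IP Address=192.168.10.9, "
    "DestinationIPAddress=10.1.1.20, User=netadmin, NetworkDeviceName=f5-lb-01",
    # NAD sent a non-IP rem_addr (the drafts allow caller ID or other info).
    "Jan 10 10:17:45 ise01 CISE_Failed_Attempts 0000012347 1 0 "
    "2020-01-10 10:17:45.900 +00:00 0000123458 5400 NOTICE Failed-Attempt: "
    "Authentication failed, Device IP Address=192.168.10.5, "
    "DestinationIPAddress=10.1.1.20, Remote-Address=async, "
    "User=unknown, NetworkDeviceName=core-sw-01",
]

# A field is ', key=value'; keys may contain spaces ("Device IP Address").
KV_RE = re.compile(r"(?:^|, )([^=,]+?)=([^,]*)")


def parse_fields(line):
    """Return the comma-separated key=value pairs of one syslog line as a dict."""
    return {k.strip(): v.strip() for k, v in KV_RE.findall(line)}


def as_ip(value):
    """Canonical IP string if value parses as an IPv4/IPv6 address, else None."""
    if not value:
        return None
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def normalize(line):
    """Map the ISE field names onto the roles a SIEM expects."""
    f = parse_fields(line)
    rem = f.get("Remote-Address")
    src_ip = as_ip(rem)
    return {
        # Device IP Address = the NAD (TACACS client): the host being logged into.
        "dest_host": as_ip(f.get("Device IP Address")),
        # DestinationIPAddress = the ISE node that handled the request and sent the log.
        "aaa_server": as_ip(f.get("DestinationIPAddress")),
        # Remote-Address = rem_addr: where the operator came from. Optional and
        # best-effort per the TACACS+ drafts, so it may be missing or not an IP.
        "src_host": src_ip,
        "src_remote_raw": rem,
        "src_host_known": src_ip is not None,
        "user": f.get("User"),
        "device_name": f.get("NetworkDeviceName"),
    }


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        e = normalize(line)
        src = e["src_host"] or f"unknown (rem_addr={e['src_remote_raw']!r})"
        print(f"{e['user']} -> {e['dest_host']} ({e['device_name']}) "
              f"from {src}; logged by ISE {e['aaa_server']}")
```

The point of `src_host_known` is that a correlation rule should never fall back to DestinationIPAddress or Device IP Address when Remote-Address is absent: the first is the ISE node, the second is the device being logged into, and neither is the host the operator came from.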