Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
871
Views
0
Helpful
1
Replies

ISE TACACS Syslog attributes explanation

ckumar2
Cisco Employee
Cisco Employee

‎03-11-2019 02:30 PM

Greetings experts,

I am working with a customer where they are using ISE for TACACS (ISE 2.4) and sending TACACS Syslog to an external Syslog server. The customer would like to get some official doc or something from Cisco about these TACACS Syslog messages

 

DestinationIPAddress----------(This IP address is TACACS server, however, external Syslog server vendor interprets this field  differently)

Remote-Address------------(The IP of endpoint and tried to log in to a switch/routers for TACACS authentication)

Device IP Address----------(This IP is of NAD i.e TACACS client)

 

Raw log data sent by ISE TACACS

Description of what the data is

Confusion in Naming

Device IP Address = 192.168.x.x

The device being impacted, the device that sent the log in the first place, the destination of the logon/attack

DESTINATION HOST – need this clearly stated somewhere by Cisco

DestinationIPAddress = 10.1.x.x

The log forwarder, the “management station”, this is the ISE Server

Why is the word “Destination” used when this is the management station/ISE

Remote-Address = 192.168.x.x

The host from which the logon was attempted, the actual attacker

SOURCE HOST – the host where the logon came from, not a “remote address”

 

The difference how ISE looks remote-address is different what the customer Syslog server wanted to expect, hence we need some explanation on these parameters.

I found this link but this does not have an explanation 

https://community.cisco.com/t5/identity-services-engine-ise/ise-and-complete-syslog-message-list-for-clever-event-management/td-p/3733218

 

Regards,

Chandan

Any help on this would be much appreciated.

0 Helpful
1 Reply 1

Damien Miller
VIP
VIP

‎03-11-2019 03:32 PM

If you look at the RFCs related to TACACS you will actually find that the remote address is not a reliable field. For example, an F5 I worked with didn't send it.

https://tools.ietf.org/html/draft-grant-tacacs-02
"The rem_addr is a "best effort" description of the remote location from which the user has connected to the client. In many cases, the remote address will not be available or will be unreliable at best, but it may be useful when included."

https://tools.ietf.org/html/draft-ietf-opsawg-tacacs-11
"A printable US-ASCII string indicating the remote location from which the user has connected to the client. It is intended to hold a network address if the user is connected via a network, a caller ID is the user is connected via ISDN or a POTS, or any other remote location information that is available. This field is optional (since the information may not be available). The rem_addr_len indicates the length of the user field, in bytes."
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents