Kashish_Patel
Explorer

Monitoring ISE node as syslog destination

Hi Security Experts,

We are setting up Cisco ISE (Identity Services Engine) in our network.

I am confused about whether we need to configure the monitoring node IP address as the syslog destination on the access switches. In what situations is this needed and in which situations is it not needed?

PS: I rate useful posts.

Thanks,

Kashish

4 REPLIES
Tarik Admani
Advocate

Kashish,

When you look at the user authentication report, ISE also builds related syslog messages that pertain to the user connection.

This isn't mandatory but useful since it does help correlate syslog messages to the user authentication session. Here is an example of it in action:

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_troubleshooting.html#wp1050132

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks Tarik.

So you mean that even if we don't configure the monitoring ISE node IP as the syslog destination on the access switches, ISE still gives details of user authentication?

Configuring the IP gives us additional details, right?

Thanks,

Kashish

Exactly, ISE will attach the relevant syslog data (if you have it configured) to the report. The RADIUS authentication will still appear no matter what.

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks Tarik. That answers my question.
