Question ISE logs

cisco.13
Level 1

Hello Everybody,

Can you please tell me what the ISE/TACACS logs of my ASA device correspond to?
Indeed, the "Username" is configured on both devices (local username).

- Who initiates these requests?
- What is the "Username" used (that of ISE or ASA)?
- What are these requests for?
- Is there an impact if I delete the Username from ISE?

Example 1:
13013 Received TACACS+ Authentication START Request - AD
....
13015 Returned TACACS+ Authentication Reply

Request Type Authentication
Status Pass
Message Text Passed-Authentication: Authentication succeeded
Selected Authorization Profile admi_profile

Example 2:
13005 Received TACACS+ Authorization Request - AD
...
13034 Returned TACACS+ Authorization Reply

Request Type Authorization
Status Pass
Message Text Device-Administration: Session Authorization succeeded
Shell Profile admi_profile
Matched Command Set
Command From Device

Example 3:
13005 Received TACACS+ Authorization Request - AD
...
13034 Returned TACACS+ Authorization Reply

Request Type Authorization
Status Pass
Matched Command Set adminprofile
Command From Device show vpn-sessiondb full anyconnect
Message Text Device-Administration: Command Authorization succeeded

Thank you very much



balaji.bandi
Hall of Fame

It depends on your AAA config: if AAA prefers ISE and falls back to local, then the user will be from ISE/AD; in this case the local user is not valid.

If you look at the full log, it will show you the username and where it authenticated.

Is there an impact if I delete the Username from ISE? - If this is a normal user, I do not see any impact.

 

BB


cisco.13
Level 1

Hello,
I think I expressed my need badly!
This is a local account configured on the ASA and on the ISE (for another need).
ISE logs are present continuously (~every minute).

I see that the command "show vpn-sessiondb full anyconnect" is executed by this account.

Example 1:
13013 Received TACACS+ Authentication START Request - AD
....
13015 Returned TACACS+ Authentication Reply

Request Type Authentication
Status Pass
Message Text Passed-Authentication: Authentication succeeded
Selected Authorization Profile admi_profile

Example 2:
13005 Received TACACS+ Authorization Request - AD
...
13034 Returned TACACS+ Authorization Reply

Request Type Authorization
Status Pass
Message Text Device-Administration: Session Authorization succeeded
Shell Profile admi_profile
Matched Command Set
Command From Device

Example 3:
13005 Received TACACS+ Authorization Request - AD
...
13034 Returned TACACS+ Authorization Reply

Request Type Authorization
Status Pass
Matched Command Set adminprofile
Command From Device show vpn-sessiondb full anyconnect
Message Text Device-Administration: Command Authorization succeeded

Thank you very much

cisco.13
Level 1

In addition, I've just deleted the local account (MY_LOCAL_USERNAME) on the ASA device and I still see the Live Logs on ISE!

I do not understand these logs received continuously on the ISE.

 

13005 Received TACACS+ Authorization Request - AD
15049 Evaluating Policy Group - MY_LOCAL_USERNAME
15008 Evaluating Service Selection Policy - aaa.domaine.local
15048 Queried PIP - domaine.local
15041 Evaluating Identity Policy
22072 Selected identity source sequence - ERROR_NO_SUCH_USER
15013 Selected Identity Source - AD
24432 Looking up user in Active Directory - AD
24325 Resolving identity - MY_LOCAL_USERNAME
24313 Search for matching accounts at join point - aaa.domaine.local
24318 No matching account found in forest - domaine.local
24322 Identity resolution detected no matching account
24352 Identity resolution failed - ERROR_NO_SUCH_USER
24412 User not found in Active Directory - AD
15013 Selected Identity Source - Internal Users
24210 Looking up User in Internal Users IDStore
24212 Found User in Internal Users IDStore
22037 Authentication Passed
15036 Evaluating Authorization Policy
24432 Looking up user in Active Directory
24325 Resolving identity
24313 Search for matching accounts at join point
24318 No matching account found in forest
24322 Identity resolution detected no matching account
24352 Identity resolution failed
24412 User not found in Active Directory
15048 Queried PIP - AD.ExternalGroups (2 times)
15048 Queried PIP - Network Access.UserName
15048 Queried PIP - IdentityGroup.Name
15018 Selected Command Set
13024 Command matched a Permit rule
13034 Returned TACACS+ Authorization Reply

 

Overview
Request Type Authorization
Status Pass
Session Key tacacs/478462371/124230950
Message Text Device-Administration: Command Authorization succeeded
Username MY_LOCAL_USERNAME
Authorization Policy ALL-DEVICES_Policy >> MY_Rule
Shell Profile
Matched Command Set My_admin15_tacacs_command_sets
Command From Device show vpn-sessiondb full anyconnect

 

@cisco.13 You are using TACACS and each command is authorised by ISE, so there will be an authorisation log entry for each command executed on the ASA.

Hello @Rob Ingram,

Thank you for your reply.

How can I know who is executing these commands on the ASA (it looks like a script/robot)?
e.g. show vpn-sessiondb full anyconnect

Will there be no impact on the ASA/VPN service if I delete the account on ISE?

Thank you

@cisco.13 

24325 Resolving identity - MY_LOCAL_USERNAME is the username being authorised.

Why do you think this is a script?

If you delete the account on ISE then the user will fail to be authenticated and subsequently be unable to execute those commands.

cisco.13
Level 1

@Rob Ingram 

Indeed, the account "MY_LOCAL_USERNAME" is used for other needs, and I am studying the impact on the ASA/VPN (and other devices) if I delete this account following the cyber team's request.

Why do you think this is a script? Because I see live logs continuously on the ISE (~every minute) and I do not see in the logs the IP that executes the commands (except the IP of the ASA).

THANKS

@cisco.13 The "Network Device IP" address will be the IP address of the ASA, but the ISE TACACS logs will also have a "Remote Address", which will be the source of the connection (laptop, desktop or server).

If "show vpn-sessiondb full anyconnect" is the only command being logged every 1 minute by the same user, then yes it sounds like it might be a script.

If you delete/disable that account then that user account will be unable to authenticate and run that command.
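The reasoning above (same user, same remote address, one command on a fixed cadence suggests a script or monitor) can be turned into a simple check over ISE TACACS command-authorization records. This is an added example, not code from the thread or from Cisco; the records are constructed sample data using the 5-minute cadence reported later in the thread, and the field layout (timestamp, username, network device IP, remote address, command) is an assumption about how you would export the Live Log "Overview" fields.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records (not real ISE logs): timestamp, Username,
# Network Device IP (the ASA), Remote Address, Command From Device.
SAMPLE_RECORDS = [
    ("2024-05-01 10:00:05", "MY_LOCAL_USERNAME", "10.0.0.1", "192.0.2.10", "show vpn-sessiondb full anyconnect"),
    ("2024-05-01 10:05:04", "MY_LOCAL_USERNAME", "10.0.0.1", "192.0.2.10", "show vpn-sessiondb full anyconnect"),
    ("2024-05-01 10:10:06", "MY_LOCAL_USERNAME", "10.0.0.1", "192.0.2.10", "show vpn-sessiondb full anyconnect"),
    ("2024-05-01 10:15:05", "MY_LOCAL_USERNAME", "10.0.0.1", "192.0.2.10", "show vpn-sessiondb full anyconnect"),
    ("2024-05-01 10:02:11", "alice", "10.0.0.1", "192.0.2.55", "show running-config"),
    ("2024-05-01 10:31:47", "alice", "10.0.0.1", "192.0.2.55", "show vpn-sessiondb anyconnect"),
]


def find_periodic_sources(records, min_events=4, max_jitter_s=30.0):
    """Group command authorizations by (username, remote address) and report
    the groups whose inter-event gaps are nearly constant.

    A regular cadence from one user and one remote address is the pattern of
    a script or monitoring system rather than an interactive operator.
    Caveat: when "Remote Address" is a NAT IP, several real hosts share one
    key, so a hit still needs confirmation on the device doing the NAT.
    """
    groups = defaultdict(list)
    for ts, user, _device_ip, remote, cmd in records:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        groups[(user, remote)].append((when, cmd))

    findings = {}
    for key, events in groups.items():
        if len(events) < min_events:
            continue  # too few events to say anything about cadence
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        if pstdev(gaps) <= max_jitter_s:
            findings[key] = {
                "interval_s": round(mean(gaps)),
                "commands": sorted({cmd for _, cmd in events}),
            }
    return findings


if __name__ == "__main__":
    for (user, remote), info in find_periodic_sources(SAMPLE_RECORDS).items():
        print(f"{user} from {remote}: every ~{info['interval_s']}s runs {info['commands']}")
```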

cisco.13
Level 1

@Rob Ingram 

Unfortunately, "Remote Address" is a NAT IP! Is there a command to run on the ASA to get the details?

THANKS

@cisco.13 "show xlate" for translations and "show conn" for connections.

cisco.13
Level 1

Thank you @Rob Ingram 

I don't see anything special, only syslog and F5 connections. I think it's the ASA itself that executes these commands, I don't know why! And I don't understand how it chose this username "MY_LOCAL_USERNAME", because I have several configured on the ISE/TACACS (not local usernames on the ASA).

I also found:

show crypto ca certificates
show crypto ipsec stats
show vpn-sessiondb summary
show ssl mib 64
show vpn-sessiondb ra-ikev1-ipsec
show vpn-sessiondb detail full webvpn
show vpn-sessiondb anyconnect

cisco.13
Level 1

Hello,

Correction: logs appear every 5 minutes.

hslai
Cisco Employee

@cisco.13 Every 5 minutes is most likely from some monitoring system.

"show xlate" would not give you the info unless this ASA is the one performing the NAT for the end workstation.

Hello @hslai, yes, the IP was found in the logs. Thanks