08-25-2023 03:14 AM - edited 08-25-2023 03:15 AM
Hello Everybody,
Can you please tell me what the ISE/TACACS logs of my ASA device correspond to?
Indeed, the "Username" is configured on both devices (local username).
- Who initiates these requests?
- What is the "Username" used (that of ISE or ASA)?
- What are these requests for?
- Is there an impact if I delete the Username from ISE?
Example 1:
13013 Received TACACS+ Authentication START Request - AD
....
13015 Returned TACACS+ Authentication Reply
Request Type Authentication
Status Pass
Message Text Passed-Authentication: Authentication succeeded
Selected Authorization Profile admi_profile
Example 2:
13005 Received TACACS+ Authorization Request - AD
...
13034 Returned TACACS+ Authorization Reply
Request Type Authorization
Status Pass
Message Text Device-Administration: Session Authorization succeeded
Shell Profile admi_profile
Matched Command Set
Command From Device
Example 3:
13005 Received TACACS+ Authorization Request - AD
...
13034 Returned TACACS+ Authorization Reply
Request Type Authorization
Status Pass
Matched Command Set adminprofile
Command From Device show vpn-sessiondb full anyconnect
Message Text Device-Administration: Command Authorization succeeded
Thank you very much
08-25-2023 03:29 AM
It depends on your AAA config. If AAA prefers ISE and falls back to local, then the user will be from ISE/AD; in this case the local user is not valid.
If you look at the full log, it will show you the username and where it authenticated.
Is there an impact if I delete the Username from ISE? If this is a normal user, I do not see any impact.
08-25-2023 04:36 AM
Hello,
I think I expressed my need badly!
This is a local account configured on the ASA and on the ISE (for another need).
ISE logs are present continuously (~every minute).
I see the command "show vpn-sessiondb full anyconnect" is executed by this account.
Example 1:
13013 Received TACACS+ Authentication START Request - AD
....
13015 Returned TACACS+ Authentication Reply
Request Type Authentication
Status Pass
Message Text Passed-Authentication: Authentication succeeded
Selected Authorization Profile admi_profile
Example 2:
13005 Received TACACS+ Authorization Request - AD
...
13034 Returned TACACS+ Authorization Reply
Request Type Authorization
Status Pass
Message Text Device-Administration: Session Authorization succeeded
Shell Profile admi_profile
Matched Command Set
Command From Device
Example 3:
13005 Received TACACS+ Authorization Request - AD
...
13034 Returned TACACS+ Authorization Reply
Request Type Authorization
Status Pass
Matched Command Set adminprofile
Command From Device show vpn-sessiondb full anyconnect
Message Text Device-Administration: Command Authorization succeeded
Thank you very much
08-25-2023 05:04 AM
In addition, I've just deleted the local account (MY_LOCAL_USERNAME) on the ASA device and I still see the Live Logs on ISE!
I do not understand these logs from the ISE, received continuously:
13005 Received TACACS+ Authorization Request - AD
15049 Evaluating Policy Group - MY_LOCAL_USERNAME
15008 Evaluating Service Selection Policy - aaa.domaine.local
15048 Queried PIP - domaine.local
15041 Evaluating Identity Policy
22072 Selected identity source sequence - ERROR_NO_SUCH_USER
15013 Selected Identity Source - AD
24432 Looking up user in Active Directory - AD
24325 Resolving identity - MY_LOCAL_USERNAME
24313 Search for matching accounts at join point - aaa.domaine.local
24318 No matching account found in forest - domaine.local
24322 Identity resolution detected no matching account
24352 Identity resolution failed - ERROR_NO_SUCH_USER
24412 User not found in Active Directory - AD
15013 Selected Identity Source - Internal Users
24210 Looking up User in Internal Users IDStore
24212 Found User in Internal Users IDStore
22037 Authentication Passed
15036 Evaluating Authorization Policy
24432 Looking up user in Active Directory
24325 Resolving identity
24313 Search for matching accounts at join point
24318 No matching account found in forest
24322 Identity resolution detected no matching account
24352 Identity resolution failed
24412 User not found in Active Directory
15048 Queried PIP - AD.ExternalGroups (2 times)
15048 Queried PIP - Network Access.UserName
15048 Queried PIP - IdentityGroup.Name
15018 Selected Command Set
13024 Command matched a Permit rule
13034 Returned TACACS+ Authorization Reply
Overview
Request Type Authorization
Status Pass
Session Key tacacs/478462371/124230950
Message Text Device-Administration: Command Authorization succeeded
Username MY_LOCAL_USERNAME
Authorization Policy ALL-DEVICES_Policy >> MY_Rule
Shell Profile
Matched Command Set My_admin15_tacacs_command_sets
Command From Device show vpn-sessiondb full anyconnect
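The step list above answers the question of which account is actually being used: ISE first selects the AD identity source (15013), the AD lookup fails (24412), then it selects Internal Users (15013) and finds the account there (24212), so the ISE internal user is what passes, not anything on the ASA. The following is an added example, not code from the thread or from Cisco, that walks such a step list and reports the identity stores tried and their outcome. The input is the step text from the post above; the step codes it keys on are only those visible in the post, and treating "15036 Evaluating Authorization Policy" as the boundary after which further AD lookups are group queries rather than identity-store attempts is an assumption about the log layout.

```python
"""Summarize which identity store matched in an ISE TACACS+ step list."""
import re

# Step text as shown in the ISE Live Log "Steps" panel, copied from the post above.
STEPS = """\
13005 Received TACACS+ Authorization Request - AD
15049 Evaluating Policy Group - MY_LOCAL_USERNAME
15008 Evaluating Service Selection Policy - aaa.domaine.local
15048 Queried PIP - domaine.local
15041 Evaluating Identity Policy
22072 Selected identity source sequence - ERROR_NO_SUCH_USER
15013 Selected Identity Source - AD
24432 Looking up user in Active Directory - AD
24325 Resolving identity - MY_LOCAL_USERNAME
24313 Search for matching accounts at join point - aaa.domaine.local
24318 No matching account found in forest - domaine.local
24322 Identity resolution detected no matching account
24352 Identity resolution failed - ERROR_NO_SUCH_USER
24412 User not found in Active Directory - AD
15013 Selected Identity Source - Internal Users
24210 Looking up User in Internal Users IDStore
24212 Found User in Internal Users IDStore
22037 Authentication Passed
15036 Evaluating Authorization Policy
24432 Looking up user in Active Directory
24325 Resolving identity
24313 Search for matching accounts at join point
24318 No matching account found in forest
24322 Identity resolution detected no matching account
24352 Identity resolution failed
24412 User not found in Active Directory
15048 Queried PIP - AD.ExternalGroups (2 times)
15048 Queried PIP - Network Access.UserName
15048 Queried PIP - IdentityGroup.Name
15018 Selected Command Set
13024 Command matched a Permit rule
13034 Returned TACACS+ Authorization Reply
"""

# "<5-digit code> <message>[ - <detail>]"; the detail after " - " is optional.
STEP_RE = re.compile(r"^(\d{5})\s+(.*?)(?:\s+-\s+(.*))?$")


def parse_steps(text):
    """Turn the step panel text into a list of {code, message, detail} dicts."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line.strip())
        if m:
            code, message, detail = m.groups()
            steps.append({"code": code, "message": message, "detail": detail or ""})
    return steps


def summarize_identity_resolution(steps):
    """Report the resolved username, each identity store tried, and the outcome."""
    summary = {"username": None, "stores": [], "authenticated": False,
               "command_permitted": False}
    current = None  # identity store currently being queried, if any
    for s in steps:
        code = s["code"]
        if code == "24325" and summary["username"] is None:
            summary["username"] = s["detail"]          # first "Resolving identity - <user>"
        elif code == "15013":                          # a new identity store is selected
            current = {"store": s["detail"], "result": "unknown"}
            summary["stores"].append(current)
        elif code == "15036":
            # Assumption: once the authorization policy is evaluated, later AD
            # lookups are group/attribute queries, not identity-store attempts.
            current = None
        elif code == "24412" and current is not None:  # user not found in AD
            current["result"] = "not found"
        elif code == "24212" and current is not None:  # user found in Internal Users
            current["result"] = "found"
        elif code == "22037":
            summary["authenticated"] = True
        elif code == "13024":
            summary["command_permitted"] = True
    return summary


if __name__ == "__main__":
    result = summarize_identity_resolution(parse_steps(STEPS))
    print(f"user {result['username']!r}:")
    for attempt in result["stores"]:
        print(f"  {attempt['store']}: {attempt['result']}")
    print(f"authenticated={result['authenticated']} "
          f"command_permitted={result['command_permitted']}")
```

Without the 15036 boundary, the second "User not found in Active Directory" (logged while authorization evaluates AD.ExternalGroups) would wrongly overwrite the Internal Users result, so the phase reset matters for this particular log shape.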
08-25-2023 05:21 AM
@cisco.13 you are using TACACS and each command is authorised by ISE, so there will be an authorisation log entry for each command executed on the ASA.
08-25-2023 05:40 AM
Hello @Rob Ingram,
Thank you for your reply,
How can I find out who is executing these commands on the ASA (it looks like a script/robot)?
e.g. show vpn-sessiondb full anyconnect
Is there no impact on the ASA/VPN service if I delete the account on ISE?
Thank you
08-25-2023 05:53 AM - edited 08-25-2023 06:09 AM
24325 Resolving identity - MY_LOCAL_USERNAME is the username being authorised.
Why do you think this is a script?
If you delete the account on ISE then the user will fail to be authenticated and subsequently be unable to execute those commands.
08-25-2023 06:14 AM
Indeed, the account "MY_LOCAL_USERNAME" is used for other needs and I am studying the impact on the ASA/VPN (and other devices) if I delete this account, following the request of the cyber team.
Why do you think this is a script? Because I see live logs continuously on the ISE (~every minute) and I do not see in the logs the IP which executes the commands (except the IP of the ASA).
THANKS
08-25-2023 06:23 AM
@cisco.13 the "Network Device IP" address will be the IP address of the ASA, but the ISE TACACS logs will also have a "Remote Address" which will be the source of the connection (laptop, desktop or server).
If "show vpn-sessiondb full anyconnect" is the only command being logged every 1 minute by the same user, then yes it sounds like it might be a script.
If you delete/disable that account then that user account will be unable to authenticate and run that command.
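The test proposed above (the same user, from the same Remote Address, issuing "show" commands on a fixed interval) can be applied to an export of the Live Log rather than read off by eye. The following is an added example, not code from the thread or from Cisco. It assumes a flat CSV with the columns timestamp, Username, Network Device IP, Remote Address and Command From Device, in that order; the sample rows, the addresses (10.0.0.1 for the ASA, 198.51.100.7 as a NAT address in front of the unknown host, 10.20.30.40 for an interactive admin) and the user "jdoe" are constructed for illustration.

```python
"""Flag (Username, Remote Address) pairs whose TACACS+ command authorizations
arrive on a near-fixed interval, the signature of a monitoring script."""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO
from statistics import mean, pstdev

# Constructed sample export (not a real ISE Live Log). Column order is assumed:
# timestamp, Username, Network Device IP, Remote Address, Command From Device.
SAMPLE_CSV = """\
2023-08-25 05:00:01,MY_LOCAL_USERNAME,10.0.0.1,198.51.100.7,show vpn-sessiondb full anyconnect
2023-08-25 05:01:10,jdoe,10.0.0.1,10.20.30.40,show running-config
2023-08-25 05:01:47,jdoe,10.0.0.1,10.20.30.40,show conn
2023-08-25 05:05:02,MY_LOCAL_USERNAME,10.0.0.1,198.51.100.7,show vpn-sessiondb summary
2023-08-25 05:08:37,jdoe,10.0.0.1,10.20.30.40,show xlate
2023-08-25 05:08:49,jdoe,10.0.0.1,10.20.30.40,show vpn-sessiondb anyconnect
2023-08-25 05:10:00,MY_LOCAL_USERNAME,10.0.0.1,198.51.100.7,show vpn-sessiondb full anyconnect
2023-08-25 05:15:01,MY_LOCAL_USERNAME,10.0.0.1,198.51.100.7,show crypto ipsec stats
2023-08-25 05:20:03,MY_LOCAL_USERNAME,10.0.0.1,198.51.100.7,show vpn-sessiondb full anyconnect
2023-08-25 05:25:01,MY_LOCAL_USERNAME,10.0.0.1,198.51.100.7,show vpn-sessiondb summary
"""

FIELDS = ("timestamp", "username", "device_ip", "remote_address", "command")


def parse_records(text):
    """Parse the CSV export into dicts, adding a datetime under 'ts'."""
    rows = []
    for row in csv.DictReader(StringIO(text), fieldnames=FIELDS):
        row["ts"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def group_by_principal(records):
    """Group authorizations by (Username, Remote Address), each sorted by time."""
    groups = defaultdict(list)
    for rec in records:
        groups[(rec["username"], rec["remote_address"])].append(rec)
    for recs in groups.values():
        recs.sort(key=lambda r: r["ts"])
    return groups


def cadence(records):
    """Mean gap and population std-dev (jitter) between consecutive requests, in seconds."""
    deltas = [(b["ts"] - a["ts"]).total_seconds()
              for a, b in zip(records, records[1:])]
    return mean(deltas), pstdev(deltas)


def find_periodic_principals(records, min_requests=4, max_jitter_s=15.0):
    """Return principals with enough requests whose spacing is nearly constant.

    An interactive admin produces irregular gaps (large jitter); a poller
    produces gaps clustered tightly around its interval.
    """
    findings = []
    for (user, remote), recs in group_by_principal(records).items():
        if len(recs) < min_requests:
            continue
        interval, jitter = cadence(recs)
        if jitter <= max_jitter_s:
            findings.append({
                "username": user,
                "remote_address": remote,
                "requests": len(recs),
                "interval_s": round(interval),
                "jitter_s": round(jitter, 1),
                "commands": sorted({r["command"] for r in recs}),
            })
    return findings


if __name__ == "__main__":
    for f in find_periodic_principals(parse_records(SAMPLE_CSV)):
        print(f"{f['username']}@{f['remote_address']}: every ~{f['interval_s']}s "
              f"(jitter {f['jitter_s']}s over {f['requests']} requests) -> {f['commands']}")
```

On the constructed data only the MY_LOCAL_USERNAME/198.51.100.7 pair is flagged, at roughly 300 s; the interactive user's four commands arrive 37, 410 and 12 seconds apart and are left alone. Because the Remote Address here is a NAT address, the flagged remote identifies the NAT device rather than the poller itself, which is why the thread goes on to look at the translation table.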
08-25-2023 08:48 AM
Unfortunately, "Remote Address" is a NAT IP! Is there a command to run on the ASA to get the details?
THANKS
08-25-2023 08:56 AM
@cisco.13 "show xlate" for translations and "show conn" for connections.
08-25-2023 10:44 AM
Thank you @Rob Ingram
I don't see anything special, only syslog and F5 connections. I think it's the ASA itself that executes these commands, I don't know why! And I don't understand how it chose this username "MY_LOCAL_USERNAME", because I have several configured on the ISE/TACACS (not local usernames on the ASA).
I also found:
show crypto ca certificates
show crypto ipsec stats
show vpn-sessiondb summary
show ssl mib 64
show vpn-sessiondb ra-ikev1-ipsec
show vpn-sessiondb detail full webvpn
show vpn-sessiondb anyconnect
08-28-2023 09:49 AM
Hello,
Correction: the logs appear every 5 minutes.
08-31-2023 08:25 PM
@cisco.13 Every 5 minutes is most likely from some monitoring system.
"show xlate" would not give you the info unless this ASA is the one performing the NAT for the end workstation.
08-31-2023 11:29 PM - edited 09-01-2023 02:05 AM
Hello @hslai, yes, the IP was found in the logs. Thanks