Beginner

Stealthwatch TACACS

I would like to use TACACS for logging into Stealthwatch's webUI.  Per the user guide, I added ISE servers as authentication servers in the Stealthwatch Management Console.  Also, I added the Stealthwatch server as a network device into ISE and configured a minimal policy set.  After several login attempts, I never see the authentications hit the ISE TACACS logs.  I tested against another non-ISE TACACS server to be sure it wasn't an ISE issue and do not see the authentication there, either.  It seems as though Stealthwatch needs additional config to tell it to use the TACACS servers that were specified.  Is there some other configuration required in Stealthwatch that tells it to do so?

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Master

Re: Stealthwatch TACACS

When you add ISE servers in the SMC console web UI, that is for using ISE as an identity source (i.e. mapping flows' IP addresses to users).

To use ISE as your TACACS (or RADIUS) authentication server, you need to do it from the Swing client (the Java desktop applet). Select your SW domain and then Configuration > Users and Role Management. Select the Authentication Service icon and then add your TACACS server there. Once successfully added, create a user in Stealthwatch and tell Stealthwatch to use this newly added Authentication service for that user.

SW TACACS.PNG

5 Replies

Beginner

Re: Stealthwatch TACACS

Thanks Martin! I apologize as my post wasn't very clear. I added the ISE servers under the Authentication Service, as pictured in your screenshot, but I did not add the user in the Stealthwatch WebUI, which was the missing piece of information. I just added the TACACS user in the WebUI, told it to use the ISE servers from the Authentication Service for this user, and now TACACS works. Thanks for the helpful advice!

Hall of Fame Master

Re: Stealthwatch TACACS

You're welcome. I'm glad it helped.

That actual process is very sparsely documented in the SW configuration guide. I had to dig deep for it, so I learned something myself in the process.

Beginner

Re: Stealthwatch TACACS

It would be great if the second step of adding the user manually to the webUI wasn't necessary for TACACS to function, just like it's unnecessary to do on a switch, router, etc.

Hall of Fame Master

Re: Stealthwatch TACACS

I agree - it's kind of an add-on afterthought, just like what is done with FMC.
