Stealthwatch TACACS

thecompnerd (Level 1)

I would like to use TACACS for logging into Stealthwatch's webUI.  Per the user guide, I added ISE servers as authentication servers in the Stealthwatch Management Console.  Also, I added the Stealthwatch server as a network device into ISE and configured a minimal policy set.  After several login attempts, I never see the authentications hit the ISE TACACS logs.  I tested against another non-ISE TACACS server to be sure it wasn't an ISE issue and do not see the authentication there, either.  It seems as though Stealthwatch needs additional config to tell it to use the TACACS servers that were specified.  Is there some other configuration required in Stealthwatch that tells it to do so?

Accepted Solution

Marvin Rhoads (Hall of Fame)

When you add ISE servers in the SMC console web UI, that is for using ISE as an identity source (i.e. mapping flows' IP addresses to users).

To use ISE as your TACACS (or RADIUS) authentication server, you need to do it from the Swing client (the Java desktop applet). Select your SW domain and then Configuration > Users and Role Management. Select the Authentication Service icon and then add your TACACS server there. Once successfully added, create a user in Stealthwatch and tell Stealthwatch to use this newly added Authentication service for that user.

[Screenshot: SW TACACS.PNG]


11 Replies


Thanks Marvin! I apologize as my post wasn't very clear. I added the ISE servers under the Authentication Service, as pictured in your screenshot, but I did not add the user in the Stealthwatch WebUI, which was the missing piece of information. I just added the TACACS user in the WebUI, told it to use the ISE servers from the Authentication Service for this user, and now TACACS works. Thanks for the helpful advice!
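The symptom in the original question (logins that never appear in the ISE TACACS+ live log) can have two very different causes: the SMC never sends a TACACS+ request, or the request arrives but fails (wrong shared key, wrong port, source IP not defined as a network device). The following is an added example, not from this thread and not Cisco code: a minimal TACACS+ (RFC 8907) PAP authentication probe that you can run from a host on the same network segment as the SMC to check the server side independently. It builds an authentication START, applies the RFC 8907 pseudo-pad obfuscation with the shared key, and decodes the REPLY; the server name, key, username, password and the 203.0.113.10 client address are placeholders you would replace.

```python
"""Minimal TACACS+ (RFC 8907) PAP authentication probe.

Constructed example for checking that a TACACS+ server (e.g. ISE) is reachable
on TCP/49 and accepts the shared key, independently of the SMC. Hostnames, keys
and credentials are placeholders.
"""
import hashlib
import os
import socket
import struct

TAC_PLUS_VER_MINOR_1 = 0xC1     # major version 0xC, minor version 1 (required for PAP)
TAC_PLUS_AUTHEN = 0x01          # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
AUTHEN_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_PAP, AUTHEN_SVC_LOGIN = 0x01, 0x01, 0x02, 0x01
REPLY_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                5: "GETPASS", 6: "RESTART", 7: "ERROR"}
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, body length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 4.5: pad_1 = MD5(session_id|key|version|seq_no), pad_n = MD5(...|pad_n-1)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(seed + prev).digest()
        out += prev
    return out[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; the same call de-obfuscates (XOR is symmetric)."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: bytes, password: bytes, session_id: int, key: bytes,
                       port: bytes = b"tty0", rem_addr: bytes = b"203.0.113.10") -> bytes:
    """Authentication START (seq_no 1) carrying a PAP login. rem_addr is a placeholder."""
    body = struct.pack("!8B", AUTHEN_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_PAP, AUTHEN_SVC_LOGIN,
                       len(user), len(port), len(rem_addr), len(password))
    body += user + port + rem_addr + password
    header = HEADER.pack(TAC_PLUS_VER_MINOR_1, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VER_MINOR_1, 1)


def parse_packet(packet: bytes, key: bytes):
    """Split header from body; de-obfuscate the body unless the peer sent it in the clear."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError(f"truncated packet: want {length} body bytes, got {len(body)}")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no, "session_id": session_id}, body


def parse_authen_reply(packet: bytes, key: bytes):
    """Return (status name, server_msg). A wrong shared key decodes to garbage, so an
    UNKNOWN status is the usual symptom of a key mismatch rather than a rejection."""
    _, body = parse_packet(packet, key)
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    server_msg = body[6:6 + msg_len].decode("utf-8", errors="replace")
    return REPLY_STATUS.get(status, f"UNKNOWN({status})"), server_msg


def build_authen_reply(status: int, server_msg: bytes, session_id: int, key: bytes) -> bytes:
    """Server-side REPLY (seq_no 2); used here only to exercise the parser offline."""
    body = struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg
    header = HEADER.pack(TAC_PLUS_VER_MINOR_1, TAC_PLUS_AUTHEN, 2, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VER_MINOR_1, 2)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-packet")
        buf += chunk
    return buf


def probe(server: str, key: bytes, user: bytes, password: bytes,
          port: int = 49, timeout: float = 5.0):
    """Send one START and read one REPLY, e.g. probe("ise.example.net", b"key", b"u", b"p")."""
    session_id = int.from_bytes(os.urandom(4), "big")
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(build_authen_start(user, password, session_id, key))
        header = _recv_exact(s, HEADER.size)
        body = _recv_exact(s, HEADER.unpack(header)[5])
    return parse_authen_reply(header + body, key)
```

If `probe()` returns PASS or FAIL, the server, port and shared key are fine and the attempt shows up in the ISE live log, so a silent SMC login means the SMC is not sending at all (the Authentication Service / user mapping issue discussed above). A connection refused or timeout points at reachability or the network-device definition; an UNKNOWN status almost always means a key mismatch.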

You're welcome. I'm glad it helped.

That actual process is very sparsely documented in the SW configuration guide. I had to dig deep for it, so I learned something myself in the process.

It would be great if the second step of adding the user manually to the webUI wasn't necessary for TACACS to function, just like it's unnecessary to do on a switch, router, etc.

I agree - it's kind of an add-on afterthought. Just like is done with FMC.

Configuring users manually on the SMC WebUI won't be necessary anymore starting in SMC version 7.1.2, which will be released in December this year. Plus, you will be able to perform authorization with TACACS+ as well, so the roles can be configured and pushed from the ISE side.

Hi

"Once successfully added, create a user in Stealthwatch and tell Stealthwatch to use this newly added Authentication service for that user."

When authenticating 10 users or more with TACACS+, do you have to create each and every user in Stealthwatch too?

Is there no TACACS / RADIUS attribute the RADIUS (ISE) server can send back to the Stealthwatch SMC to automatically assign the role?

Regards

Jarle

Hi,

Each and every user has to be created; there is no role assignment. The integration is for user authentication only as of now.

Regards
Hanna Jabbour

Hi @Marvin Rhoads

Do you possibly know if the Flow Sensors can be integrated with TACACS?

From what I could find so far, it seems that the TACACS configuration is only valid for the SMC?

Correct - it is only for the SMC.

It's ironic that a security product doesn't leverage external authentication services.

Thank you, made my day.

As of 7.4 you can configure ISE as a RADIUS server in the WebGUI, but you still need to configure the user. Instead of choosing a password, you use ISE as the identity source.