Cisco ISE

Cisco Identity Services Engine (ISE) provides identity management across different devices and applications. You can configure Cisco ISE to send its VPN data to InsightIDR so you can see users' remote network access activity.

To set up Cisco ISE, you need to:

  1. Configure Cisco ISE to send data to your Collector.
  2. Set up Cisco ISE in InsightIDR.
  3. Verify that the configuration works.

Configure Cisco ISE to send logs to InsightIDR

To have InsightIDR receive data from your Cisco ISE remote syslog, complete the following steps:

Task 1: Configure a remote logging target in Cisco ISE

  1. Log in to your Cisco ISE administration interface.
  2. In the navigation menu, choose Administration > System > Logging > Remote Logging Targets.
  3. Click New and configure the following parameters:

Option           Description
Name             Type a unique name for the remote target system.
Description      Optionally, a description that lets users uniquely identify the target system.
IP Address       Enter the IP address of the InsightIDR Collector.
Port             Enter the port value you specify for the Cisco ISE event source in InsightIDR (the port the Collector listens on).
Facility Code    From the Facility Code list, select the syslog facility to use for logging events.
Maximum Length   Enter 1024, the maximum message length allowed for UDP syslog.

  4. Click Submit.

Task 2: Add the new target to the required logging categories

  1. Choose Administration > System > Logging > Logging Categories.
  2. Click the radio button next to the category you want to edit, then click Edit.
  3. Add the target you created in the previous section to the following categories. These are the default log collection settings and can be modified as needed:
    • AAA Audit
      • Failed Attempts
      • Passed Authentications
    • AAA Diagnostics
      • Administrator Authentication and Authorization
      • Authentication Flow Diagnostics
      • Identity Stores Diagnostics
      • Policy Diagnostics
      • RADIUS Diagnostics
    • Accounting
    • External MDM
    • Passive ID
    • Posture and Client Provisioning Audit
    • Posture and Client Provisioning Diagnostics
    • Profiler
    • Administrative and Operational Audit
    • System Diagnostics
    • System Statistics
  4. Click Save.
  5. Go to the Logging Categories page and verify the configuration changes made to the specific categories.

For more information, see the Cisco Identity Services Engine Administrator Guide.

Set up Cisco ISE in InsightIDR

  1. From the dashboard, select Data Collection in the left menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the Security Data section, click the VPN icon. The Add Event Source panel appears.
  4. Click Cisco ISE.
  5. Choose the timezone that matches the location of your event source logs.
  6. Optionally choose to send unfiltered logs.
  7. Optionally configure the inactivity timeout threshold, in minutes.
  8. Configure your default domain and any advanced settings.
  9. Select Syslog as the collection method, and specify the port and protocol you identified during the Cisco ISE configuration.
  10. Optionally choose to encrypt the event source if you selected TCP, by downloading the Rapid7 certificate. Plain UDP syslog travels in the clear and carries no sender authentication, so prefer TCP with encryption wherever the network path between ISE and the Collector is not fully trusted.
  11. Click Save.

Verify the configuration

Complete the following steps to view the logs and make sure events are being sent to the Collector.

  1. On the new event source you just created, click the View Raw Log button. If you see log messages in the box, logs are flowing to the Collector.
  2. Next, click Log Search in the left menu. Select the applicable log set and the log name within it. The log name is the event source name, or "Cisco ISE" if you did not name the event source. Cisco ISE logs flow into the following log sets:
    • Ingress Authentication
    • Firewall Activity

Logs take at least 7 minutes to appear in Log Search

Note that after you set up the event source, it takes at least 7 minutes for logs to appear in Log Search. If you see log messages when you select View Raw Log on the event source but still see nothing in Log Search after waiting a few minutes, your logs do not match the recommended format and type for this event source.

Sample logs

The following are examples of logs sent from Cisco ISE to InsightIDR.

Ingress Authentication (VPN)

Jun 26 11:32:07 RPD7HOST CISE_RADIUS_Accounting 0038030740 20 2020-06-26 11:32:07.519 -04:00 0527431588 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ACSVersion=acs-5.7.0.15-B.257.x86_64, ConfigVersionId=176, Device IP Address=122.68.12.10, DestinationIPAddress=10.8.32.51, DestinationPort=1813, RequestLatency=1, UserName=mtwain, NAS-IP-Address=122.68.12.10, NAS-Port=2, Framed-IP-Address=10.125.3.20, Class=CACS:ushosmacs03/260356379/9200817, Called-Station-ID=122.68.12.10, Calling-Station-ID=10.125.3.20, NAS-Identifier=demomo-wlc01, Acct-Status-Type=Start, Acct-Session-Id=57ba421c/9c:fc:01:??:31:50/35306, Acct-Authentic=RADIUS, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 30, cisco-av-pair=audit-session-id=0a637d0a00012f7b1a42ba57, Airespace-Wlan-Id=1, AcsSessionID=USRCSMACS04/250984979/32907000, Step=11004, Step=11017, Step=15008, Step=15004, Step=15012, Step=22079, Step=11005, NetworkDeviceName=DEMOMO-WLC01

Jun 26 11:32:07 RPD7HOST CISE_RADIUS_Accounting 0173168007 20 2020-06-26 11:32:07.519 -04:00 1716674385 3001 NOTICE Radius-Accounting: RADIUS Accounting stop request, ACSVersion=acs-5.7.0.1-B.257.x86_64, ConfigVersionId=47, Device IP Address=162.48.4.12, DestinationIPAddress=10.115.6.51, DestinationPort=1813, RequestLatency=0, UserName=mtwain, NAS-IP-Address=162.48.4.12, NAS-Port=1, Framed-IP-Address=10.148.15.45, Class=CACS:KRDCSMACS05/254262891/120113033, Called-Station-ID=74-a2-e6-c7-4b-20, Calling-Station-ID=84-a1-34-d0-36-05, Acct-Status-Type=Stop, NAS-Identifier=Cisco_c7:4b:24, Acct-Delay-Time=0, Acct-Input-Octets=70779, Acct-Output-Octets=161620, Acct-Session-Id=57ba5e51/84:a1:34:d0:36:05/28561, Acct-Authentic=RADIUS, Acct-Session-Time=3274, Acct-Input-Packets=471, Acct-Output-Packets=367, Acct-Terminate-Cause=Idle-Timeout, attribute-52=00:00:00:00, attribute-53=00:00:00:00, Event-Timestamp=1471834908, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN

Jun 26 11:32:07 RPD7HOST CISE_RADIUS_Accounting 0173168014 20 2020-06-26 11:32:07.519 -04:00 1716674482 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, ACSVersion=acs-5.7.0.1-B.257.x86_64, ConfigVersionId=47, Device IP Address=10.3.0.20, DestinationIPAddress=10.115.6.51, DestinationPort=1813, RequestLatency=0, UserName=mtwain, NAS-IP-Address=10.3.0.20, NAS-Port=1, Framed-IP-Address=10.3.17.20, Called-Station-ID=10.3.0.20, Calling-Station-ID=10.3.17.20, NAS-Identifier=Knox_Plant, Acct-Status-Type=Interim-Update, Acct-Delay-Time=0, Acct-Input-Octets=5803226, Acct-Output-Octets=2622839, Acct-Session-Id=57b8a71a/00:17:23:0c:80:10/1415, Acct-Authentic=Remote, Acct-Session-Time=141421, Acct-Input-Packets=46062, Acct-Output-Packets=17322, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 2, cisco-av-pair=nas-update=true, Airespace-Wlan-Id=2, AcsSessionID=KRDCSMACS05/254262891/120118472, Step=11004, Step=11017, Step=15008, Step=15004

Firewall Activity (Passed Authentication)

Jun 25 15:46:23 RPD7HOST CISE_Passed_Authentications 0000556184 1 0 2020-06-25 15:46:23.961 -07:00 0002321066 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=10, Device IP Address=10.64.120.4, DestinationIPAddress=10.8.40.47, DestinationPort=1812, UserName=hfinn, Protocol=Radius, RequestLatency=14, NetworkDeviceName=BR120-SW, User-Name=hfinn, NAS-IP-Address=10.64.120.4, NAS-Port=50126, Service-Type=Call Check, Framed-MTU=1472, Calling-Station-ID=fc-3f-db-4d-69-a2, NAS-Identifier=BR120-SW1, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet1/0/26, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=0478400a0001e0fef3c90efb, cisco-av-pair=method=mab, OriginalUserName=hfinn, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, IsThirdPartyDeviceFlow=false, RadiusFlowType=WiredMAB, AcsSessionID=PRXPISE01W/373955389/136606, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=WIRED-PERMIT, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Profiled:HP-Device, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15041, Step=15013, Step=24209, Step=24211, Step=22037, Step=24715, Step=15036, Step=15048, Step=15048, Step=15048, Step=15016, Step=11022, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, AuthenticationStatus=AuthenticationPassed, NetworkDeviceGroups=Location#All Locations#RTL-Woodland Hills, NetworkDeviceGroups=Device Type#All Device Types#Switches, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, IdentityPolicyMatchedRule=Default, AuthorizationPolicyMatchedRule=Printers, UserType=Host, CPMSessionID=0478400A0001E0FEF3C90EFB, EndPointMACAddress=FC-3F-DB-4D-69-A2, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=HP-LaserJet-Printer, DeviceRegistrationStatus=NotRegistered, ISEPolicySetName=Wired MAB, IdentitySelectionMatchedRule=Default, StepData=5= Normalised Radius.RadiusFlowType, StepData=6= Radius.NAS-Port-Type, StepData=7= DEVICE.Device Type, StepData=9=Internal Endpoints, StepData=15=EndPoints.AnomalousBehaviour, StepData=16=EndPoints.EndPointPolicy, StepData=17=EndPoints.LogicalProfile, allowEasyWiredSession=false, DTLSSupport=Unknown, HostIdentityGroup=Endpoint Identity Groups:Profiled:HP-Device, Network Device Profile=Cisco, Location=Location#All Locations#RTL-Woodland Hills, Device Type=Device Type#All Device Types#Switches, IPSEC=IPSEC#Is IPSEC Device#No, LogicalProfile=3b8d49f0-8c01-11e6-996c-525400b48521, LogicalProfile=b9e45830-1c19-11e8-b9c2-6cb2ae989650, EndPointPolicy=74bff490-51ce-11e8-b9c2-6cb2ae989650, EndPointPolicy=29473540-8c00-11e6-996c-525400b48521, EndPointPolicy=23d26b20-8c00-11e6-996c-525400b48521, Name=Endpoint Identity Groups:Profiled:HP-Device, Response={UserName=hfinn; User-Name=hfinn; State=ReauthSession:0478400A0001E0FEF3C90EFB; Class=CACS:0478400A0001E0FEF3C90EFB:PRXPISE01W/373955389/136606; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-WIRED-DOMAIN-USER-5a6269ae; cisco-av-pair=profile-name=HP-LaserJet-Printer; LicenseTypes=2051; }

Firewall Activity (Failed Attempt)

Jun 25 15:47:15 RPD7HOST CISE_Failed_Attempts 0000556788 1 0 2020-06-25 15:47:15.796 -07:00 0002322980 5400 NOTICE Failed-Attempt: Authentication failed, ConfigVersionId=10, Device IP Address=240.18.16.78, Device Port=5127, DestinationIPAddress=10.8.40.47, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=jfrost, Protocol=Radius, RequestLatency=7, NetworkDeviceName=SNA-ISE-SW, User-Name=jfrost, NAS-IP-Address=240.18.16.78, NAS-Port=50107, Service-Type=Framed, Framed-IP-Address=10.45.51.216, Framed-MTU=1472, State=37CPMSessionID=0F32280A000009533AB6EFE4\;37SessionID=PRXPISE01W/373955389/136694\;, Calling-Station-ID=84-B5-17-08-66-1E, NAS-Identifier=SNA-ISE-SW1, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet1/0/7, EAP-Key-Name=, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0F32280A000009533AB6EFE4, cisco-av-pair=method=dot1x, cisco-av-pair=vlan-id=0, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, IsThirdPartyDeviceFlow=false, RadiusFlowType=Wired802_1x, AcsSessionID=PRXPISE01W/373955389/136694, SelectedAccessService=EAP_TLS, FailureReason=12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12501, Step=12500, Step=12625, Step=11006, Step=11001, Step=11018, Step=12502, Step=12800, Step=12805, Step=12806, Step=12807, Step=12808, Step=12809, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12811, Step=12814, Step=12817, Step=12514, Step=12507, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=61025, Step=11504, Step=11003, NetworkDeviceGroups=Location#All Locations#3 MacArthur#Fifth Floor, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Device Type#All Device Types, EapAuthentication=EAP-TLS, OpenSSLErrorMessage=SSL alert: code=0x230=560 \; source=local \; type=fatal \; message="Unknown CA - error unable to get issuer certificate locally", OpenSSLErrorStack= 19132:error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed:s3_srvr.c:3411:, CPMSessionID=0F32280A000009533AB6EFE4, EndPointMACAddress=84-B5-17-08-66-1E, ISEPolicySetName=Wired DOT1X, StepData=4= DEVICE.Device Type, TLSCipher=unknown, TLSVersion=TLSv1.2, DTLSSupport=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#3 MacArthur#Fifth Floor, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No, Response={RadiusPacketType=AccessReject; }