Cisco ISE
Cisco Identity Services Engine (ISE) provides identity management across diverse devices and applications. You can configure Cisco ISE to send VPN data to InsightIDR so that you can see users' remote network ingress activity.
To set up Cisco ISE, you need to:
- Configure Cisco ISE to send data to your Collector.
- Set up Cisco ISE in InsightIDR.
- Verify that the configuration works.
Configure Cisco ISE to send logs to InsightIDR
For InsightIDR to receive data from your Cisco ISE remote syslog, complete the following steps:
Task 1: Configure a remote logging target in Cisco ISE
- Log in to your Cisco ISE administrative interface.
- From the navigation menu, choose Administration > System > Logging > Remote Logging Targets.
- Click Add and configure the following parameters:
| Option | Description |
|---|---|
| Name | Type a unique name for the remote target system. |
| Description | A description that lets users uniquely identify the target system. |
| IP Address | Enter the IP address of the InsightIDR Collector. |
| Port | Enter the port value you specify in the Cisco ISE event source in InsightIDR. |
| Facility Code | From the facility code list, choose the syslog facility to use for logging events. |
| Maximum Length | 1024, the maximum packet length allowed for UDP syslog messages. |

- Click Submit.
Task 2: Add the new target to the desired logging categories
- Choose Administration > System > Logging > Logging Categories.
- Click the radio button next to the category you want to edit, then click Edit.
- Add the target you created in the previous task to the following categories. These are the default log collection settings and can be modified as needed:
- AAA Audit
- Failed Attempts
- Passed Authentications
- AAA Diagnostics
- Administrator Authentication and Authorization
- Authentication Flow Diagnostics
- Identity Stores Diagnostics
- Policy Diagnostics
- RADIUS Diagnostics
- Accounting
- External MDM
- Passive ID
- Posture and Client Provisioning Audit
- Posture and Client Provisioning Diagnostics
- Profiler
- Administrative and Operational Audit
- System Diagnostics
- System Statistics
- Click Save.
- Go to the Logging Categories page and verify the configuration changes made to the specific category.
For more information, see the Cisco Identity Services Engine Administrator Guide.
Set up Cisco ISE in InsightIDR
- From your dashboard, select Data Collection on the left menu.
- When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
- From the Security Data section, click the VPN icon. The Add Event Source panel appears.
- Click Cisco ISE.
- Choose the timezone that matches the location of your event source logs.
- Optionally choose to send unfiltered logs.
- Optionally configure the inactivity timeout threshold, in minutes.
- Configure your default domain and any advanced settings.
- Select Syslog as the collection method and specify the port and protocol you set in the Cisco ISE remote logging target.
- If you chose TCP, you can optionally encrypt the event source by downloading the Rapid7 certificate.
- Click the Save button.
Verify the configuration
Complete the following steps to view your logs and confirm that events are being sent to the Collector.
- On the new event source you just created, click the View Raw Log button. If you see log messages in the box, logs are flowing to the Collector.
- Next, click Log Search in the left menu. Select the applicable Log Sets and the Log Names within them. The Log Name is the event source name, or "Cisco ISE" if you did not name the event source. Cisco ISE logs flow into these Log Sets:
- Ingress Authentication
- Firewall Activity
Logs take at least 7 minutes to appear in Log Search
Please note that after you set up the event source, logs take at least 7 minutes to appear in Log Search. If you see log messages when you click View Raw Log on the event source but see none in Log Search after waiting a few minutes, your logs do not match the recommended format and type for this event source.
Sample logs
The following are sample logs sent from Cisco ISE to InsightIDR.
Ingress Authentication (VPN)
Jun 26 11:32:07 RPD7HOST CISE_RADIUS_Accounting 0038030740 2 0 2020-06-26 11:32:07.519 -04:00 0527431588 3000 NOTICE RADIUS-Accounting: RADIUS Accounting start request, ACSVersion=acs-5.7.0.15-B.257.x86_64, ConfigVersionId=176, Device IP Address=122.68.12.10, DestinationIPAddress=10.8.32.51, DestinationPort=1813, RequestLatency=1, UserName=mtwain, NAS-IP-Address=122.68.12.10, NAS-Port=2, Framed-IP-Address=10.125.3.20, Class=CACS:ushosmacs03/260356379/9200817, Called-Station-ID=122.68.12.10, Calling-Station-ID=10.125.3.20, NAS-Identifier=demomo-wlc01, Acct-Status-Type=Start, Acct-Session-Id=57ba421c/9c:fc:01:海尔哥哥:31:50/35306, Acct-Authentic=RADIUS, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 30, cisco-av-pair=audit-session-id=0a637d0a00012f7b1a42ba57, Airespace-Wlan-Id=1, AcsSessionID=USRCSMACS04/250984979/32907000, Step=11004, Step=11017, Step=15008, Step=15004, Step=15012, Step=22079, Step=11005, NetworkDeviceName=DEMOMO-WLC01"
Jun 26 11:32:07 RPD7HOST CISE_RADIUS_Accounting 0173168007 2 0 2020-06-26 11:32:07.519 -04:00 1716674385 3001 NOTICE RADIUS-Accounting: RADIUS Accounting stop request, ACSVersion=acs-5.7.0.1-B.257.x86_64, ConfigVersionId=47, Device IP Address=162.48.4.12, DestinationIPAddress=10.115.6.51, DestinationPort=1813, RequestLatency=0, UserName=mtwain, NAS-IP-Address=162.48.4.12, NAS-Port=1, Framed-IP-Address=10.148.15.45, Class=CACS:KRDCSMACS05/254262891/120113033, Called-Station-ID=74-a2-e6-c7-4b-20, Calling-Station-ID=84-a1-34-d0-36-05, Acct-Status-Type=Stop, NAS-Identifier=Cisco_c7:4b:24, Acct-Delay-Time=0, Acct-Input-Octets=70779, Acct-Output-Octets=161620, Acct-Session-Id=57ba5e51/84:a1:34:d0:36:05/28561, Acct-Authentic=RADIUS, Acct-Session-Time=3274, Acct-Input-Packets=471, Acct-Output-Packets=367, Acct-Terminate-Cause=Idle-Timeout, attribute-52=00:00:00:00, attribute-53=00:00:00:00, Event-Timestamp=1471834908, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN"
Jun 26 11:32:07 RPD7HOST CISE_RADIUS_Accounting 0173168014 2 0 2020-06-26 11:32:07.519 -04:00 1716674482 3002 NOTICE RADIUS-Accounting: RADIUS Accounting watchdog update, ACSVersion=acs-5.7.0.1-B.257.x86_64, ConfigVersionId=47, Device IP Address=10.3.0.20, DestinationIPAddress=10.115.6.51, DestinationPort=1813, RequestLatency=0, UserName=mtwain, NAS-IP-Address=10.3.0.20, NAS-Port=1, Framed-IP-Address=10.3.17.20, Called-Station-ID=10.3.0.20, Calling-Station-ID=10.3.17.20, NAS-Identifier=Knox_Plant, Acct-Status-Type=Interim-Update, Acct-Delay-Time=0, Acct-Input-Octets=5803226, Acct-Output-Octets=2622839, Acct-Session-Id=57b8a71a/00:17:23:0c:80:10/1415, Acct-Authentic=Remote, Acct-Session-Time=141421, Acct-Input-Packets=46062, Acct-Output-Packets=17322, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 2, cisco-av-pair=nas-update=true, Airespace-Wlan-Id=2, AcsSessionID=KRDCSMACS05/254262891/120118472, Step=11004, Step=11017, Step=15008, Step=15004"
Firewall Activity (Passed Authentications)
Jun 25 15:46:23 RPD7HOST CISE_Passed_Authentications 0000556184 1 0 2020-06-25 15:46:23.961 -07:00 0002321066 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=10, Device IP Address=10.64.120.4, DestinationIPAddress=10.8.40.47, DestinationPort=1812, UserName=hfinn, Protocol=Radius, RequestLatency=14, NetworkDeviceName=BR120-SW, User-Name=hfinn, NAS-IP-Address=10.64.120.4, NAS-Port=50126, Service-Type=Call Check, Framed-MTU=1472, Calling-Station-ID=fc-3f-db-4d-69-a2, NAS-Identifier=BR120-SW1, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet1/0/26, EAP-Key-Name=, cisco-av-pair=service-type=Call Check, cisco-av-pair=audit-session-id=0478400a0001e0fef3c90efb, cisco-av-pair=method=mab, OriginalUserName=hfinn, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, IsThirdPartyDeviceFlow=false, RadiusFlowType=WiredMAB, AcsSessionID=PRXPISE01W/373955389/136606, AuthenticationIdentityStore=Internal Endpoints, AuthenticationMethod=Lookup, SelectedAccessService=Default Network Access, SelectedAuthorizationProfiles=WIRED-PERMIT, UseCase=Host Lookup, IdentityGroup=Endpoint Identity Groups:Profiled:HP-Device, Step=11001, Step=11017, Step=11027, Step=15049, Step=15008, Step=15048, Step=15048, Step=15048, Step=15048, Step=15041, Step=15013, Step=24209, Step=24211, Step=22037, Step=24715, Step=15036, Step=15048, Step=15048, Step=15048, Step=15016, Step=11022, Step=11002, SelectedAuthenticationIdentityStores=Internal Endpoints, AuthenticationStatus=AuthenticationPassed, NetworkDeviceGroups=Location#All Locations#RTL Locations-Woodland Hills, NetworkDeviceGroups=Device Type#All Device Types#Switches, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, IdentityPolicyMatchedRule=Default, AuthorizationPolicyMatchedRule=Printers, UserType=Host, CPMSessionID=0478400A0001E0FEF3C90EFB, EndPointMACAddress=FC-3F-DB-4D-69-A2, PostureAssessmentStatus=NotApplicable, EndPointMatchedProfile=HP-LaserJet-Printer, DeviceRegistrationStatus=noregistered, ISEPolicySetName=Wired MAB, IdentitySelectionMatchedRule=Default, StepData=5= Normalised Radius.RadiusFlowType, StepData=6= Radius.NAS-Port-Type, StepData=7= DEVICE.Device Type, StepData=9=Internal Endpoints, StepData=15= EndPoints.AnomalousBehaviour, StepData=16= EndPoints.EndPointPolicy, StepData=17= EndPoints.LogicalProfile, allowEasyWiredSession=false, DTLSSupport=Unknown, HostIdentityGroup=Endpoint Identity Groups:Profiled:HP-Device, Network Device Profile=Cisco, Location=Location#All Locations#RTL Woodland Hills, Device Type=Device Type#All Device Types#Switches, IPSEC=IPSEC#Is IPSEC Device#No, LogicalProfile=3b8d49f0-8c01-11e6-996c-525400b48521, LogicalProfile=b9e45830-1c19-11e8-b9c2-6cb2ae989650, EndPointPolicy=74bff490-51ce-11e8-b9c2-6cb2ae989650, EndPointPolicy=29473540-8c00-11e6-996c-525400b48521, EndPointPolicy=23d26b20-8c00-11e6-996c-525400b48521, Name=Endpoint Identity Groups: profile:HP-Device, Response={UserName=hfinn; User-Name=hfinn; State=ReauthSession:0478400A0001E0FEF3C90EFB; Class=CACS:0478400A0001E0FEF3C90EFB:PRXPISE01W/373955389/136606; cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-WIRED-DOMAIN-USER-5a6269ae; cisco-av-pair=profile-name=HP-LaserJet-Printer; LicenseTypes=2051; }
Firewall Activity (Failed Attempts)
<181>Jun 25 15:47:15 PRXPISE01W CISE_Failed_Attempts 0000556788 1 0 2020-06-25 15:47:15.796 -07:00 0002322980 5400 NOTICE Failed-Attempt: Authentication failed, ConfigVersionId=10, Device IP Address=240.18.16.78, Device Port=5127, DestinationIPAddress=10.8.40.47, DestinationPort=1812, RadiusPacketType=AccessRequest, UserName=jfrost, Protocol=Radius, RequestLatency=7, NetworkDeviceName=SNA-ISE-SW, User-Name=jfrost, NAS-IP-Address=240.18.16.78, NAS-Port=50107, Service-Type=Framed, Framed-IP-Address=10.45.51.216, Framed-MTU=1472, State=37CPMSessionID=0F32280A000009533AB6EFE4\;37SessionID=PRXPISE01W/373955389/136694\;, Calling-Station-ID=84-B5-17-08-66-1E, NAS-Identifier=SNA-ISE-SW1, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet1/0/7, EAP-Key-Name=, cisco-av-pair=service-type=Framed, cisco-av-pair=audit-session-id=0F32280A000009533AB6EFE4, cisco-av-pair=method=dot1x, cisco-av-pair=vlan-id=0, NetworkDeviceProfileName=Cisco, NetworkDeviceProfileId=b0699505-3150-4215-a80e-6753d45bf56c, IsThirdPartyDeviceFlow=false, RadiusFlowType=Wired802_1x, AcsSessionID=PRXPISE01W/373955389/136694, SelectedAccessService=EAP_TLS, FailureReason=12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain, Step=11001, Step=11017, Step=15049, Step=15008, Step=15048, Step=11507, Step=12300, Step=12625, Step=11006, Step=11001, Step=11018, Step=12501, Step=12500, Step=12625, Step=11006, Step=11001, Step=11018, Step=12502, Step=12800, Step=12805, Step=12806, Step=12807, Step=12808, Step=12809, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=12811, Step=12814, Step=12817, Step=12514, Step=12507, Step=12505, Step=11006, Step=11001, Step=11018, Step=12504, Step=61025, Step=11504, Step=11003, NetworkDeviceGroups=Location#All Locations#3 MacArthur#Fifth Floor, NetworkDeviceGroups=IPSEC#Is IPSEC Device#No, NetworkDeviceGroups=Device Type#All Device Types, EapAuthentication=EAP-TLS, OpenSSLErrorMessage=SSL alert: code=0x230=560 \; source=local \; type=fatal \; message="Unknown CA - error unable to get issuer certificate locally", OpenSSLErrorStack= 19132:error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed:s3_srvr.c:3411:, CPMSessionID=0F32280A000009533AB6EFE4, EndPointMACAddress=84-B5-17-08-66-1E, ISEPolicySetName=Wired DOT1X, StepData=4= DEVICE.Device Type, TLSCipher=unknown, TLSVersion=TLSv1.2, DTLSSupport=Unknown, Network Device Profile=Cisco, Location=Location#All Locations#3 MacArthur#Fifth Floor, Device Type=Device Type#All Device Types, IPSEC=IPSEC#Is IPSEC Device#No, Response={RadiusPacketType=AccessReject; }
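All of the samples above share one layout: a syslog header, the ISE message header (category, message id, segment counts, ISE timestamp, sequence, message code, severity, message class) and then comma-separated key=value attributes in which some keys repeat and some values themselves contain "=". The following parser is an added example, not Rapid7's or Cisco's code; the sample record it parses is constructed from the page's accounting "start" event, shortened, and the field names given to the header positions are this example's own.

```python
import re

# Constructed sample: the page's RADIUS accounting "start" record, shortened.
SAMPLE = ("Jun 26 11:32:07 RPD7HOST CISE_RADIUS_Accounting 0038030740 2 0 "
          "2020-06-26 11:32:07.519 -04:00 0527431588 3000 NOTICE RADIUS-Accounting: "
          "RADIUS Accounting start request, ConfigVersionId=176, "
          "Device IP Address=122.68.12.10, UserName=mtwain, NAS-IP-Address=122.68.12.10, "
          "Framed-IP-Address=10.125.3.20, Acct-Status-Type=Start, "
          "Tunnel-Type=(tag=0) VLAN, cisco-av-pair=audit-session-id=0a637d0a00012f7b1a42ba57, "
          "Step=11004, Step=11017, NetworkDeviceName=DEMOMO-WLC01")

# ISE header layout seen in every sample above: optional syslog PRI, syslog timestamp,
# host, category, message id, total segments, segment number, ISE timestamp with UTC
# offset, sequence, message code, severity, "Class: summary," then key=value attributes.
HEADER = re.compile(
    r"^(?:<\d+>)?(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<category>CISE_\w+) (?P<msg_id>\d+) (?P<segments>\d+) (?P<segment>\d+) "
    r"(?P<ise_ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ [+-]\d\d:\d\d) "
    r"(?P<seq>\d+) (?P<code>\d+) (?P<severity>[A-Z]+) "
    r"(?P<msg_class>[\w-]+): (?P<summary>[^,]+),\s*(?P<attrs>.*)$")

def parse_ise_syslog(line):
    """Return header fields plus an 'attrs' dict, or None when the line is not in
    the ISE layout (the 'seen in View Raw Log, missing from Log Search' symptom)."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    attrs = {}
    for pair in rec.pop("attrs").split(", "):
        key, sep, value = pair.partition("=")  # split on the FIRST '=' only, so
        if not sep:                            # cisco-av-pair=a=b keeps "a=b"
            continue
        if key in attrs:                       # repeated keys (Step, cisco-av-pair,
            prev = attrs[key]                  # NetworkDeviceGroups) become lists
            attrs[key] = prev + [value] if isinstance(prev, list) else [prev, value]
        else:
            attrs[key] = value
    rec["attrs"] = attrs
    return rec

def vpn_session_summary(rec):
    """The fields that matter for ingress tracking: who, through which NAS,
    which address was assigned, and whether the session started or stopped."""
    a = rec["attrs"]
    return {"user": a.get("UserName"), "nas": a.get("NAS-IP-Address"),
            "assigned_ip": a.get("Framed-IP-Address"), "status": a.get("Acct-Status-Type")}
```

Running a line you see in View Raw Log through parse_ise_syslog is a quick way to tell a layout mismatch from a delivery problem when nothing reaches Log Search.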
Sample firewall logs in Log Search
Sample VPN logs in Log Search