Cisco Identity Services Engine
Configure the Cisco Identity Services Engine (ISE) data connector.
In this guide, you'll configure Cisco Identity Services Engine (ISE) to send logs to Radiant Security. Cisco ISE provides centralized network authentication, authorization, and accounting (AAA), generating security data on authentication attempts, authorization decisions, endpoint compliance, and access violations—all critical for threat detection and analysis.
Prerequisites
Add the data connector in Radiant Security
Log in to Radiant Security.
From the navigation menu, click Settings > Data Connectors and click + Add Connector.
Search for and select the Radiant Agent option and then click Data Feeds, then select the Cisco Identity Services Engine and click Credentials.
Under Credential Name, give the credential an identifiable name (e.g.,
Radiant Agent Integration). If you already have a credential in place, select it from the drop-down menu.Click Add Connector.
Click Done to save your changes.
Configure a local Radiant Security Agent
Refer to the Install the Radiant Security Agent guide to set up a local agent to collect the logs. Once installed, the agent will act as the syslog receiver for Cisco ISE.
Before you begin the Configure logging in Cisco ISE section, ensure you have the following information from your agent installation:
The IP address or hostname of the server on which the Radiant Security Agent is installed.
The port configured for receiving Cisco ISE data.
Configure logging in Cisco ISE
To configure logging in Cisco ISE, you'll need to first configure a remote logging target and then map it to the intended log categories to forward auditable events.
Configure Remote Logging Target
In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Logging > Remote Logging Targets, then click Add.
Configure the following settings:
Name: Enter a descriptive name for the remote syslog server (e.g.,
Radiant_Security_Syslog). This is used for identification purposes.Target Type: Select TCP Syslog
Status: Select Enabled
Description: (Optional) Enter a brief description of the target
Host/IP Address: Enter the IP address or hostname of the server running the Radiant Security Agent
Port: Enter the port number the Radiant Security Agent is listening on (
6514). Ensure the port is not blocked by firewalls. A valid range includes 1-65535Facility Code: Select Local6
Maximum Length: Set to
8192Include Alarms For this Target: Yes
Comply to RFC 3164: Yes
Click Save to create the remote logging target. When prompted with the warning "You have chosen to create an unsecure (TCP/UDP) connection to the server. Are you sure you want to proceed?", click Yes to confirm.
Map Remote Logging Target to Categories
In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Logging > Logging Categories.
For Log Categories, select the parent categories:
AAA AuditAAA DiagnosticsAccountingAdministrative and Operational AuditPosture and Client Provisioning AuditProfilerExternal MDMPassive ID
For Log Severity Level, select
INFO. Some severity levels cannot be changed, so leave them as is.For Local Logging, disable this setting if you do not want to save logs on the PSN generating them.
Under the Targets section, use the arrow icons to move the
Radiant_Security_Syslogtarget from the Available area to the Selected area. This associates your remote logging target with the category.
4. Click Save to apply the changes for each category.
For more information on how to configure an external syslog server on ISE, check out Configure External Syslog Server on ISE.
Last updated