Cisco ISE

Configure the Cisco ISE connector in Radiant Security to forward Cisco Identity Services Engine authentication and audit logs for AI triage.

Radiant ingests Cisco Identity Services Engine (ISE) authentication, authorization, and accounting logs through a Radiant Security Agent acting as a syslog receiver. This guide covers adding the Cisco ISE data feed in Radiant and configuring Cisco ISE to forward logs to the agent.

Prerequisites

Add the data connector in Radiant Security

  1. Sign in to Radiant Security.

  2. From the navigation menu, select Settings > Data Connectors and click + Add Connector.

  3. Search for and select Radiant Agent, then click Data Feeds.

  4. Under Select your data feeds, select Cisco Identity Services Engine and click Credentials.

  5. Under Credential Name, enter a descriptive name (e.g., Radiant Agent Integration), or select an existing Radiant Agent credential from the drop-down menu.

  6. Click Add Connector, then click Done.

Configure logging in Cisco ISE

Set up a remote logging target that points to the Radiant Security Agent, then map it to the ISE log categories you want forwarded.

Configure a remote logging target

1. Open the Remote Logging Targets page

In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Logging > Remote Logging Targets, then click Add.

2. Configure the target

Enter the following values:

  • Name: a descriptive name for the target (e.g., Radiant_Security_Syslog).

  • Target Type: TCP Syslog.

  • Status: Enabled.

  • Description: (optional) a brief description of the target.

  • Host/IP Address: the IP address or hostname of the Radiant Security Agent.

  • Port: the TCP port configured on the Radiant Security Agent to receive Cisco ISE traffic. Ensure the port is not blocked by firewalls between Cisco ISE and the agent. If you do not know the port, contact your Customer Success representative.

  • Facility Code: Local6.

  • Maximum Length: 8192.

  • Include Alarms For this Target: Yes.

  • Comply to RFC 3164: Yes.

If you use a Fully Qualified Domain Name (FQDN) for Host/IP Address, enable DNS caching on all Policy Service Nodes (PSNs) in the deployment to avoid performance degradation. Without DNS caching, Cisco ISE queries the DNS server for every syslog packet. Use the service cache enable hosts ttl 180 CLI command on each PSN.

3. Save the target

Click Save. When Cisco ISE prompts "You have chosen to create an unsecure (TCP/UDP) connection to the server. Are you sure you want to proceed?", click Yes to confirm.

Map the logging target to categories

1. Open Logging Categories

In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Logging > Logging Categories.

2. Select the parent categories

Under Log Categories, select each of the following:

  • AAA Audit

  • AAA Diagnostics

  • Accounting

  • Administrative and Operational Audit

  • Posture and Client Provisioning Audit

  • Profiler

  • External MDM

  • Passive ID

3. Set severity and local logging

For each category:

  • Set Log Severity Level to INFO. Some severity levels cannot be changed; leave those as they are.

  • (Optional) Disable Local Logging if you do not want logs stored on the PSN that generated them.

4. Assign the remote logging target

Under Targets, use the arrow icons to move your remote logging target (e.g., Radiant_Security_Syslog) from Available to Selected. Click Save to apply the changes.

Repeat for each category in the list.

For Cisco's reference documentation, see Configure External Syslog Server on ISE.

Verify ingestion

After Cisco ISE begins forwarding, confirm events are reaching Radiant.

  1. In Radiant, navigate to Log Management.

  2. Filter by rs_connectorType:"cisco_ise".

  3. Confirm recent events appear.

Allow several minutes for events to be parsed, indexed, and available for search.
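
To check that messages leaving Cisco ISE match the target settings above (RFC 3164 header, facility Local6, at most 8192 bytes), the following added example validates syslog lines captured on the agent host. It is not part of Radiant's or Cisco's documentation. The sample lines, hostname and message bodies are constructed, and the capture method (for example a packet capture on the agent's TCP port) is an assumption.

```python
import re

LOCAL6 = 22        # syslog facility number for Local6
MAX_LENGTH = 8192  # "Maximum Length" on the ISE remote logging target
SEVERITIES = ["EMERG", "ALERT", "CRIT", "ERROR", "WARN", "NOTICE", "INFO", "DEBUG"]

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG (single-digit day is space-padded)
RFC3164 = re.compile(
    r"<(\d{1,3})>"
    r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ \d]\d \d{2}:\d{2}:\d{2} "
    r"(\S+) (.*)", re.S)

def check_line(raw: str) -> dict:
    """Parse one captured syslog line and list mismatches with the target settings."""
    line = raw.rstrip("\r\n")
    m = RFC3164.fullmatch(line)
    if not m or int(m.group(1)) > 191:   # PRI = facility * 8 + severity, max 23*8+7
        return {"ok": False, "problems": ["no RFC 3164 header"]}
    facility, severity = divmod(int(m.group(1)), 8)
    problems = []
    if facility != LOCAL6:
        problems.append(f"facility {facility}, expected {LOCAL6} (Local6)")
    if len(line.encode("utf-8")) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} bytes")
    return {"ok": not problems, "host": m.group(2), "facility": facility,
            "severity": SEVERITIES[severity], "problems": problems}

# Constructed sample lines; the hostname and message bodies are made up.
SAMPLES = [
    "<182>Jul  3 10:15:02 ise-psn01 constructed test message\n",         # Local6.INFO
    "<134>Jul 10 10:15:03 ise-psn01 constructed test message\n",         # Local0.INFO
    "<182>1 2024-07-03T10:15:02Z ise-psn01 constructed test message\n",  # RFC 5424 style
    "<182>Jul  3 10:15:04 ise-psn01 " + "x" * 9000 + "\n",               # over Maximum Length
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = check_line(sample)
        print("OK  " if result["ok"] else "FAIL", result.get("host", "-"), result["problems"])
```

A facility mismatch points at the Facility Code field of the remote logging target, and a missing RFC 3164 header points at the Comply to RFC 3164 setting.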
