# Cisco ISE

Radiant ingests Cisco Identity Services Engine (ISE) authentication, authorization, and accounting logs through a Radiant Security Agent acting as a syslog receiver. This guide covers adding the Cisco ISE data feed in Radiant and configuring Cisco ISE to forward logs to the agent.

### Prerequisites

* [ ] Administrator access to the Cisco ISE Admin Portal
* [ ] A deployed [Radiant Agent](/radiant-connectors/data-connectors/install-the-radiant-security-agent.md) reachable from Cisco ISE
* [ ] Administrator role in Radiant Security

### Add the data connector in Radiant Security

1. Sign in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, select **Settings** > **Data Connectors** and click **+ Add Connector**.
3. Search for and select **Radiant Agent**, then click **Data Feeds**.
4. Under **Select your data feeds**, select **Cisco Identity Services Engine** and click **Credentials**.
5. Under **Credential Name**, enter a descriptive name (e.g., `Radiant Agent Integration`), or select an existing Radiant Agent credential from the drop-down menu.
6. Click **Add Connector**, then click **Done**.

### Configure logging in Cisco ISE

Set up a remote logging target that points to the Radiant Security Agent, then map it to the ISE log categories you want forwarded.

#### Configure a remote logging target

{% stepper %}
{% step %}

#### **Open the Remote Logging Targets page**

In the Cisco ISE GUI, click the **Menu** icon and choose **Administration** > **System** > **Logging** > **Remote Logging Targets**, then click **Add**.
{% endstep %}

{% step %}

#### **Configure the target**

Enter the following values:

* **Name**: a descriptive name for the target (e.g., `Radiant_Security_Syslog`).
* **Target Type**: **TCP Syslog**.
* **Status**: **Enabled**.
* **Description**: (optional) a brief description of the target.
* **Host/IP Address**: the IP address or hostname of the Radiant Security Agent.
* **Port**: the TCP port configured on the Radiant Security Agent to receive Cisco ISE traffic. Ensure the port is not blocked by firewalls between Cisco ISE and the agent. If you do not know the port, contact your Customer Success representative.
* **Facility Code**: **Local6**.
* **Maximum Length**: `8192`.
* **Include Alarms For this Target**: **Yes**.
* **Comply to RFC 3164**: **Yes**.

{% hint style="info" %}
If you use a Fully Qualified Domain Name (FQDN) for **Host/IP Address**, enable DNS caching on all Policy Service Nodes (PSNs) in the deployment to avoid performance degradation. Without DNS caching, Cisco ISE queries the DNS server for every syslog packet. Use the `service cache enable hosts ttl 180` CLI command on each PSN.
{% endhint %}
{% endstep %}

{% step %}

#### **Save the target**

Click **Save**. When Cisco ISE prompts `You have chosen to create an unsecure (TCP/UDP) connection to the server. Are you sure you want to proceed?`, click **Yes** to confirm.
{% endstep %}
{% endstepper %}

#### Map the logging target to categories

{% stepper %}
{% step %}

#### **Open Logging Categories**

In the Cisco ISE GUI, click the **Menu** icon and choose **Administration** > **System** > **Logging** > **Logging Categories**.
{% endstep %}

{% step %}

#### **Select the parent categories**

Under **Log Categories**, select each of the following:

* `AAA Audit`
* `AAA Diagnostics`
* `Accounting`
* `Administrative and Operational Audit`
* `Posture and Client Provisioning Audit`
* `Profiler`
* `External MDM`
* `Passive ID`

{% endstep %}

{% step %}

#### **Set severity and local logging**

For each category:

* Set **Log Severity Level** to `INFO`. Some severity levels cannot be changed; leave those as they are.
* (Optional) Disable **Local Logging** if you do not want logs stored on the PSN that generated them.

{% endstep %}

{% step %}

#### **Assign the remote logging target**

Under **Targets**, use the arrow icons to move your remote logging target (e.g., `Radiant_Security_Syslog`) from **Available** to **Selected**. Click **Save** to apply the changes.

Repeat for each category in the list.
{% endstep %}
{% endstepper %}
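
An added check (not part of Radiant's or Cisco's documentation) for lines captured on the receiving port: it confirms each one carries an RFC 3164 header, the Local6 facility, and a length within 8192 bytes, as set on the remote logging target above. The sample lines and the hostname `ise-psn1` are constructed for illustration.

```python
import re
from datetime import datetime

# Settings from the remote logging target on this page.
EXPECTED_FACILITY = 22   # Local6 (local0..local7 are syslog facilities 16..23)
MAX_LENGTH = 8192        # "Maximum Length" field, in bytes

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$",
    re.DOTALL,
)

def check_line(line):
    """Return the list of mismatches against the target settings (empty = OK)."""
    problems = []
    if len(line.encode("utf-8")) > MAX_LENGTH:
        problems.append("exceeds 8192 bytes")
    m = RFC3164.match(line)
    if m is None:
        problems.append("no RFC 3164 header")
        return problems
    pri = int(m["pri"])
    facility = pri // 8                   # PRI = facility * 8 + severity
    if pri > 191:
        problems.append(f"PRI {pri} out of range")
    elif facility != EXPECTED_FACILITY:
        problems.append(f"facility {facility}, expected {EXPECTED_FACILITY} (Local6)")
    try:
        # Prefix a leap year so "Feb 29" parses; RFC 3164 carries no year.
        datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
    except ValueError:
        problems.append("invalid timestamp")
    return problems

# Constructed sample lines (not captured from a real deployment).
SAMPLES = [
    "<182>Oct  5 10:15:02 ise-psn1 CISE_Passed_Authentications sample text",  # Local6.info
    "<134>Oct  5 10:15:02 ise-psn1 CISE_Passed_Authentications sample text",  # Local0.info
    "<182>1 2024-10-05T10:15:02Z ise-psn1 sample text",                        # RFC 5424 style
]

def check_samples():
    return [check_line(s) for s in SAMPLES]

if __name__ == "__main__":
    for line, problems in zip(SAMPLES, check_samples()):
        print("OK  " if not problems else "FAIL", problems, line[:60])
```

A facility mismatch points at the **Facility Code** field, and a missing RFC 3164 header points at the **Comply to RFC 3164** setting on the target.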

For Cisco's reference documentation, see [Configure External Syslog Server on ISE](https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/222223-configure-external-syslog-server-on-ise.html).

