Cisco Identity Services Engine
Configure the Cisco Identity Services Engine (ISE) data connector.
In this guide, you'll configure Cisco Identity Services Engine (ISE) to send logs to Radiant Security. Cisco ISE is a network administration product that provides centralized authentication, authorization, and accounting (AAA) for network access, endpoint compliance, and security policy enforcement. ISE generates valuable security data including authentication attempts, authorization decisions, posture compliance events, and network access violations that are critical for threat detection and analysis.
Prerequisites
Add the data connector in Radiant Security
Log in to Radiant Security.
From the navigation menu, click Settings > Data Connectors and click + Add Connector.
Search for and select the Radiant Agent option, click Data Feeds, select Cisco Identity Services Engine, and then click Credentials.
Under Credential Name, give the credential an identifiable name (e.g., Radiant Agent Integration). If you already have a credential in place, select it from the drop-down menu. Click Add Connector.
Click Done to save your changes.
Configure a local Radiant Security Agent
Refer to the Install the Radiant Security Agent guide to set up a local agent to collect the logs. Once installed, the agent will act as the syslog receiver for Cisco ISE.
Before you begin the Configure logging in Cisco ISE section, ensure you have the following information from your agent installation:
The IP address or hostname of the server on which the Radiant Security Agent is installed.
The port configured for receiving Cisco ISE data.
Configure logging in Cisco ISE
Step 1: Configure Remote Logging Target
In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Logging > Remote Logging Targets, then click Add.
Configure the following settings:
Name: Enter a descriptive name for the remote syslog server (e.g., Radiant_Security_Syslog). This is used for identification purposes.
Target Type: Select TCP Syslog.
Status: Select Enabled.
Description: (Optional) Enter a brief description of the target.
Host / IP Address: Enter the IP address or hostname of the server running the Radiant Security Agent.
Note: If using a Fully Qualified Domain Name (FQDN), configure DNS caching to avoid performance impact. Without DNS caching, ISE queries the DNS server each time a syslog packet is sent, which can severely impact performance. Use the service cache enable hosts ttl 180 command on all PSNs in the deployment.
Port: Enter the port number the Radiant Security Agent is listening on (6514). Ensure the port is not blocked by firewalls. Valid range: 1-65535.
Facility Code: Select Local6.
Maximum Length: Set to 8192.
Include Alarms For this Target: Yes.
Comply to RFC 3164: Yes.
Click Save to create the remote logging target. When prompted with the warning "You have chosen to create an unsecure (TCP/UDP) connection to the server. Are you sure you want to proceed?", click Yes to confirm.
Step 2: Map Remote Logging Target to Categories
Once you've configured the remote logging target, you need to map it to the intended categories to forward auditable events.
In the Cisco ISE GUI, click the Menu icon and choose Administration > System > Logging > Logging Categories.
1. Log Categories
Select the parent categories: AAA Audit, AAA Diagnostics, Accounting, Administrative and Operational Audit, Posture and Client Provisioning Audit, Profiler, External MDM, and Passive ID.
2. Log Severity Level
Select the severity level: INFO. Some cannot be changed; keep them as is.
3. Local Logging
Disable if you do not want to save logs on the PSN generating them.
4. Targets
Under the Targets section, use the arrow icons to move the Radiant_Security_Syslog target from the Available area to the Selected area. This associates your remote logging target with the category.
5. Save Configuration
Click Save to apply the changes for each category.
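To confirm the agent's listener is reachable and to see what a Local6/INFO event looks like on the wire, the following check sends one RFC 3164 line over TCP using the values from Step 1. It is an added example, not Radiant Security or Cisco code; the function names, the ise-test hostname, the radiant-check tag and the newline framing are assumptions made for illustration.

```python
import socket
from datetime import datetime

FACILITY_LOCAL6 = 22      # "Facility Code: Local6" from Step 1
SEVERITY_INFO = 6         # "INFO" severity from Step 2
MAX_LENGTH = 8192         # "Maximum Length" from Step 1


def build_rfc3164(msg, hostname="ise-test", tag="radiant-check", when=None,
                  facility=FACILITY_LOCAL6, severity=SEVERITY_INFO):
    """Return one RFC 3164 syslog line as bytes, capped at MAX_LENGTH."""
    when = when or datetime.now()
    pri = facility * 8 + severity              # local6.info -> 182
    # RFC 3164 timestamp: "Mmm dd hh:mm:ss", day space-padded to width 2.
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    line = f"<{pri}>{stamp} {hostname} {tag}: {msg}".encode("utf-8", "replace")
    return line[:MAX_LENGTH - 1] + b"\n"       # newline framing (assumption)


def parse_pri(line):
    """Split the leading <PRI> into (facility, severity); raise on bad input."""
    if not line.startswith(b"<") or b">" not in line[:5]:
        raise ValueError("missing <PRI> header")
    pri = int(line[1:line.index(b">")])
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range")
    return divmod(pri, 8)


def send_test_event(host, port, msg="Radiant connector test", timeout=5.0):
    """Send one test line to the agent over TCP and return the bytes sent.

    Raises OSError when the port is closed or filtered (the firewall case
    the Port setting mentions).
    """
    if not 1 <= port <= 65535:
        raise ValueError("port must be in 1-65535")
    payload = build_rfc3164(msg)
    with socket.create_connection((host, port), timeout=timeout) as conn:
        conn.sendall(payload)
    return payload


if __name__ == "__main__":
    import sys
    # Usage: python check_syslog.py <agent-host> [port]; 6514 is this guide's port.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 6514
    print(send_test_event(host, port).decode().rstrip())
```

Run it from a host on the same network path as the PSNs; a connection error here means ISE will not reach the agent either.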
Additional Resources