Govroam

The Roaming solution for the public sector


Differences

This shows you the differences between two versions of the page.

siteadmin:fticks_logging_for_cisco_ise [2024/05/15 09:57] admin
siteadmin:fticks_logging_for_cisco_ise [2024/05/20 12:37] (current) admin
Line 1: Line 1:
 ======Logging for Cisco ISE====== ======Logging for Cisco ISE======
 +
 +**NOTE: This is untested.**
 +
 +**This only applies to Federation Operators and not to individual sites**
  
 Unfortunately ISE can't generate custom logs in the format required (FTICKS) but, fortunately, it can generate syslog logs with the right information, which can be sent to a syslog server and munged into a suitable format. Unfortunately ISE can't generate custom logs in the format required (FTICKS) but, fortunately, it can generate syslog logs with the right information, which can be sent to a syslog server and munged into a suitable format.
Line 47: Line 51:
 Here are two options for possible syslog servers and config but you set up any syslog server as long as it has the following behaviour: Here are two options for possible syslog servers and config but you set up any syslog server as long as it has the following behaviour:
  
-  * Proxies to utilities.govroam.uk on port 601/TCP with Facility local6 +  * Uses the [[public:fticks|FTICKS]] format 
-  * Includes in the FTICKS '#FEDID=0X000#' where 0X000 is replaced by the Federation ID supplied.+  * Proxies to utilities.govroam.uk on port 514/UDP with Facility local6 
 +  * Includes in the FTICKS '#FEDID=0X000#' where 0X000 is replaced by the Federation ID supplied by Jisc.
   * Filters down the proxied log to just those for   * Filters down the proxied log to just those for
     * Successful authentications     * Successful authentications
-    * Only authentications between member sites (i.e. NOT those to or from the Jisc NRPS)+    * Only authentications between member sites (i.e. NOT those to or from the Jisc NRPS, or within an organisation)
  
 The two options: The two options:
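Review bot: the transport change in the second bullet (601/TCP to 514/UDP) removes delivery guarantees and sends every record, including CSI (the client MAC address) and the Federation ID, in cleartext across the internet; if this is a stopgap until the TLS output on port 6514 (marked "for future use" below) is live, say so here, and state that a lost datagram means a missing FTICKS record rather than a retry, so operators do not expect the counts at Jisc to match their own.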
Line 77: Line 82:
 destination d_jisc {  destination d_jisc { 
   syslog("212.219.243.132"    syslog("212.219.243.132" 
-        transport("tcp")  +        transport("udp")  
-        port("601")+        port("514")
         template("F-TICKS/govroam/1.0#REALM=${ISE.UserName}#VISCOUNTRY=GB#VISINST=${ISE.Operator-Name}#CSI=${ISE.Calling-Station-ID}#RESULT=OK#FEDID=XXXXX#")         template("F-TICKS/govroam/1.0#REALM=${ISE.UserName}#VISCOUNTRY=GB#VISINST=${ISE.Operator-Name}#CSI=${ISE.Calling-Station-ID}#RESULT=OK#FEDID=XXXXX#")
   );    ); 
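Review bot: REALM=${ISE.UserName} in the template puts the full username into every record rather than only the realm; if the FTICKS format linked above expects just the realm part, strip everything up to and including "@" with a rewrite rule before the destination is reached, otherwise per-user identifiers leave the site with each record. The FEDID=XXXXX placeholder in this template also has no "change XXXXX" instruction in the syslog-ng section within the visible lines (the only one is in the NXLog bullets further down), so add one here as well.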
Line 87: Line 92:
         source(s_remote_udp);         source(s_remote_udp);
         filter(f_local0);         filter(f_local0);
-        filter{ match("Authentication succeeded" value ("MESSAGE"))}; 
         parser {         parser {
             kv-parser (prefix("ISE."));             kv-parser (prefix("ISE."));
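Review bot: removing the filter{ match("Authentication succeeded" value ("MESSAGE"))}; line leaves no replacement in this hunk, so every local0 message arriving on s_remote_udp now goes through the kv-parser and on to d_jisc, whose template hardcodes RESULT=OK; failed authentications and unrelated ISE messages would be reported to Jisc as successes, which breaks the "Successful authentications" requirement above. If the intent is to key on the message class instead, as the NXLog option does, add that filter here, for example filter { match("CISE_Passed_Authentications" value("MESSAGE")); };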
Line 108: Line 112:
   * Install [[https://nxlog.co/products/nxlog-community-edition|NXLog CE]] on Windows   * Install [[https://nxlog.co/products/nxlog-community-edition|NXLog CE]] on Windows
   * Use this configuration (with paths changed appropriately)   * Use this configuration (with paths changed appropriately)
 +
 +**Note: This doesn't actually send the logs in FTICKS format but it does send them in a format which Jisc can convert to FTICKS. However, it's absolutely critical that the FedID is set correctly** 
  
 <code> <code>
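Review bot: the new note says this option does not send FTICKS but a format Jisc converts, which contradicts the "Uses the FTICKS format" bullet added to the requirements above; either qualify that bullet for the NXLog option or describe what Jisc accepts. The "absolutely critical" FedID warning should also point at the line it refers to ($FedID in Input tcp_ise) so the reader knows exactly what to change.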
Line 135: Line 141:
 <Input tcp_ise> <Input tcp_ise>
     Module im_tcp     Module im_tcp
-    Host  10.10.10.10+    Host  10.10.10.10 # Set this to the address of the Windows syslog server
     Port  514     Port  514
     <Exec>     <Exec>
-      if $SyslogFacility != "local6" drop();+      if $SyslogFacility != "local0" drop();
       if $raw_event !~ /CISE_Passed_Authentications/ drop();       if $raw_event !~ /CISE_Passed_Authentications/ drop();
-      $FedID="0X000";+      $FedID="XXXXX"; # Set this to the Federation ID provided by Jisc 
 +      $SyslogFacility = "local6";
     </Exec>     </Exec>
 </Input> </Input>
  
 +## For future use
 <Output syslog_tls> <Output syslog_tls>
     Module      om_ssl     Module      om_ssl
     Host        212.219.243.132     Host        212.219.243.132
     Port        6514     Port        6514
-  CAFile      c:/Program Files (x86)/nxlog/data/cacert.pem+   CAFile      c:/Program Files (x86)/nxlog/data/cacert.pem
 #    CertFile    c:/Program Files (x86)/nxlog/data/clientreq.pem #    CertFile    c:/Program Files (x86)/nxlog/data/clientreq.pem
 #    CertKeyFile c:/Program Files (x86)/nxlog/data/clientkey.pem #    CertKeyFile c:/Program Files (x86)/nxlog/data/clientkey.pem
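Review bot: with the check changed to drop() unless $SyslogFacility == "local0", everything is discarded silently if the ISE remote logging target is configured with any other facility; document that ISE must send facility local0 (or make the check match whatever the ISE target uses), because the rewrite to local6 on the next line means the original facility is no longer visible downstream for troubleshooting. The $FedID variable is set but none of the visible Exec lines reference it, so confirm that the active output's format string includes it; otherwise the Federation ID the note above calls critical never reaches Jisc.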
Line 162: Line 170:
     OutputType  Syslog_TLS     OutputType  Syslog_TLS
     Exec        to_syslog_ietf();     Exec        to_syslog_ietf();
-    Exec        $SyslogFacility = "local6"; 
 </Output> </Output>
  
Line 172: Line 179:
 </code> </code>
  
-  * Change 0X000 to the supplied Federation ID. +  * Change XXXXX to the supplied Federation ID. 
-  * Change the 'Host' in 'Input tcp_ise' to the address of the ISE host.+  * Change the 'Host' in 'Input tcp_ise' to the address of the syslog server.
   * (Ignore the syslog_tls part, that's for future use)   * (Ignore the syslog_tls part, that's for future use)
   * Restart the Service   * Restart the Service
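Review bot: the Host bullet now agrees with the inline comment (the Input binds to the Windows server's own address), but the list still does not say that ISE must send to this host over TCP, which the Input (Module im_tcp, Port 514) requires; the syslog-ng option listens on UDP, so an ISE target configured for one option is dropped by the other. Add a bullet for the ISE side (TCP/514, facility local0 to satisfy the drop() check) and name the service to restart.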
 +
 +====Untested Advanced Configuration====
 +
 +There's a limitation to the logging process which might be addressable.
 +
 +Problem: Not all member organisations can or do set the Operater-Name attribute in their Requests. Ideally the RFO should be able to insert an O-N with a value set on behalf of your site but only some RADIUS servers are capable of doing this (FreeRADIUS, RadSecProxy, RADIATOR). The next best option is to insert a generic value for the Federation. i.e:
 +
 +When an RFO, scarfolk.gov.uk, gets a request from a site, say arkham.nhs.uk:
 +  - If the Operator-Name is set to, say, 1arkham.nhs.uk then leave it as is.
 +  - If the Operator-Name is missing the insert an Operator-Name with the value '1arkham.nhs.uk' no matter which of the several holby,nhs.uk servers the request comes from.
 +  - If there's no way to set the Operator-Name as in (2) then just insert an Operator-Name of, say, '1scarfolk.gov.uk'
 +
 +This way the home site will, at best, see an Operator-Name with the source site's value or, at worst, with it set to the Federation's value. 
 +
 +However, this conditional setting of Operator-Name isn't something found in servers like ClearPass, ISE or NPS. NPS is completely incapable of setting the Operator-Name. ClearPass can't do any sort of conditional setting. ISE might be able to. 
 +
 +===Conditional Setting of Operator-Name===
 +
 +For each RADIUS Server Sequence dealing with proxying to a member organisation for authentication, go into the Advanced Attribute Settings and enable //Modify attributes in Request to External RADIUS Server//
 +
 +Set it to //Update Radius:Operator-Name = "" 1scarfolk.gov.uk//
 +
 +which should replace the Operator-Name's value with 1scarfolk.gov.uk if it's empty.
 +
 +{{:siteadmin:screenshot_2024-05-15_at_11.19.33.png?direct&400|IMAGE}}
 +
 +Unfortunately, due to bugs in our ISE, we can't test this.
 +
 +
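Review bot: the worked example mixes names: steps 1 and 2 talk about arkham.nhs.uk but step 2 then refers to "the several holby,nhs.uk servers" (comma for dot, and a different organisation), and "Operater-Name" and "the insert" are typos for "Operator-Name" and "then insert". On the logic, step 1 passes through whatever Operator-Name the member site sent; since the RFO knows which client the request arrived from, it could check a supplied value against that client's registered realm and keep it only when they agree, which also catches misconfigured values rather than just missing ones. The ISE attribute syntax Update Radius:Operator-Name = "" 1scarfolk.gov.uk should be marked as unverified in the same sentence, given the closing note that it could not be tested.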
siteadmin/fticks_logging_for_cisco_ise.1715767040.txt.gz · Last modified: 2024/05/15 09:57 by admin