Govroam

The Roaming solution for the public sector

siteadmin:fticks_logging_for_cisco_ise

Differences

This shows you the differences between two versions of the page.

siteadmin:fticks_logging_for_cisco_ise [2024/05/15 09:55] adminsiteadmin:fticks_logging_for_cisco_ise [2024/05/20 12:37] (current) admin
Line 1: Line 1:
 ======Logging for Cisco ISE====== ======Logging for Cisco ISE======
 +
 +**NOTE: This is untested.**
 +
 +**This only applies to Federation Operators and not to individual sites**
  
 Unfortunately ISE can't generate custom logs in the format required (FTICKS) but, fortunately, it can generate syslog logs with the right information, which can be sent to a syslog server and munged into a suitable format. Unfortunately ISE can't generate custom logs in the format required (FTICKS) but, fortunately, it can generate syslog logs with the right information, which can be sent to a syslog server and munged into a suitable format.
Line 6: Line 10:
  
 =====Configuring Cisco ISE====== =====Configuring Cisco ISE======
 +
 +====Enabling the Operator-Name attribute====
 +
 +  * Go to **Policy** -> **Policy Elements** -> **Dictionaries**.
 +  * Open up the **System** dropdown.
 +  * Open up the **Radius** dropdown.
 +  * Click on **IETF**.
 +  * Click on **unknown-126** and enter
 +    * **Attribute Name** as 'Operator-Name'
 +    * **Data Type** as STRING
 +    * **Direction** as IN
 +  * Click **Save**
 +
 +{{:siteadmin:cisco_ise_on_dictionary_attribute.png?800|}}
 +
 +====Logging====
  
 This has been done with ISE 2.6 but the principle should apply to other versions. This has been done with ISE 2.6 but the principle should apply to other versions.
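Review bot: the new Operator-Name dictionary entry (unknown-126, STRING) is given Direction IN, but the later "Conditional Setting of Operator-Name" section expects ISE to write this attribute into requests proxied to external RADIUS servers; confirm that IN is sufficient for that, or whether the entry needs Direction BOTH for the update to apply outbound. Attribute number 126 is the IETF code assigned to Operator-Name in RFC 5580, so the identifier itself is right.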
Line 31: Line 51:
 Here are two options for possible syslog servers and config but you set up any syslog server as long as it has the following behaviour: Here are two options for possible syslog servers and config but you set up any syslog server as long as it has the following behaviour:
  
-  * Proxies to utilities.govroam.uk on port 601/TCP with Facility local6 +  * Uses the [[public:fticks|FTICKS]] format 
-  * Includes in the FTICKS '#FEDID=0X000#' where 0X000 is replaced by the Federation ID supplied.+  * Proxies to utilities.govroam.uk on port 514/UDP with Facility local6 
 +  * Includes in the FTICKS '#FEDID=0X000#' where 0X000 is replaced by the Federation ID supplied by Jisc.
   * Filters down the proxied log to just those for   * Filters down the proxied log to just those for
     * Successful authentications     * Successful authentications
-    * Only authentications between member sites (i.e. NOT those to or from the Jisc NRPS)+    * Only authentications between member sites (i.e. NOT those to or from the Jisc NRPS, or within an organisation)
  
 The two options: The two options:
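Review bot: the proxy requirement changes from 601/TCP to 514/UDP, so the F-TICKS records, which carry user identities and Calling-Station-ID MAC addresses, now leave the site unencrypted and with no delivery confirmation; the NXLog section already includes a syslog_tls output to port 6514 marked "for future use", so this list should say whether the UDP path is interim and that TLS is the intended end state. The new exclusion "or within an organisation" is also a filtering behaviour that neither configuration below visibly implements; state how operators are expected to drop intra-organisation authentications.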
Line 61: Line 82:
 destination d_jisc {  destination d_jisc { 
   syslog("212.219.243.132"    syslog("212.219.243.132" 
-        transport("tcp")  +        transport("udp")  
-        port("601")+        port("514")
         template("F-TICKS/govroam/1.0#REALM=${ISE.UserName}#VISCOUNTRY=GB#VISINST=${ISE.Operator-Name}#CSI=${ISE.Calling-Station-ID}#RESULT=OK#FEDID=XXXXX#")         template("F-TICKS/govroam/1.0#REALM=${ISE.UserName}#VISCOUNTRY=GB#VISINST=${ISE.Operator-Name}#CSI=${ISE.Calling-Station-ID}#RESULT=OK#FEDID=XXXXX#")
   );    ); 
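Review bot: the template fills REALM from ${ISE.UserName}, which in ISE is the full user identity rather than only the realm after the '@'; since the destination is now plain UDP to 212.219.243.132, confirm whether the F-TICKS REALM field is meant to carry the whole username here or should be reduced to the realm part before it is forwarded, as the F-TICKS format names the field REALM.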
Line 71: Line 92:
         source(s_remote_udp);         source(s_remote_udp);
         filter(f_local0);         filter(f_local0);
-        filter{ match("Authentication succeeded" value ("MESSAGE"))}; 
         parser {         parser {
             kv-parser (prefix("ISE."));             kv-parser (prefix("ISE."));
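Review bot: the removed line `filter{ match("Authentication succeeded" value ("MESSAGE"))};` was the only visible check restricting the syslog-ng path to successful authentications, which the requirements list above still mandates and which the NXLog variant enforces with its CISE_Passed_Authentications match; if the success check moved elsewhere in this log statement, show it, because the destination template hard-codes RESULT=OK and failed authentications would otherwise be forwarded as successes.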
Line 92: Line 112:
   * Install [[https://nxlog.co/products/nxlog-community-edition|NXLog CE]] on Windows   * Install [[https://nxlog.co/products/nxlog-community-edition|NXLog CE]] on Windows
   * Use this configuration (with paths changed appropriately)   * Use this configuration (with paths changed appropriately)
 +
 +**Note: This doesn't actually send the logs in FTICKS format but it does send them in a format which Jisc can convert to FTICKS. However, it's absolutely critical that the FedID is set correctly** 
  
 <code> <code>
Line 119: Line 141:
 <Input tcp_ise> <Input tcp_ise>
     Module im_tcp     Module im_tcp
-    Host  10.10.10.10+    Host  10.10.10.10 # Set this to the address of the Windows syslog server
     Port  514     Port  514
     <Exec>     <Exec>
-      if $SyslogFacility != "local6" drop();+      if $SyslogFacility != "local0" drop();
       if $raw_event !~ /CISE_Passed_Authentications/ drop();       if $raw_event !~ /CISE_Passed_Authentications/ drop();
-      $FedID="0X000";+      $FedID="XXXXX"; # Set this to the Federation ID provided by Jisc 
 +      $SyslogFacility = "local6";
     </Exec>     </Exec>
 </Input> </Input>
  
 +## For future use
 <Output syslog_tls> <Output syslog_tls>
     Module      om_ssl     Module      om_ssl
     Host        212.219.243.132     Host        212.219.243.132
     Port        6514     Port        6514
-  CAFile      c:/Program Files (x86)/nxlog/data/cacert.pem+   CAFile      c:/Program Files (x86)/nxlog/data/cacert.pem
 #    CertFile    c:/Program Files (x86)/nxlog/data/clientreq.pem #    CertFile    c:/Program Files (x86)/nxlog/data/clientreq.pem
 #    CertKeyFile c:/Program Files (x86)/nxlog/data/clientkey.pem #    CertKeyFile c:/Program Files (x86)/nxlog/data/clientkey.pem
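Review bot: `$FedID="XXXXX";` is a placeholder that will be forwarded verbatim if the operator forgets to replace it, and the note above calls a correct FedID absolutely critical; consider a guard in the same <Exec> block (for example `if $FedID == "XXXXX" drop();`, using the drop() already in this block) so a missed edit fails loudly instead of mislabelling records. The revised comment on `Host 10.10.10.10` correctly describes the im_tcp listen address on the Windows syslog server, but since the old text said "ISE host", add that ISE must be pointed at this address and port 514 with facility local0, which is what the facility check now expects before relabelling to local6.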
Line 146: Line 170:
     OutputType  Syslog_TLS     OutputType  Syslog_TLS
     Exec        to_syslog_ietf();     Exec        to_syslog_ietf();
-    Exec        $SyslogFacility = "local6"; 
 </Output> </Output>
  
Line 156: Line 179:
 </code> </code>
  
-  * Change 0X000 to the supplied Federation ID. +  * Change XXXXX to the supplied Federation ID. 
-  * Change the 'Host' in 'Input tcp_ise' to the address of the ISE host.+  * Change the 'Host' in 'Input tcp_ise' to the address of the syslog server.
   * (Ignore the syslog_tls part, that's for future use)   * (Ignore the syslog_tls part, that's for future use)
   * Restart the Service   * Restart the Service
 +
 +====Untested Advanced Configuration====
 +
 +There's a limitation to the logging process which might be addressable.
 +
 +Problem: Not all member organisations can or do set the Operater-Name attribute in their Requests. Ideally the RFO should be able to insert an O-N with a value set on behalf of your site but only some RADIUS servers are capable of doing this (FreeRADIUS, RadSecProxy, RADIATOR). The next best option is to insert a generic value for the Federation. i.e:
 +
 +When an RFO, scarfolk.gov.uk, gets a request from a site, say arkham.nhs.uk:
 +  - If the Operator-Name is set to, say, 1arkham.nhs.uk then leave it as is.
 +  - If the Operator-Name is missing the insert an Operator-Name with the value '1arkham.nhs.uk' no matter which of the several holby,nhs.uk servers the request comes from.
 +  - If there's no way to set the Operator-Name as in (2) then just insert an Operator-Name of, say, '1scarfolk.gov.uk'
 +
 +This way the home site will, at best, see an Operator-Name with the source site's value or, at worst, with it set to the Federation's value. 
 +
 +However, this conditional setting of Operator-Name isn't something found in servers like ClearPass, ISE or NPS. NPS is completely incapable of setting the Operator-Name. ClearPass can't do any sort of conditional setting. ISE might be able to. 
 +
 +===Conditional Setting of Operator-Name===
 +
 +For each RADIUS Server Sequence dealing with proxying to a member organisation for authentication, go into the Advanced Attribute Settings and enable //Modify attributes in Request to External RADIUS Server//
 +
 +Set it to //Update Radius:Operator-Name = "" 1scarfolk.gov.uk//
 +
 +which should replace the Operator-Name's value with 1scarfolk.gov.uk if it's empty.
 +
 +{{:siteadmin:screenshot_2024-05-15_at_11.19.33.png?direct&400|IMAGE}}
 +
 +Unfortunately, due to bugs in our ISE, we can't test this.
 +
 +
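Review bot: the "Untested Advanced Configuration" text has a few slips that will mislead readers: "Operater-Name" should be "Operator-Name", "If the Operator-Name is missing the insert" should read "then insert", and step 2 mixes example sites (the request comes from arkham.nhs.uk but the servers are named "holby,nhs.uk", with a comma where a dot belongs). The ISE expression `Update Radius:Operator-Name = "" 1scarfolk.gov.uk` is also given without saying which token is the matched (empty) value and which is the replacement; spelling that out, and noting that the leading "1" is the RFC 5580 REALM namespace prefix, would make the section usable once it can be tested.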
siteadmin/fticks_logging_for_cisco_ise.1715766935.txt.gz · Last modified: 2024/05/15 09:55 by admin