User Name Reporting - Cisco ISE Integration

Overview

User Name Reporting options for Cisco ISE include lists of user names available at Status>Vendor Specific>Cisco ISE; ability to search across all flows for user names, and also a Cisco ISE option in the Other menu in reports to see which user has generated specific traffic.

Enable ERS

The first part of Cisco ISE integration for User Name Reporting is to enable ERS (External RESTful Services) on the Cisco ISE appliance.

Supported versions of Cisco ISE are ISE 1.2, 1.3, 1.4, 2.0, and 2.1.

  1. On the Cisco ISE server, create a new user with the following permissions:

    • ERS Admin
    • ERS Operator
    • Super Admin
    • System Admin
  2. To learn more about enabling ERS on Cisco ISE version 1.2, 1.3, 1.4, 2.0 or 2.1, visit this page on Cisco’s web site.

  3. To test the configuration external to Scrutinizer, use POSTMAN to do a GET Request.

    1. Making a GET Request Using POSTMAN-
    2. Use this URL for the test - https://[ISE_SERVER]/ise/mnt/Session/AuthList/null/null

Tip

When using POSTMAN, first navigate to the server with your browser, tell Chrome it is OK to use a bad certificate, and leave that window open.

Configure Cisco ISE Integration in Scrutinizer

The initial configuration on the Scrutinizer server can be performed from within Interactive scrut_util with just one command.

Login to the Scrutinizer server with administrative permissions and run the following command to open the Interactive scrut_util prompt:

/home/plixer/scrutinizer/bin/scrut_util.exe

Then, at the SCRUTINIZER> prompt, enter:

SCRUTINIZER> ciscoise add <ise_ip> <ise_tcp_port> <ise_user>

This command adds a CiscoISE node to the queue to acquire user identity on all active sessions.

The required parameters are the host address <ise_ip>, tcp port <ise_tcp_port>, and user <ise_user> that can access the API (the new user created in step 1 of Enable ERS).

Scrutinizer will prompt the user for the <ise_user> password.

Other scrut_util options for CiscoISE

ciscoise check
Tests polling and outputs the results to the screen for review.
ciscoise kick <ise_id> [<mac_address>] <user_ip>
Kicks the user off the ISE node forcing them to re-authenticate. Minimally the user’s IP address is required. Optionally, the <mac_address> can be provided.
ciscoise nodelist
Lists the currently configured CiscoISE nodes.
ciscoise poll
Runs a poll manually and outputs the results to the screen.
ciscoise remove <ise_ip>
Removes a CiscoISE node from Scrutinizer. The required parameter <ise_ip> is the IP address of the CiscoISE node.
ciscoise update <ise_ip> <ise_tcp_port> <ise_user>
Updates existing configuration settings for a specific CiscoISE node. The required parameters are the host address <ise_ip>, tcp port <ise_tcp_port>, and user <ise_user> that can access the API.

Scrutinizer will prompt the user for the <ise_user> password.

Note

For further information on CiscoISE scrut_util commands, see the Interactive scrut_util section.