User name reporting - Cisco ISE integration

Overview

User Name Reporting options for Cisco ISE include lists of user names, the ability to search across all flows by user name, and a Cisco ISE option in the Other menu in reports that shows which user generated specific traffic.

Enabling ERS

The first part of Cisco ISE integration for User Name Reporting is to enable ERS (External RESTful Services) on the Cisco ISE appliance.

Important

Supported versions of Cisco ISE are ISE 1.2, 1.3, 1.4, 2.0, 2.1 and 2.3.

  1. On the Cisco ISE server, create a new user with the following permissions:

    • ERS Admin
    • ERS Operator
    • Super Admin
    • System Admin
  2. To learn more about enabling ERS on Cisco ISE version 1.2, 1.3, 1.4, 2.0, 2.1, or 2.3, visit this page on Cisco’s web site.

  3. To test the configuration external to Scrutinizer, use POSTMAN to make a GET request with this URL:

https://[ISE_SERVER]/ise/mnt/Session/AuthList/null/null

Hint

When making a GET request using POSTMAN, navigate to the server with your browser, tell Chrome it is OK to use a bad certificate, and leave that window open.

Configuring Cisco ISE integration in Plixer Scrutinizer

  1. Log into the Plixer Scrutinizer server with administrative permissions and run the following command to open the interactive CLI prompt:

/home/plixer/scrutinizer/bin/scrut_util.exe

  2. At the SCRUTINIZER> prompt, enter:

SCRUTINIZER> ciscoise add <ise_ip> <ise_tcp_port> <ise_user>

This command adds a CiscoISE node to the queue to acquire user identity on all active sessions. The required parameters are the host address <ise_ip>, TCP port <ise_tcp_port>, and user <ise_user> that can access the API.

  3. Scrutinizer will prompt the user for the <ise_user> password.

Other scrut_util options for CiscoISE

| Command | Description |
|---|---|
| ciscoise check | Tests polling and outputs the results to the screen for review. It’s a good way to verify that Scrutinizer is collecting user identity information properly. |
| ciscoise kick <ise_id> <mac_address> <user_ip> | Kicks the user off the ISE node, forcing them to re-authenticate. At minimum, the user’s IP address is required. Optionally, the <mac_address> can be provided. |
| ciscoise nodelist | Lists the currently configured CiscoISE nodes. |
| ciscoise poll | Runs a poll manually and outputs the results to the screen. When integration is enabled, polling is performed automatically on a routine basis. To diagnose issues, run ‘ciscoise check’ or ‘ciscoise test’. |
| ciscoise remove <ise_ip> | Removes a CiscoISE node from Scrutinizer. The required parameter <ise_ip> is the IP address of the CiscoISE node. |
| ciscoise test | Tests polling and outputs the results to the screen for review. It’s a good way to verify that Scrutinizer is collecting user identity information properly. |
| ciscoise update <ise_ip> <ise_tcp_port> <ise_user> | Updates existing configuration settings for a specific CiscoISE node. The required parameters are the host address <ise_ip>, TCP port <ise_tcp_port>, and user <ise_user> that can access the API. Scrutinizer will prompt for the <ise_user> password. |