Blog :: Network Operations

Username Reporting – NetFlow Integration with Cisco ISE

scottr

Traditionally in networking, we track down end systems by searching on IP addresses. Although this is a great way to narrow in on an end system, what do you do if the IP address changes? Would you benefit if you could associate the host IP to an actual username? After all, we really want to know “who done it” and that would be the person who authenticated the device onto the network.

Configuring and using the integration with Cisco ISE (Identity Services Engine) makes it easy to find, by username, which IP address a user has logged in from.

The first step to integrate Cisco ISE for username reporting is to enable ERS (External RESTful Services) on the Cisco ISE appliance.

(Supported versions of Cisco ISE are ISE 1.2, 1.3, 1.4, 2.0, and 2.1)

From the ISE console:

  1. Go to Administration Tab>Systems>Admin Access
  2. Under Administrators, select Admin Groups
  3. Check the option ERS Admin

Cisco ISE - Enable ERS Admin in Admin Groups to access RestAPI

The second step of the integration setup is to create a new user with the following permissions:

  • ERS Admin
  • ERS Operator
  • Super Admin
  • System Admin

From the ISE console:

  1. Go to Administration Tab>Systems>Admin Access
  2. Under Administrators, select Admin Users
  3. Click on New Administrator

Enter the appropriate user information to fill in the boxes.

At the bottom of this page, under Admin Groups, add groups so that this user is a member of the four groups listed above.

Cisco ISE - Add an Admin User

Now it is time to configure the Integration with Cisco ISE in Scrutinizer.

The last step, completing the configuration between Scrutinizer and Cisco ISE, requires just one command in the interactive scrut_util command line shell on the Scrutinizer server.

Log in to the Scrutinizer server with administrative permissions and run the following command to open the Interactive scrut_util prompt:

/home/plixer/scrutinizer/bin/scrut_util.exe

Note: if you log in as the plixer user, you will already be in the scrut_util command shell.

Then at the SCRUTINIZER> prompt, enter:

ciscoise add <ise_ip> <ise_web_port> <ise_user>

This command adds a CiscoISE node to the queue to acquire user identity on all active sessions.

The required parameters are the host address <ise_ip>, the TCP port <ise_web_port> of the ISE web/API service, and the user <ise_user> that can access the API (the new user created on the ISE server in step 2).

Scrutinizer will prompt the user for the <ise_user> password.

Here are some other scrut_util options used to test or modify an existing Cisco ISE configuration:

ciscoise check

Tests polling and outputs the results to the screen for review.

ciscoise kick <ise_id> [<mac_address>] <user_ip>

Kicks the user off the ISE node, forcing them to re-authenticate.

At minimum, the user’s IP address <user_ip> is required. Optionally, you can supply the <mac_address> as well.

ciscoise nodelist

Lists the currently configured CiscoISE nodes.

ciscoise poll

Runs a poll manually and outputs the results to the screen.

ciscoise remove <ise_ip>

Removes a CiscoISE node from Scrutinizer.

The required parameter <ise_ip> is the IP address of the CiscoISE node.

ciscoise update <ise_ip> <ise_tcp_port> <ise_user>

Updates existing configuration settings for a specific CiscoISE node.

The required parameters are the host address <ise_ip>, tcp port <ise_tcp_port>, and user <ise_user> that can access the API.

Scrutinizer will prompt for the <ise_user> password in any of the above commands that take an <ise_user> parameter.

Having the IP address of the affected users is good. Correlating IPs with usernames is much better.

Username NetFlow Reporting options for Cisco ISE include lists of usernames available in the webUI at Status Tab>Vendor Specific>Cisco ISE, the ability to search across all flows for usernames, and a Cisco ISE option in the Other menu in reports to see which user has generated specific traffic.

By collecting the username data using the configuration outlined above, we can correlate the details provided by Cisco ISE with the NetFlow, IPFIX, and even sFlow data exported by the network devices carrying the traffic from the devices authenticating onto the network.
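To make the correlation concrete, here is an added example (not Scrutinizer's or Cisco's code) of the join Scrutinizer performs between an identity feed and flow records. It is time-bounded: each flow is attributed to whoever held the source IP at the moment of the flow, which is what lets the mapping survive the IP reassignment described at the top of this post. The session record layout (user, framed_ip, start, end), the flow record layout, and every address, username and timestamp below are constructed for the example; the real feed Scrutinizer polls from ISE carries its own field names. The unattributed() helper picks out flows whose source IP had no authenticated session at that time, which is the set an analyst would want to look at first.

```python
# Added example (not Scrutinizer's or Cisco's code): join a time-bounded
# username-to-IP session feed against flow records so that every flow is
# attributed to whoever held the source IP at that moment. The session and
# flow field names and all sample values below are constructed; the real
# identity feed polled from Cisco ISE has its own field names.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    username: str
    ip: str
    start: datetime
    end: Optional[datetime]        # None means the session is still active


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src_ip: str
    dst_ip: str
    dst_port: int
    byte_count: int


def _t(hh: int, mm: int) -> datetime:
    # All constructed timestamps fall on one UTC day.
    return datetime(2024, 5, 1, hh, mm, tzinfo=timezone.utc)


def parse_sessions(records: List[dict]) -> List[Session]:
    """Turn raw session dicts (assumed shape: user, framed_ip, start, end) into
    Session objects. Timestamps are ISO 8601; a missing/empty 'end' means active."""
    out = []
    for r in records:
        end = datetime.fromisoformat(r["end"]) if r.get("end") else None
        out.append(Session(r["user"], r["framed_ip"], datetime.fromisoformat(r["start"]), end))
    return out


def user_for(sessions: List[Session], ip: str, ts: datetime) -> Optional[str]:
    """Username that held `ip` at `ts`, or None if no session covers that instant.
    The end time is exclusive. If records overlap (e.g. a stale session that was
    never closed), the latest-starting one wins, because a re-authentication
    produces a fresh session."""
    best: Optional[Session] = None
    for s in sessions:
        if s.ip != ip or ts < s.start or (s.end is not None and ts >= s.end):
            continue
        if best is None or s.start > best.start:
            best = s
    return best.username if best else None


def attribute_flows(sessions: List[Session], flows: List[Flow]) -> List[Tuple[Flow, Optional[str]]]:
    # Pair every flow with the user who held its source IP when it was seen.
    return [(f, user_for(sessions, f.src_ip, f.ts)) for f in flows]


def bytes_by_user(attributed: List[Tuple[Flow, Optional[str]]]) -> Dict[Optional[str], int]:
    # Per-user traffic totals; the None bucket collects unattributed bytes.
    totals: Dict[Optional[str], int] = defaultdict(int)
    for flow, user in attributed:
        totals[user] += flow.byte_count
    return dict(totals)


def unattributed(attributed: List[Tuple[Flow, Optional[str]]]) -> List[Flow]:
    """Flows whose source IP had no authenticated session at the time: either an
    unauthenticated host or a gap in the identity feed, worth reviewing."""
    return [f for f, user in attributed if user is None]


# Constructed sample: 10.1.1.50 is used by alice, released, then re-used by bob.
RAW_SESSIONS = [
    {"user": "alice", "framed_ip": "10.1.1.50",
     "start": "2024-05-01T08:00:00+00:00", "end": "2024-05-01T10:00:00+00:00"},
    {"user": "bob", "framed_ip": "10.1.1.50",
     "start": "2024-05-01T10:30:00+00:00", "end": ""},
    {"user": "carol", "framed_ip": "10.1.1.60",
     "start": "2024-05-01T07:45:00+00:00", "end": ""},
]
SESSIONS = parse_sessions(RAW_SESSIONS)

# Constructed flow records (source IP, destination, port, bytes).
FLOWS = [
    Flow(_t(9, 15), "10.1.1.50", "203.0.113.10", 443, 1200),   # during alice's session
    Flow(_t(10, 10), "10.1.1.50", "203.0.113.10", 443, 300),   # gap: nobody logged in
    Flow(_t(10, 45), "10.1.1.50", "198.51.100.5", 22, 800),    # same IP, now bob
    Flow(_t(11, 0), "10.1.1.99", "198.51.100.5", 22, 50),      # IP with no session at all
]

if __name__ == "__main__":
    attributed = attribute_flows(SESSIONS, FLOWS)
    for flow, user in attributed:
        print(f"{flow.ts:%H:%M} {flow.src_ip} -> {flow.dst_ip}:{flow.dst_port} user={user}")
    print("bytes by user:", bytes_by_user(attributed))
    print("unattributed:", [(f.src_ip, f"{f.ts:%H:%M}") for f in unattributed(attributed)])
```

The exclusive end time matters: a flow stamped exactly at a session's end is not credited to that user, and a flow in the window between alice's logout and bob's login on the same IP is left unattributed rather than guessed, so the report never blames the wrong person for traffic on a reused address.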

Correlating logged-in usernames to any address in the network provides a great tool for investigating network issues. Contact our support team if you want to learn more about these integrations, or need help with configurations.