
TACACS accounting from Cisco ISE report for Palo Alto Firewall, F5 devices, Windows server.

kaushalparab
Level 1

Hi,

I have a few admin users who authenticate with TACACS on Cisco ISE. I want to monitor all the commands they issued on devices and which devices they access, for audit purposes. I am able to get the reports from Cisco switches for which users access what devices and executed which commands, but I don't get the details of which commands the user executed and which device they access in Cisco ISE for F5 LB, Palo Alto firewall, Windows server, etc. Can anyone help? Thanks.

4 Replies

QusaiBashir
Level 1

Hello sir,

Could you please share if you got an answer, because I am facing the same issue.

Best regards

Cgoldman1
Level 1

Does anybody have a Network Device Profile for Palo Alto in ISE?

Our PA devices are authenticating fine with ISE via TACACS; however, network device profile = Cisco, which drives me nuts. I cannot find any documentation on how to build an NDP in ISE for Palo Alto.

Regards!

Go to Policy > Policy Elements > Dictionaries > Radius > RADIUS Vendors and add a new dictionary; you can call it Palo Alto and set the vendor ID to be 25461. Then create a new network device profile and associate the RADIUS dictionary attribute you created.

"but I don't get the details of which commands the user executed and which device they access in Cisco ISE for F5 LB, Palo Alto firewall, Windows server, etc."

There are limitations on what you can do with "non" Cisco devices like Palo Alto or F5 devices. The best thing to do is to send PAN or F5 audit logs via syslog to either Elasticsearch or Splunk and you can find them there. Much easier to do than using Cisco ISE.

My 2c.