Configuring Cisco ISE 1.2 and StealthWatch Integration

09/04/13

Due to changes in the integration of Cisco Identity Services Engine (ISE) and StealthWatch, the following must be completed to reliably receive user and device information.  The key change is that StealthWatch now receives data via syslog instead of solely through the ISE API.  This allows the system to scale and greatly improves the reliability of the user and device information.

Configuring ISE Services:

It is necessary to configure the Cisco Identity Services Engine to send specific syslog messages to the StealthWatch system, specifically to the SMC.  The following procedures are required on the ISE server.

  • Target Type:  UDP Syslog
  • Status: Enabled
  • Name: Required
  • IP Address:  IP Address of SMC
  • Port:  Specific port (Recommended is 3514)
  • Max Length:  I usually do 4096 due to profile and additional information.  This may not be required but it does not hurt anything.

Next, set up the following logging categories to send information to StealthWatch:

  • Radius Accounting
  • Administrative and Operational Audit
  • Profiler

Configuring StealthWatch Services:

Configuring StealthWatch for ISE is very straightforward. The following procedures are required to complete the integration of ISE:

  • Name:  <pick a name>
  • Collection Port:  The same you used above, 3514 is the default
  • User Name:  Admin or another user on ISE.  Suggest a dedicated account.
  • Password:  The very complex password configured for the user above.

Now you need to add the different nodes in the deployment to the cluster.  It is recommended that you add ALL nodes to the cluster:

  • Name:  Name of the node
  • IP Address:  IP Address of the node

This completes the required configuration of ISE. Now the user and device identity will be sent via syslog and can be seen in the Identity and Device Table within StealthWatch. (As seen below)
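To confirm that every ISE node in the deployment is actually sending syslog on the collection port, the following added example (not part of the original post and not Priveon or Cisco code) tallies received datagrams per node and flags silent nodes, senders missing from the node list, and messages that reach the configured Max Length. It assumes it runs on a scratch host temporarily set up as an ISE syslog target; the function names and the 192.0.2.x node addresses are hypothetical, and the sample datagrams are constructed.

```python
import re
import socket
import time

COLLECTION_PORT = 3514   # collection port recommended on this page
MAX_LENGTH = 4096        # Max Length configured on the ISE syslog target
PRI = re.compile(rb"^<(\d{1,3})>")  # standard syslog priority prefix

def summarize(datagrams, expected_nodes, max_length=MAX_LENGTH):
    """Tally (source_ip, payload) pairs against the expected ISE node list."""
    report = {ip: {"messages": 0, "at_limit": 0, "no_pri": 0} for ip in expected_nodes}
    unexpected = {}
    for src, payload in datagrams:
        if src not in report:            # sender that was never added as a node
            unexpected[src] = unexpected.get(src, 0) + 1
            continue
        row = report[src]
        row["messages"] += 1
        if len(payload) >= max_length:   # heuristic: may have been cut at the limit
            row["at_limit"] += 1
        m = PRI.match(payload)
        if not m or int(m.group(1)) > 191:   # valid syslog PRI values are 0..191
            row["no_pri"] += 1
    silent = sorted(ip for ip, row in report.items() if row["messages"] == 0)
    return {"nodes": report, "silent": silent, "unexpected": unexpected}

def capture(seconds, port=COLLECTION_PORT):  # live use: returns [(source_ip, payload)]
    got = []
    deadline = time.monotonic() + seconds
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while (left := deadline - time.monotonic()) > 0:
            sock.settimeout(left)
            try:
                payload, (src, _) = sock.recvfrom(65535)
            except socket.timeout:
                break
            got.append((src, payload))
    return got

# Constructed sample input (not real ISE output); 192.0.2.x are documentation addresses.
SAMPLE = [
    ("192.0.2.10", b"<181>constructed accounting message"),
    ("192.0.2.10", b"<181>" + b"A" * (MAX_LENGTH - 5)),   # exactly at the limit
    ("192.0.2.99", b"<13>constructed message from a host not in the node list"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE, ["192.0.2.10", "192.0.2.11"]))
```

For a live check, pass `capture(60)` in place of `SAMPLE` together with the real node addresses; any address listed under `silent` has not sent a message during the capture window.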

 

Caveats:

The certificate for ISE must be trusted by StealthWatch. You may need to import the certificates into the two systems for the trust to exist. Better yet, all ISE and StealthWatch servers should be part of the internal PKI to inherently allow this trust.

Priveon, Inc.

Today's complex security and networking solutions require a great deal of knowledge to successfully support and operate. Priveon uses the field experience of its expert staff to develop and maintain a positive reinforcement loop between business practices and to provide the latest information to our customers. The information posted here is supported by Priveon subject-matter experts.
