STIGQter: STIG Summary: Cisco ISE NAC Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 13 Apr 2021:

The Cisco ISE must be configured with a secondary log server in case the primary log is unreachable.

DISA Rule

SV-242596r714098_rule

Vulnerability Number

V-242596

Group Title

SRG-NET-000336-NAC-001390

Rule Version

CSCO-NC-000220

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure Remote Logging Targets.

From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Targets.
2. Select "Secure Syslog" or "TCP Syslog" in the Target Type drop-down.
3. Configure a desired name.
4. Configure the Host/IP address.
5. Check the box for "Buffer Messages When Server Down".
6. If "Secure Syslog" is used, select the CA certificate that determines which system certificate is used to secure this connection.
7. Choose "Submit".

Note: "LogCollector" and "LogCollector2" represent the monitoring (MnT) nodes defined in the deployment. If there is a primary and a secondary MnT node, then nothing more is needed.

Note: "ProfilerRadiusProbe" or any other target with a "127.0.0.1" address does not count as being a "Remote" Logging Target.

Check Contents

Review the configured Remote Logging Targets to ensure there are, at a minimum, two configured.

From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Targets.
2. Verify that "LogCollector" and "LogCollector2", or an additional target, are defined and enabled.

If there are not two separate logging targets defined, this is a finding.

Note: "ProfilerRadiusProbe" or any other target with a "127.0.0.1" address does not count as being a "Remote" Logging Target.
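As an added example (not part of the STIG and not Cisco's own tooling), the check above, together with the buffering and target-type choices from the Fix Recommendation, expressed as a small Python evaluation over a constructed list of logging targets. The LoggingTarget record layout and the sample hosts are assumptions, since ISE does not export its targets in this form; the 127.0.0.1 exclusion is generalized to any loopback address.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class LoggingTarget:
    """Assumed representation of one row of Administration >> System >> Logging >> Logging Targets."""
    name: str
    host: str               # the Host/IP address field
    target_type: str        # e.g. "Secure Syslog", "TCP Syslog", "UDP Syslog"
    enabled: bool
    buffer_when_down: bool  # the "Buffer Messages When Server Down" checkbox


def is_remote(target: LoggingTarget) -> bool:
    """A loopback address (127.0.0.1, anything in 127/8, or ::1) is not a Remote Logging Target."""
    try:
        return not ipaddress.ip_address(target.host).is_loopback
    except ValueError:
        # Hostnames: only the literal "localhost" is treated as local.
        return target.host.lower() != "localhost"


def remote_targets(targets):
    """Enabled targets that point at a remote host; disabled rows do not count."""
    return [t for t in targets if t.enabled and is_remote(t)]


def evaluate(targets):
    """Return (finding, remote_target_names, warnings) for CSCO-NC-000220.

    finding is True when fewer than two enabled remote targets exist. Warnings
    flag remote targets that skip buffering or use a type other than Secure/TCP Syslog.
    """
    remote = remote_targets(targets)
    warnings = []
    for t in remote:
        if not t.buffer_when_down:
            warnings.append(f"{t.name}: 'Buffer Messages When Server Down' is not checked")
        if t.target_type not in ("Secure Syslog", "TCP Syslog"):
            warnings.append(f"{t.name}: target type {t.target_type!r} is not Secure or TCP Syslog")
    return len(remote) < 2, [t.name for t in remote], warnings


# Constructed sample: a single MnT node plus the local profiler probe (a finding).
SAMPLE_NONCOMPLIANT = [
    LoggingTarget("LogCollector", "10.0.0.20", "Secure Syslog", True, True),
    LoggingTarget("ProfilerRadiusProbe", "127.0.0.1", "UDP Syslog", True, False),
]
# Constructed sample: primary and secondary MnT nodes (not a finding).
SAMPLE_COMPLIANT = SAMPLE_NONCOMPLIANT + [
    LoggingTarget("LogCollector2", "10.0.0.21", "Secure Syslog", True, True),
]

if __name__ == "__main__":
    for label, sample in (("noncompliant", SAMPLE_NONCOMPLIANT), ("compliant", SAMPLE_COMPLIANT)):
        finding, names, warns = evaluate(sample)
        print(label, "FINDING" if finding else "PASS", names, warns)
```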

Vulnerability Number

V-242596

Documentable

False

Rule Version

CSCO-NC-000220

Severity Override Guidance

Review the configured Remote Logging Targets to ensure there are, at a minimum, two configured.

From the Web Admin portal:
1. Choose Administration >> System >> Logging >> Logging Targets.
2. Verify that "LogCollector" and "LogCollector2", or an additional target, are defined and enabled.

If there are not two separate logging targets defined, this is a finding.

Note: "ProfilerRadiusProbe" or any other target with a "127.0.0.1" address does not count as being a "Remote" Logging Target.

Check Content Reference

M

Target Key

5383

Comments