I'm trying to get MARS 4.3 and my Cisco ACS 4.2 server working together to display NAC events on MARS. I've added the server which runs CSACS under Security/Monitor Devices, added the reporting application of Cisco Secure ACS 3.x (does this matter that there is no option for 4.x, should this still work?) and have installed the PNLogAgent on the CSACS server and configured it to forward logs to MARS. The problem is that I have users who are being quarantined by NAC and the CSACS server shows these in the logs, yet I don't see any event on the MARS server to reflect this.
Is this an ACS appliance or ACS running on your own Windows server?
Yes, there is no problem with ACS 3.x in the GUI; as per the user guide, ACS 4.x version should also be added as ACS 3.x. And I just set this up yesterday for a customer using an ACS SE appliance without any issues.
Did you add the MARS IP and log files in the PN Log agent?
Don't do a query for incidents. Do a 'real-time' query for 'Raw Events' selecting ONLY the ACS as the reporting device. Then try to generate any ACS related events from NAS/NAC devices, and then observe the output. You can also query for past raw events reported by the ACS Sw-Host.
Source IP field does not need to be changed, you need to change the 'reporting device'. Remove ANY and add ACS only.
Since ACS is supported from Cisco, I would assume they have made some rules for it. Try to generate failed attempts etc. 3-4 times and not just once, maybe Cisco put a 'higher' count than 1 for the rule.