topic 802.1x WLAN auth not showing client ip in win 2008 AD security log in Network Access Control

802.1x WLAN auth not showing client ip in win 2008 AD security log

hallvard.solem — Mon, 11 Mar 2019 02:14:31 GMT

Hello.

I have a ongoing project configuring a cisco wlan with 802.1x, where microsoft network policy server is used for radius authentication.

Configuring the SSID on the WLC, and the 802.1x on wlc/radius server works fine, users type in their username and password on a smartphone/ipad etc and get access to the network.

The problem im facing is that I want to log the clients ip-address on the radius-server security log, so I can use cisco active directory agent to find the ip against username mapping in ironport.

The active directory agent checks the domain controllers security log to see what ip-address belongs to which user. In this scenario the user is mapped to the wlc ip, not the smartphone/ipad. The result is a lot of users mapped to the wlc ip-address, and the logs in cisco ADA/ironport is worthless.

Is there any way to configure wlc/802.1x to send the actual client ip-address to the authentication server, and not the WLC?

802.1x WLAN auth not showing client ip in win 2008 AD security l

Jatin Katyal — Tue, 26 Jun 2012 19:19:17 GMT

Please configure radius accounting on the WLC to have the required logs on the NPS server.

On the WLC, make sure we have radius accounting server configured under security > AAA > radius > accounting

After that Go to WLAN, edit the WLAN > security > AAA server and enable radius accounting.

Radius accounting on NPS logs

http://technet.microsoft.com/en-us/library/dd197475%28v=ws.10%29.aspx

Regards,

Jatin

802.1x WLAN auth not showing client ip in win 2008 AD security l

hallvard.solem — Wed, 27 Jun 2012 18:58:08 GMT

Thank you for replying Jatin,

After enabling accounting, I can now see the client ip-address in the nps logfile.

However cisco active directory client cannot map the ip against username unless it's in the windows security event log. Im also afraid it has to be a kerberos authentication, not 802.1x for it to work.

Any suggestions how to fix this issue? Cisco ADA is in my opinion worthless not supporting 802.1x.--

802.1x WLAN auth not showing client ip in win 2008 AD security l

Jatin Katyal — Wed, 27 Jun 2012 22:45:50 GMT

I was actually reading this for your above question.

http://tools.cisco.com/squish/bdc553

802.1x WLAN auth not showing client ip in win 2008 AD security l

richardbergen — Mon, 07 Jan 2013 16:08:36 GMT

I'm also having the same dilemma, just curious what if anything you have done to get this to work?

CDA can also act as a syslog

Santhoshkumar Duraiswamy — Wed, 15 Jul 2015 00:17:21 GMT

CDA can also act as a syslog server when one or more syslog clients are added. It can connect to Cisco Identity Services Engine (ISE) and Cisco Secure Access Control System (ACS) and receive syslog messages. You can check live logs to see the syslog messages received. The advantage is to integrate CDA with 802.1x deployment and support other devices that are not necessarily authenticated by Microsoft domain controller.

CDA supports ISE 1.1.x and 1.2 and ACS 5.3, and 5.4 only.