https://community.cisco.com/t5/network-access-control/username-attributes-sent-from-ise-to-pa-fw-for-url-filtering/m-p/3430281#M524297 <HTML><HEAD></HEAD><BODY><P>Tim,</P><P></P><P>I will validate that if they are doing BYOD flow they aren't using 802.1x or EAP-TLS. If they aren't then your response makes perfect sense.</P><P></P><P>Thanks for the quick response. </P><P></P><P>Rob</P></BODY></HTML> Thu, 15 Jun 2017 19:33:48 GMT rroulhac 2017-06-15T19:33:48Z https://community.cisco.com/t5/network-access-control/username-attributes-sent-from-ise-to-pa-fw-for-url-filtering/m-p/3430279#M524294 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-size: 10pt;">All,</SPAN></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt;">I have this request from a partner that is facing a </SPAN><SPAN style="font-size: 10pt;">scenario where there is a school that is using ISE to allow students to register their devices, up to three, to get access to the network. Once they register there is no re-registration process. They are attempting to send user information to their Palo Alto which they use for URL filtering and only provides </SPAN><SPAN style="font-size: 10pt;">IP</SPAN><SPAN style="font-size: 10pt;"> addresses. They had integrated with ISE to pull the identity information but for the self-registered </SPAN><SPAN style="font-size: 10pt;">devices</SPAN><SPAN style="font-size: 10pt;">, they are only receiving the mac address and not the </SPAN><SPAN style="font-size: 10pt;">student's</SPAN><SPAN style="font-size: 10pt;"> name. According to the below, for wireless devices, Cisco ISE sends the user-id information only on the Authentication logs. Since the students are not forced to re-register it sounds like the log overwrites and there is no username.</SPAN></P><P></P><P>They are currently running ISE 1.4 so wanted to know if this behavior has changed in the newer versions or if there is another option to pull data from somewhere other than the log.</P><P></P><P><A class="jive-link-external-small" href="https://live.paloaltonetworks.com/t5/Integration-Articles/Integrating-Cisco-ISE-Guest-Authentication-with-PAN-OS/ta-p/98295" rel="nofollow" target="_blank">https://live.paloaltonetworks.com/t5/Integration-Articles/Integrating-Cisco-ISE-Guest-Authentication-with-PAN-OS/ta-p/98295</A></P><P></P><P>-- </P><P></P><P>Grace and Peace,</P><P></P><P>Robert E Roulhac Jr</P><P>Virtual Systems Engineer II</P><P>Cisco TSN (Technical Solutions Network)</P><P><A class="jive-link-email-small" href="mailto:rroulhac@cisco.com">rroulhac@cisco.com</A></P><P>Office: 919.5745455</P></BODY></HTML> Thu, 15 Jun 2017 19:25:23 GMT https://community.cisco.com/t5/network-access-control/username-attributes-sent-from-ise-to-pa-fw-for-url-filtering/m-p/3430279#M524294 rroulhac 2017-06-15T19:25:23Z https://community.cisco.com/t5/network-access-control/username-attributes-sent-from-ise-to-pa-fw-for-url-filtering/m-p/3430280#M524296 <HTML><HEAD></HEAD><BODY><P>Robert,</P><P></P><P>I don't think so.&nbsp; It sounds like the authentication type is MAB.&nbsp; With a MAB authentication, you will only get the L2 address.&nbsp; To get the username, you would need to do 802.1X which would include the username.</P><P></P><P>Regards,</P><P>-Tim</P></BODY></HTML> Thu, 15 Jun 2017 19:30:30 GMT https://community.cisco.com/t5/network-access-control/username-attributes-sent-from-ise-to-pa-fw-for-url-filtering/m-p/3430280#M524296 Timothy Abbott 2017-06-15T19:30:30Z https://community.cisco.com/t5/network-access-control/username-attributes-sent-from-ise-to-pa-fw-for-url-filtering/m-p/3430281#M524297 <HTML><HEAD></HEAD><BODY><P>Tim,</P><P></P><P>I will validate that if they are doing BYOD flow they aren't using 802.1x or EAP-TLS. If they aren't then your response makes perfect sense.</P><P></P><P>Thanks for the quick response. </P><P></P><P>Rob</P></BODY></HTML> Thu, 15 Jun 2017 19:33:48 GMT https://community.cisco.com/t5/network-access-control/username-attributes-sent-from-ise-to-pa-fw-for-url-filtering/m-p/3430281#M524297 rroulhac 2017-06-15T19:33:48Z https://community.cisco.com/t5/network-access-control/username-attributes-sent-from-ise-to-pa-fw-for-url-filtering/m-p/3430282#M524298 <HTML><HEAD></HEAD><BODY><P>Makes sense that this might not be possible to achieve using syslog.</P><P>I think with ISE APIs you can fetch the username from the MAC address which is populated in &lt;PortalUser&gt; field. </P></BODY></HTML> Mon, 19 Jun 2017 15:45:18 GMT https://community.cisco.com/t5/network-access-control/username-attributes-sent-from-ise-to-pa-fw-for-url-filtering/m-p/3430282#M524298 umahar 2017-06-19T15:45:18Z