cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
 
ISE 2.3 Patch 7 has been posted. This will be the last patch for the ISE 2.3 release!
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1170
Views
5
Helpful
8
Replies
Enthusiast

Cisco ISE and Umbrella integration. Would like user info to populate in Umbrella

I have successfully integrated Umbrella into my environment (ISE 2.3, WLC5520) and it appears to be working as expected.  Umbrella is scraping the domain controller logs looking for events to correlate usernames with IP addresses and this works, even for wireless users that domain users on domain joined devices that have unrestricted access to the inside network.  When I have domain users sign in on non domain joined devices, no user information in populated in Umbrella.  My question is, how do I get ISE authentications to generate umbrella friendly event IDs on the domain controller?

 

https://support.umbrella.com/hc/en-us/articles/230902448-Which-Window-Events-EventIDs-is-the-Connector-service-looking-for-

 

EventID 

Description

 4624

 

Event 4624 documents each and every successful attempt to logon to the local computer regardless of logon type, location of the user or type of account

 

 528

 

Event 528 is logged whenever an account logs on to the local computer, except for in the event of network logons. Event 528 is logged whether the account used for logon is a local SAM account or a domain account. 

 

 540

 

Event 540 gets logged when a user elsewhere on the network connects to a resource (e.g. shared folder) provided by the Server service on this computer. 

 

 538

 

Event 538 is logged whenever a user logs off, whether from a network connection, interactive logon, or other logon type. (See event 528 for a chart of logon types)

 

 4647

 

This event signals the end of a logon session and can be correlated back to the logon event 4624 using the Logon ID 

 

 4634

 

This event also signals the end of a logon session and can be correlated back to the logon event 4624 using the Logon ID.

 

 4768

 

This event is logged on domain controllers only and both success and failure instances of this event are logged. 

 

 4769

 

Windows uses this event ID for both successful and failed service ticket requests.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Cisco ISE and Umbrella integration. Would like user info to populate in Umbrella

This would be a feature request.

If you would like to formulate a solution on your own, please take a look at the sessions topic of ISE pxGrid.

8 REPLIES 8
Cisco Employee

Re: Cisco ISE and Umbrella integration. Would like user info to populate in Umbrella

This would be a feature request.

If you would like to formulate a solution on your own, please take a look at the sessions topic of ISE pxGrid.

Enthusiast

Re: Cisco ISE and Umbrella integration. Would like user info to populate in Umbrella

I was hoping for more of a collaborative experience here.  I was not even offered the option of deciding if this was an accepted solution. It was simply declared to be accepted with no discussion.  what use is this? Seems a little heavy handed Cisco.

VIP Engager

Re: Cisco ISE and Umbrella integration. Would like user info to populate in Umbrella

@r_wideman I also don't agree with the unanimous accepting a solution when the solution has not been solved.  It's fair enough to point us to the PM/Feedback Page - but that doesn't make it an accepted solution.  One day when the aliens find this forum they will think "wow, all their questions were answered!" ... little do they know ... ;-)

 

I don't know anything about Umbrella but it has sparked some interest. 

 

If you need a link to submit your feature request then try this

https://www.ciscofeedback.vovici.com/se.ashx?s=6A5348A7707FD7A6

Highlighted
Cisco Employee

Re: Cisco ISE and Umbrella integration. Would like user info to populate in Umbrella

Hi,

 

I would like to understand more about the use cases you are trying to solve with ISE and Umbrella integration. Would you be willing to get on a Webex meeting to discuss this?

 

Cheers,

Hari

Enthusiast

Re: Cisco ISE and Umbrella integration. Would like user info to populate in Umbrella

Yes Hari, I would love to discuss this via webex. I really think Cisco has an opportunity to improve integration between these two platforms.

Re: Cisco ISE and Umbrella integration. Would like user info to populate in Umbrella

Good afternoon! Sorry to see you, but could you solve the issue of logins with out-of-domain computers?
I am in the same problem.
The events generated by 802.1X for authentication, the umbrella connector does not see them.

Thank you very much for the help!

VIP Advocate RJI VIP Advocate
VIP Advocate

Re: Cisco ISE and Umbrella integration. Would like user info to populate in Umbrella

Hi @telecomunicaciones 

 

Logged in users must be part of the AD domain, user information for non-domain joined computers or BYOD devices is not supported. Reference here.

 

HTH

Beginner

Re: Cisco ISE and Umbrella integration. Would like user info to populate in Umbrella

Trying to use the WLC OpenDNS feature isn't working either, apparently it expects that your clients will be hitting the external IPs (208.67.222.222, 208.67.220.220) or should be redirected to the external IPs. However, most of my customers run local Umbrella Virtual Appliances so they can split their DNS, like this:

https://docs.umbrella.com/deployment-umbrella/docs/6-local-dns-forwarding

 

Seems like that paints us back into a corner for all non-AD joined machines, having to do VLAN pushes to different subnets to apply differentiated OpenDNS policies. Quite the disappointment given the promise of the OpenDNS WLC integration feature.