I have successfully integrated Umbrella into my environment (ISE 2.3, WLC5520) and it appears to be working as expected. Umbrella is scraping the domain controller logs looking for events to correlate usernames with IP addresses and this works, even for wireless users that are domain users on domain-joined devices that have unrestricted access to the inside network. When I have domain users sign in on non-domain-joined devices, no user information is populated in Umbrella. My question is, how do I get ISE authentications to generate Umbrella-friendly event IDs on the domain controller?
Event 4624 documents each and every successful attempt to log on to the local computer regardless of logon type, location of the user or type of account.
Event 528 is logged whenever an account logs on to the local computer, except for in the event of network logons. Event 528 is logged whether the account used for logon is a local SAM account or a domain account.
Event 540 gets logged when a user elsewhere on the network connects to a resource (e.g. shared folder) provided by the Server service on this computer.
Event 538 is logged whenever a user logs off, whether from a network connection, interactive logon, or other logon type. (See event 528 for a chart of logon types)
This event signals the end of a logon session and can be correlated back to the logon event 4624 using the Logon ID.
This event also signals the end of a logon session and can be correlated back to the logon event 4624 using the Logon ID.
This event is logged on domain controllers only and both success and failure instances of this event are logged.
Windows uses this event ID for both successful and failed service ticket requests.
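Added example, not part of the thread and not Umbrella's connector code: a Python sketch of turning domain controller 4624 logon events into an IP-to-user map, with logoff events matched back by Logon ID as described above. Logoff event IDs 4634 and 4647 and the field names are taken from the standard Windows Security log; all sample values are constructed, and dropping a mapping on logoff is a choice of this sketch.

```python
LOGON = 4624
LOGOFF = {4634, 4647}          # assumption: the two logoff events described above
NO_ADDRESS = {"", "-", "::1", "127.0.0.1"}

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "alice", "TargetLogonId": "0x3e7a1",
     "IpAddress": "10.1.20.15", "LogonType": 3},
    # Machine account logon from the same host: not a user identity.
    {"EventID": 4624, "TargetUserName": "WS01$", "TargetLogonId": "0x3e7b2",
     "IpAddress": "10.1.20.15", "LogonType": 3},
    {"EventID": 4624, "TargetUserName": "bob", "TargetLogonId": "0x4a001",
     "IpAddress": "10.1.20.31", "LogonType": 3},
    # Service logon with no source address: nothing to map.
    {"EventID": 4624, "TargetUserName": "svc_backup", "TargetLogonId": "0x4a100",
     "IpAddress": "-", "LogonType": 5},
    # Logoff for bob, matched to his logon by Logon ID.
    {"EventID": 4634, "TargetUserName": "bob", "TargetLogonId": "0x4a001"},
]


def build_ip_user_map(events):
    """Return {ip: user} for logon sessions that are still open."""
    sessions = {}  # Logon ID -> (ip, user)
    for ev in events:
        logon_id = ev.get("TargetLogonId")
        if ev["EventID"] == LOGON:
            user = ev.get("TargetUserName", "")
            ip = ev.get("IpAddress", "-")
            if user.endswith("$") or ip in NO_ADDRESS:
                continue  # machine account or no usable source address
            sessions[logon_id] = (ip, user)
        elif ev["EventID"] in LOGOFF:
            sessions.pop(logon_id, None)  # end the session by Logon ID
    # When several sessions share an IP, the most recent logon wins.
    return {ip: user for ip, user in sessions.values()}


def lookup(mapping, ip):
    """Return the mapped user for an IP, or None if no logon event was seen."""
    return mapping.get(ip)


if __name__ == "__main__":
    mapping = build_ip_user_map(SAMPLE_EVENTS)
    print(mapping)
    # A client that never produced a 4624 on the DC has no identity to attach.
    print(lookup(mapping, "10.1.40.77"))
```

A client address that appears in no logon event on the domain controller resolves to nothing in such a map.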
I was hoping for more of a collaborative experience here. I was not even offered the option of deciding if this was an accepted solution. It was simply declared to be accepted with no discussion. What use is this? Seems a little heavy-handed, Cisco.
@r_wideman I also don't agree with the unanimous accepting a solution when the solution has not been solved. It's fair enough to point us to the PM/Feedback Page - but that doesn't make it an accepted solution. One day when the aliens find this forum they will think "wow, all their questions were answered!" ... little do they know ... ;-)
I don't know anything about Umbrella but it has sparked some interest.
If you need a link to submit your feature request then try this
I would like to understand more about the use cases you are trying to solve with ISE and Umbrella integration. Would you be willing to get on a Webex meeting to discuss this?
Yes Hari, I would love to discuss this via Webex. I really think Cisco has an opportunity to improve integration between these two platforms.
Good afternoon! Sorry to see you, but could you solve the issue of logins with out-of-domain computers?
I have the same problem.
The Umbrella connector does not see the events generated by 802.1X authentication.
Thank you very much for the help!
Trying to use the WLC OpenDNS feature isn't working either; apparently it expects that your clients will be hitting the external IPs (18.104.22.168, 22.214.171.124) or should be redirected to the external IPs. However, most of my customers run local Umbrella Virtual Appliances so they can split their DNS, like this:
Seems like that paints us back into a corner for all non-AD joined machines, having to do VLAN pushes to different subnets to apply differentiated OpenDNS policies. Quite the disappointment given the promise of the OpenDNS WLC integration feature.