Solved: Syslog generation for Guest network

Asif Akash · ‎02-10-2016

Greetings,

My customer is trying to configure ISE to send events and logs to Solarwinds LEM product which customer has for syslog. In particular Customer is trying to capture logs / syslog showing when someone (user and endpoints) is put into a guest portal mode and capture information related to the enduser and endpoint.

- Does ISE has capability to generate log when an end user and endpoint connect to the guest network?

- If so, does the logs gets generated at different facility level?

Appreciate your time and cooperation.

hslai · ‎02-22-2016

ISE live log shows CWA events for an endpoint and the guest user, when filtering by the endpoint ID (show below).

The same mechanism can be employed at the syslog server side.

Similar to what suggested by jakunst , we have a number of ecosystem partners using syslog or pxGrid to generate better reports, among other things. Splunk, for example, uses syslog but also has custom add-on to help ISE users. See

HowTo-85-Integrating_and_Monitoring_Cisco_ISE_User-Device_C…

View solution in original post

Timothy Abbott · ‎02-12-2016

Asif,

You can accomplish this by sending RADIUS syslogs from ISE to Solarwinds. ISE sends a URL-Redirect AV pair in RADIUS that will have the guest portal used for the user / endpoint.

Regards,

-Tim

Asif Akash · ‎02-19-2016

Hi Tim,

Thank you for the update. As I understood, sending radius syslog sends the redirect URL. However, I was not able to find a way to co-relate redirect URL with identifying the device which is used by a specific username.

Question is can we differentiate syslog message to identify the end device to a username (either using facility code or any builtin syslog which ISE can generate)?

Highly appreciate your assistance on this matter.

Timothy Abbott · ‎02-19-2016

Asif,

You won't be able to determine the username from the URL-redirect portion of the session because in essence, ISE is asking the end user to provide valid credentials via CWA. Once authenticated, ISE can then send the username authenticated which is tied to the calling-station-id (endpoint).

Regards,

Tim

Jason Kunst · ‎02-20-2016

IT maybe also worth your effort to check out cisco stealthwatch reporting mechanisms to see how they can help you with visibility with added integration with pxgrid

hslai · ‎02-22-2016

ISE live log shows CWA events for an endpoint and the guest user, when filtering by the endpoint ID (show below).

The same mechanism can be employed at the syslog server side.

Similar to what suggested by jakunst , we have a number of ecosystem partners using syslog or pxGrid to generate better reports, among other things. Splunk, for example, uses syslog but also has custom add-on to help ISE users. See

HowTo-85-Integrating_and_Monitoring_Cisco_ISE_User-Device_C…

hslai · ‎02-17-2016

Adding to tiabbott, ISE admin web UI has a message catalog to see the how messages are classified. Then, use logging categories to designate individual categories to the remote syslog target.

Facility Code can be set per logging target.