802.1x WLAN auth not showing client ip in win 2008 AD security log

hallvard.solem
Level 1

Hello.

I have an ongoing project configuring a Cisco WLAN with 802.1X, where Microsoft Network Policy Server is used for RADIUS authentication.

Configuring the SSID on the WLC, and the 802.1X on the WLC/RADIUS server, works fine: users type in their username and password on a smartphone/iPad etc. and get access to the network.

The problem I'm facing is that I want to log the client's IP address in the RADIUS server's security log, so I can use Cisco Active Directory Agent to find the IP-against-username mapping in IronPort.

The Active Directory Agent checks the domain controllers' security log to see which IP address belongs to which user. In this scenario the user is mapped to the WLC IP, not the smartphone/iPad. The result is a lot of users mapped to the WLC IP address, and the logs in Cisco ADA/IronPort are worthless.

Is there any way to configure the WLC/802.1X to send the actual client IP address to the authentication server, and not the WLC's?

5 Replies

Jatin Katyal
Cisco Employee

Please configure RADIUS accounting on the WLC to have the required logs on the NPS server.

On the WLC, make sure we have a RADIUS accounting server configured under Security > AAA > RADIUS > Accounting.

After that, go to WLANs, edit the WLAN > Security > AAA Servers and enable RADIUS accounting.

RADIUS accounting on NPS logs:

http://technet.microsoft.com/en-us/library/dd197475%28v=ws.10%29.aspx

Regards,

Jatin

~Jatin
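Once accounting is enabled as described above, the client address reaches NPS as the Framed-IP-Address attribute of the WLC's Accounting-Request packets, whereas the authentication records only carry NAS-IP-Address, i.e. the WLC itself. The following is an added example, not code from the thread or from Cisco/Microsoft, in Python: it parses constructed records shaped like NPS's DTS-compliant XML log and contrasts the user-to-address view you get from authentication records alone with the IP-to-user mapping you get from accounting records. The field names, packet-type codes and all hosts, users and addresses are assumptions for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample records in the shape of NPS's "DTS Compliant" log
# (one <Event> element per line). Hosts, users and addresses are made up.
# Packet-Type: 1 = Access-Request, 2 = Access-Accept, 4 = Accounting-Request.
# Acct-Status-Type: 1 = Start, 2 = Stop, 3 = Interim-Update.
SAMPLE_LOG = """\
<Event><Packet-Type data_type="0">1</Packet-Type><User-Name data_type="1">CORP\\alice</User-Name><NAS-IP-Address data_type="3">10.0.0.5</NAS-IP-Address><Calling-Station-Id data_type="1">00-11-22-33-44-55</Calling-Station-Id></Event>
<Event><Packet-Type data_type="0">1</Packet-Type><User-Name data_type="1">CORP\\bob</User-Name><NAS-IP-Address data_type="3">10.0.0.5</NAS-IP-Address><Calling-Station-Id data_type="1">66-77-88-99-AA-BB</Calling-Station-Id></Event>
<Event><Packet-Type data_type="0">4</Packet-Type><Acct-Status-Type data_type="0">1</Acct-Status-Type><User-Name data_type="1">CORP\\alice</User-Name><NAS-IP-Address data_type="3">10.0.0.5</NAS-IP-Address><Framed-IP-Address data_type="3">10.20.30.41</Framed-IP-Address></Event>
<Event><Packet-Type data_type="0">4</Packet-Type><Acct-Status-Type data_type="0">3</Acct-Status-Type><User-Name data_type="1">CORP\\bob</User-Name><NAS-IP-Address data_type="3">10.0.0.5</NAS-IP-Address><Framed-IP-Address data_type="3">10.20.30.42</Framed-IP-Address></Event>
<Event><Packet-Type data_type="0">4</Packet-Type><Acct-Status-Type data_type="0">2</Acct-Status-Type><User-Name data_type="1">CORP\\bob</User-Name><NAS-IP-Address data_type="3">10.0.0.5</NAS-IP-Address><Framed-IP-Address data_type="3">10.20.30.42</Framed-IP-Address></Event>
"""

ACCESS_REQUEST, ACCOUNTING_REQUEST = "1", "4"
ACCT_START, ACCT_STOP, ACCT_INTERIM = "1", "2", "3"


def parse_events(text):
    """Yield one {field: value} dict per <Event> line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield {child.tag: child.text for child in ET.fromstring(line)}


def auth_only_map(text):
    """User -> address seen in authentication records: always the NAS (WLC)."""
    return {ev["User-Name"]: ev["NAS-IP-Address"]
            for ev in parse_events(text)
            if ev.get("Packet-Type") == ACCESS_REQUEST}


def accounting_ip_map(text):
    """Client IP -> user from accounting records; a Stop ends the session."""
    mapping = {}
    for ev in parse_events(text):
        if ev.get("Packet-Type") != ACCOUNTING_REQUEST:
            continue
        status, ip, user = (ev.get("Acct-Status-Type"),
                            ev.get("Framed-IP-Address"), ev.get("User-Name"))
        if status in (ACCT_START, ACCT_INTERIM) and ip and user:
            mapping[ip] = user          # Start/Interim carry the client address
        elif status == ACCT_STOP and ip:
            mapping.pop(ip, None)       # session over: drop the stale binding
    return mapping


if __name__ == "__main__":
    print("auth only :", auth_only_map(SAMPLE_LOG))
    print("accounting:", accounting_ip_map(SAMPLE_LOG))
```

The authentication-only view collapses every user onto the WLC address, which is exactly the symptom described in the question; only the accounting records yield per-client addresses.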

Thank you for replying, Jatin.

After enabling accounting, I can now see the client IP address in the NPS log file.

However, the Cisco Active Directory client cannot map the IP against the username unless it's in the Windows security event log. I'm also afraid it has to be a Kerberos authentication, not 802.1X, for it to work.

Any suggestions how to fix this issue? Cisco ADA is in my opinion worthless, not supporting 802.1X.

I was actually reading this for your above question.

http://tools.cisco.com/squish/bdc553

~Jatin

CDA can also act as a syslog server when one or more syslog clients are added. It can connect to Cisco Identity Services Engine (ISE) and Cisco Secure Access Control System (ACS) and receive syslog messages. You can check live logs to see the syslog messages received. The advantage is to integrate CDA with 802.1x deployment and support other devices that are not necessarily authenticated by Microsoft domain controller.

CDA supports ISE 1.1.x and 1.2, and ACS 5.3 and 5.4 only.

I'm also having the same dilemma, just curious what if anything you have done to get this to work?
