
Cisco ISE and Umbrella integration. Would like user info to populate in Umbrella

r_wideman
Level 4

I have successfully integrated Umbrella into my environment (ISE 2.3, WLC5520) and it appears to be working as expected. Umbrella is scraping the domain controller logs looking for events to correlate usernames with IP addresses and this works, even for wireless users that are domain users on domain-joined devices that have unrestricted access to the inside network. When I have domain users sign in on non-domain-joined devices, no user information is populated in Umbrella. My question is, how do I get ISE authentications to generate Umbrella-friendly event IDs on the domain controller?

 

https://support.umbrella.com/hc/en-us/articles/230902448-Which-Window-Events-EventIDs-is-the-Connector-service-looking-for-

 

| EventID | Description |
|---|---|
| 4624 | Event 4624 documents each and every successful attempt to logon to the local computer regardless of logon type, location of the user or type of account |
| 528 | Event 528 is logged whenever an account logs on to the local computer, except for in the event of network logons. Event 528 is logged whether the account used for logon is a local SAM account or a domain account. |
| 540 | Event 540 gets logged when a user elsewhere on the network connects to a resource (e.g. shared folder) provided by the Server service on this computer. |
| 538 | Event 538 is logged whenever a user logs off, whether from a network connection, interactive logon, or other logon type. (See event 528 for a chart of logon types) |
| 4647 | This event signals the end of a logon session and can be correlated back to the logon event 4624 using the Logon ID |
| 4634 | This event also signals the end of a logon session and can be correlated back to the logon event 4624 using the Logon ID. |
| 4768 | This event is logged on domain controllers only and both success and failure instances of this event are logged. |
| 4769 | Windows uses this event ID for both successful and failed service ticket requests. |
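
An added example, not part of the original post and not the Umbrella connector's code: a simplified Python model of building an IP-to-user map from the modern event IDs listed in the post above, parsing Windows event XML and tying logoffs back to logons by Logon ID. The sample events, user names and addresses are constructed, and dropping a mapping at logoff is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Modern event IDs from the post, split by role (528/538/540 are legacy IDs).
LOGON_IDS = {4624, 4768, 4769}
LOGOFF_IDS = {4634, 4647}

def parse_event(xml_text):
    """Return (event_id, fields) for one <Event> element of Windows event XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    fields = {d.get("Name"): (d.text or "")
              for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, fields

def map_ip_to_user(events_xml):
    """Replay events in order; return {ip: user} for sessions still open."""
    ip_user, logon_ip = {}, {}
    for xml_text in events_xml:
        event_id, f = parse_event(xml_text)
        user = f.get("TargetUserName", "")
        if event_id in LOGON_IDS:
            ip = f.get("IpAddress", "")
            if ip.startswith("::ffff:"):      # IPv4-mapped form seen in 4768/4769
                ip = ip[len("::ffff:"):]
            # Skip machine accounts and events that carry no usable address.
            if user.endswith("$") or ip in ("", "-", "::1", "127.0.0.1"):
                continue
            ip_user[ip] = user
            if "TargetLogonId" in f:          # remember the session for logoff
                logon_ip[f["TargetLogonId"]] = ip
        elif event_id in LOGOFF_IDS:
            ip = logon_ip.pop(f.get("TargetLogonId"), None)
            if ip and ip_user.get(ip) == user:
                del ip_user[ip]
    return ip_user

def make_event(event_id, **data):
    """Build one constructed sample event (not captured from a real DC)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{body}</EventData></Event>')

SAMPLE = [  # constructed events; a client that never logs on to AD adds none
    make_event(4624, TargetUserName="alice", TargetLogonId="0x1a2b", IpAddress="10.0.5.20"),
    make_event(4768, TargetUserName="bob", IpAddress="::ffff:10.0.5.31"),
    make_event(4624, TargetUserName="WKSTN7$", TargetLogonId="0x9f", IpAddress="10.0.5.40"),
    make_event(4634, TargetUserName="alice", TargetLogonId="0x1a2b"),
]
```

A client whose only authentication is 802.1X through ISE contributes no event to this stream, so its address never appears in the returned map.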


Accepted Solutions

hslai
Cisco Employee

This would be a feature request.

If you would like to formulate a solution on your own, please take a look at the sessions topic of ISE pxGrid.


I was hoping for more of a collaborative experience here. I was not even offered the option of deciding if this was an accepted solution. It was simply declared to be accepted with no discussion. What use is this? Seems a little heavy-handed, Cisco.

@r_wideman I also don't agree with the unanimous accepting a solution when the solution has not been solved.  It's fair enough to point us to the PM/Feedback Page - but that doesn't make it an accepted solution.  One day when the aliens find this forum they will think "wow, all their questions were answered!" ... little do they know ... ;-)

 

I don't know anything about Umbrella but it has sparked some interest. 

 

If you need a link to submit your feature request then try this

https://www.ciscofeedback.vovici.com/se.ashx?s=6A5348A7707FD7A6

Hi,

 

I would like to understand more about the use cases you are trying to solve with ISE and Umbrella integration. Would you be willing to get on a Webex meeting to discuss this?

 

Cheers,

Hari

Yes Hari, I would love to discuss this via webex. I really think Cisco has an opportunity to improve integration between these two platforms.

Good afternoon! Sorry to see you, but could you solve the issue of logins with out-of-domain computers?
I am in the same problem.
The events generated by 802.1X for authentication, the Umbrella connector does not see them.

Thank you very much for the help!

Hi @telecomunicaciones 

 

Logged in users must be part of the AD domain, user information for non-domain joined computers or BYOD devices is not supported. Reference here.

 

HTH

Trying to use the WLC OpenDNS feature isn't working either; apparently it expects that your clients will be hitting the external IPs (208.67.222.222, 208.67.220.220) or should be redirected to the external IPs. However, most of my customers run local Umbrella Virtual Appliances so they can split their DNS, like this:

https://docs.umbrella.com/deployment-umbrella/docs/6-local-dns-forwarding

 

Seems like that paints us back into a corner for all non-AD joined machines, having to do VLAN pushes to different subnets to apply differentiated OpenDNS policies. Quite the disappointment given the promise of the OpenDNS WLC integration feature.
