12-18-2018 05:52 AM
We are going to implement an external web server for guest services, so they will redirect guests to it.
This web server will do the self-registration flow as well.
The database of users would be stored on an external web server.
The question is:
After a new user is registered on the web portal, the web server should notify ISE to move the user’s endpoint to the “RegisteredEndpoints” group (before it sends CoA).
How can the external web server get information about the MAC address of the endpoint if it only has the session ID and portal from the user’s web request?
I don’t think we have an existing API call to get the MAC address of an endpoint by using the session ID:
There is one call, but it doesn’t return the MAC address of the endpoint:
Searches the database for the latest session that contains the specified audit session ID.
12-18-2018 07:23 AM
There isn't a method to retrieve the MAC address of an endpoint from the SessionID. The SessionID is made up of three parts: NAS IP Address, Session Count, and Time Stamp.
Regards,
-Tim
12-18-2018 07:29 AM
Hey Tim!
In this case, what is the recommended way to achieve what we need on an external web server used for CWA?
How can we tell ISE to place the endpoint in another endpoint group, or at least tell ISE that the endpoint from which the guest user is connecting was successfully authenticated?
12-18-2018 03:11 PM
12-18-2018 03:33 PM
Hey Jason
1. You mean filter active sessions based on the endpoint's IP as shown below?
https://acme123/ise/mnt/api/Session/EndPointIPAddress/A.B.C.D
2. Can we just use a filter based on the audit session ID in this case?
https://acme123/admin/API/mnt/Session/Active/SessionID/0A000A770000006B609A13A9/0
At least, it should be the MAC address of the EP in the calling-station-id attribute, right?
Part of an example of the data returned by the Audit Session ID API call:
12-18-2018 03:37 PM
12-18-2018 05:12 PM
Sample data returned from the Audit Session ID API call is XML. Calling-Station-ID is usually the endpoint MAC address for wired and wireless authentications, but please ensure the network devices are sending it that way. For ASA RA-VPN, we should also get the MAC address as the calling-station-id for desktop client OS, such as macOS and Windows, with a recent AnyConnect 4.x VPN client. We likely get only the public gateway address of the endpoint client running Android or Apple iOS devices as the calling-station-id.
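An added example, not part of the thread and not Cisco's code: before the external portal asks ISE to regroup an endpoint, it can check that the calling station ID in the session XML really is a MAC address and not an IP address, which is the case described above for mobile VPN clients. The XML samples are constructed, and the element name `calling_station_id` and the function name are assumptions.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample responses. The element names are assumptions and must be
# checked against what your ISE version actually returns.
SAMPLE_WIRELESS = """<sessionParameters>
  <user_name>guest01</user_name>
  <calling_station_id>00-0c-29-95-a5-c1</calling_station_id>
  <audit_session_id>0A000A770000006B609A13A9</audit_session_id>
</sessionParameters>"""

SAMPLE_MOBILE_VPN = """<sessionParameters>
  <user_name>guest02</user_name>
  <calling_station_id>203.0.113.10</calling_station_id>
</sessionParameters>"""


def mac_from_session_xml(xml_text):
    """Return the MAC as AA:BB:CC:DD:EE:FF, or None when the calling
    station ID is missing or is not a MAC address."""
    root = ET.fromstring(xml_text)
    raw = (root.findtext(".//calling_station_id") or "").strip()
    if not raw:
        return None
    # Reject IP addresses first: 192.168.100.200 becomes twelve hex-looking
    # digits once the dots are removed and would otherwise pass as a MAC.
    try:
        ipaddress.ip_address(raw)
        return None
    except ValueError:
        pass
    # Accept colon, hyphen, dotted (aabb.ccdd.eeff) and bare notations.
    digits = re.sub(r"[:.\-]", "", raw)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


if __name__ == "__main__":
    for name, xml_text in (("wireless", SAMPLE_WIRELESS),
                           ("mobile VPN", SAMPLE_MOBILE_VPN)):
        mac = mac_from_session_xml(xml_text)
        print(name, "->", mac or "no MAC, do not regroup the endpoint")
```

A `None` result means the portal has no endpoint identity to act on, so it should skip the group change for that session.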