CWA on external web server: move endpoint to RegisteredEndpoints

Sergey Sazhin
Cisco Employee

We are going to implement external Web server for guest services, so they will redirect guests to it.

This web server will do self-registration flow as well.

The database of users would be stored on an external web server.

 

The question is:

After a new user is registered on the web portal, the web server should notify ISE to move the user’s endpoint to the “RegisteredEndpoints” group (before it sends the CoA).

How can the external web server get information about the MAC address of the endpoint if it only has the session id and portal from the user’s web request?

 

I don’t think we have existing API call to get MAC address of endpoint by using session id:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/api_ref_guide/api_ref_book/ise_api_ref_ch1.pdf

 

There is one call, but it doesn’t return MAC address of the endpoint:

Searches the database for the latest session that contains the specified audit session ID.

https:///admin/API/mnt/Session/Active/SessionID//0

6 Replies

Timothy Abbott
Cisco Employee

There isn't a method to retrieve the MAC address of an endpoint from the SessionID. The SessionID is made up of three parts: NAS IP Address, Session Count, and Time Stamp.

 

Regards,

-Tim

Hey Tim!

 

In this case, what is the recommended way to achieve what we need on an external web server used for CWA?

How do we tell ISE to place the endpoint in another endpoint group, or at least tell ISE that the endpoint from which the guest user is connecting was successfully authenticated?

Hey Jason

 

1. You mean filter active sessions based on the endpoint's IP as shown below?

https://acme123/ise/mnt/api/Session/EndPointIPAddress/A.B.C.D

 

2. Can we just use filter based on audit session id in this case?

https://acme123/admin/API/mnt/Session/Active/SessionID/0A000A770000006B609A13A9/0

 

At least, it should be MAC address of EP in calling-station-id attribute, right?

https://www.cisco.com/c/en/us/td/docs/security/ise/1-3/api_ref_guide/api_ref_book/ise_api_ref_ch2.html#pgfId-1099385

 

Part of example for data returned by Audit Session ID API Call:

<activeSessionList noOfActiveSession="1">
<activeSession>
<calling_station_id>00:50:56:10:13:02</calling_station_id>
<session_state_bit>0</session_state_bit>
<session_source>0</session_source>
<!-- remaining elements omitted -->
</activeSession>
</activeSessionList>

Sample Data Returned from the Audit Session ID API Call returns XML. Calling-Station-ID is usually the endpoint MAC address for wired and wireless authentications, but please ensure the network devices are sending it that way. For ASA RA-VPN, we should also get the MAC address as the calling-station-id for desktop client OS, such as macOS and Windows, with recent AnyConnect 4.x VPN client. We likely get only the public gateway address of the endpoint client running Android or Apple iOS devices as the calling-station-id.
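The two steps discussed in the thread, fetching the active session by audit session id and pulling the MAC out of calling_station_id, with the caveat from the reply above (Calling-Station-Id is not always a MAC) turned into an explicit check. This is an added example, not code from the thread or from Cisco. It assumes the MNT URL form quoted in the thread (https://<mnt-node>/admin/API/mnt/Session/Active/SessionID/<id>/0), an account allowed to use the MNT API, and a response shaped like the XML sample quoted in the thread; the 8/8/8-hex split in decode_session_id is an assumed layout for the three parts Tim lists, and the host, credentials and sample XML are constructed placeholders.

```python
"""Resolve the endpoint MAC behind a CWA audit session via the ISE MNT API.

Added example; not code from the original thread or from Cisco.
Assumed: the MNT URL form quoted in the thread, an account with MNT API
access, and a response carrying <calling_station_id> as in the thread's
sample XML.  Host, credentials and the sample XML are placeholders.
"""
import base64
import re
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample shaped like the XML quoted in the thread (wired/wireless).
SAMPLE_XML = """<activeSessionList noOfActiveSession="1">
  <activeSession>
    <calling_station_id>00:50:56:10:13:02</calling_station_id>
    <session_state_bit>0</session_state_bit>
    <session_source>0</session_source>
  </activeSession>
</activeSessionList>"""

# Constructed: an RA-VPN session from a mobile OS, where Calling-Station-Id
# carries the client's public gateway address rather than a MAC.
SAMPLE_XML_VPN = SAMPLE_XML.replace("00:50:56:10:13:02", "203.0.113.7")

# Constructed: no session matched the id.
SAMPLE_XML_EMPTY = '<activeSessionList noOfActiveSession="0"/>'

SESSION_ID_RE = re.compile(r"^[0-9A-Fa-f]{24}$")
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")


def validate_session_id(session_id: str) -> str:
    """Accept only the 24-hex-digit form before it is placed in a URL path,
    so a value lifted from a guest's web request cannot alter the request."""
    if not SESSION_ID_RE.match(session_id):
        raise ValueError(f"not a valid audit session id: {session_id!r}")
    return session_id.upper()


def decode_session_id(session_id: str) -> dict:
    """Split the id into the three parts Tim names: NAS IP, session count,
    timestamp.  The 8/8/8 hex layout is an assumption, not from the thread."""
    sid = validate_session_id(session_id)
    nas_ip = ".".join(str(int(sid[i:i + 2], 16)) for i in range(0, 8, 2))
    return {
        "nas_ip": nas_ip,
        "session_count": int(sid[8:16], 16),
        "timestamp": int(sid[16:24], 16),  # seconds since the Unix epoch
    }


def extract_calling_station_id(xml_text: str) -> Optional[str]:
    """Return the raw calling_station_id of the first active session, or None."""
    root = ET.fromstring(xml_text)
    if root.tag != "activeSessionList" or root.get("noOfActiveSession", "0") == "0":
        return None
    elem = root.find("./activeSession/calling_station_id")
    return elem.text.strip() if elem is not None and elem.text else None


def mac_from_session(xml_text: str) -> Optional[str]:
    """Return the endpoint MAC in AA:BB:CC:DD:EE:FF form, or None when the
    Calling-Station-Id is absent or is not a MAC (e.g. a VPN gateway IP), so
    the caller never files a non-MAC value as an endpoint."""
    csid = extract_calling_station_id(xml_text)
    if csid is None or not MAC_RE.match(csid):
        return None
    return csid.replace("-", ":").upper()


def fetch_session_xml(mnt_host: str, session_id: str, user: str, password: str,
                      ctx: Optional[ssl.SSLContext] = None) -> str:
    """GET the active-session record by audit session id (URL form from the thread)."""
    sid = validate_session_id(session_id)
    url = f"https://{mnt_host}/admin/API/mnt/Session/Active/SessionID/{sid}/0"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Placeholders; call fetch_session_xml(mnt_host, sid, user, password)
    # against a real MNT node to work on the live record instead.
    mnt_host, user, password = "acme123", "ise-api-user", "CHANGE-ME"
    sid = "0A000A770000006B609A13A9"  # the session id quoted in the thread
    print(decode_session_id(sid))
    for label, xml in ("wired", SAMPLE_XML), ("vpn-mobile", SAMPLE_XML_VPN):
        print(label, mac_from_session(xml))
```

Only a value that passes mac_from_session should be used for the endpoint-group update that precedes the CoA; when it returns None the portal should fall back to a different identity (or log and stop) rather than treat a gateway IP as an endpoint.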