
ISE Guest Traffic Log

ipagliani
Level 1

Ciao,

I'd like to know if there are any other options (referring to https://www.cisco.com/c/en/us/support/docs/security/nac-appliance-clean-access/110304-integrated-url-log.html#wlcc), in order to correlate logs coming from ISE Guest login (USERNAME, SRC IP) with Firewall Internet Access logs (DEST IP, DEST PORT).

Any experience with third-party solutions?

 

Thanks in advance

 

Accepted Solutions

Jason Kunst
Cisco Employee

You can use something similar to this:
https://www.cisco.com/c/en/us/support/docs/security/nac-appliance-clean-access/110304-integrated-url-log.html
https://www.ciscolive.com/global/on-demand-library.html?search=Federico%20Ziliotto#/session/1532112828591001teh9

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_01111.html#reference_054796F788224D9B8615E7B4B6E0EDBB

 

The Master Guest report combines data from various reports into a single view enabling you to export data from different reporting sources. You can add more data columns and remove the ones you do not want to view or export. This report is available at Operations > Reports > Guest Access Reports > Master Guest. It now includes information that used to be in the deprecated Guest Activity Report.

This report collects all guest activity and provides details about the websites that guest users visit. You can use this report for security auditing purposes to see when guest users accessed the network and what they did on it. To view the guests’ Internet activity, such as the URLs of the websites that they visited, you must first:

  • Enable the passed authentications logging category. Choose Administration > System > Logging > Logging Categories and select Passed authentications.
  • Enable these options on the firewall used for guest traffic:
    • Inspect HTTP traffic and send data to Cisco ISE Monitoring node. Cisco ISE requires only the IP address and accessed URL for the Guest Activity report; so, limit the data to include just this information, if possible.
    • Send syslogs to Cisco ISE Monitoring node.


3 Replies

Hi, and thanks for the reply.

Do you know how the non-HTTP traffic will be logged? For example, HTTPS or mail traffic.

And what about the scalability, do you know of any limitation in terms of number of entries?

 

Thanks

However, it wouldn't include SMTP because it's not HTTP. If you're looking for that, then I recommend adding Splunk or another SIEM to log more detailed information, as this is a basic facility. Also, I'm not sure if it works with HTTPS as well, as it says send HTTP per the guide. You can try that out.

 

Researching more.
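
The correlation asked about in this thread (guest USERNAME and SRC IP joined to firewall DEST IP and DEST PORT) can be done outside ISE by matching each firewall record's source IP against the guest session that was active on that IP at that time. The sketch below is an added example, not part of the original thread and not Cisco code; the record layouts, function names and sample values are constructed assumptions, not actual ISE or firewall log formats, and it assumes sessions on one IP do not overlap.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not real ISE or firewall output).
# Guest sessions: username, source IP, session start, session end.
GUEST_SESSIONS = [
    ("guest_anna", "10.10.20.15", "2024-05-01T09:00:00", "2024-05-01T10:00:00"),
    ("guest_bob",  "10.10.20.15", "2024-05-01T10:30:00", "2024-05-01T12:00:00"),
    ("guest_carl", "10.10.20.16", "2024-05-01T09:15:00", "2024-05-01T11:00:00"),
]
# Firewall connections: timestamp, source IP, destination IP, destination port.
FIREWALL_LOG = [
    ("2024-05-01T09:05:00", "10.10.20.15", "198.51.100.7", 443),
    ("2024-05-01T10:45:00", "10.10.20.15", "203.0.113.25", 25),
    ("2024-05-01T10:10:00", "10.10.20.15", "198.51.100.7", 443),
    ("2024-05-01T09:20:00", "10.10.20.16", "203.0.113.80", 993),
]

def build_index(sessions):
    """Group sessions per source IP, sorted by start time."""
    index = defaultdict(list)
    for user, ip, start, end in sessions:
        index[ip].append((datetime.fromisoformat(start),
                          datetime.fromisoformat(end), user))
    for ip in index:
        index[ip].sort()
    return index

def attribute(ts, src_ip, index):
    """Return the guest whose session on src_ip covers ts, else None."""
    spans = index.get(src_ip, [])
    when = datetime.fromisoformat(ts)
    # Latest session that started at or before the connection time.
    pos = bisect_right([s[0] for s in spans], when) - 1
    if pos >= 0 and when <= spans[pos][1]:
        return spans[pos][2]
    return None  # IP was not held by any guest session at that time

def correlate(sessions, firewall_log):
    """Join firewall rows to guest usernames by source IP and time window."""
    index = build_index(sessions)
    return [(attribute(ts, ip, index), ip, dst, port, ts)
            for ts, ip, dst, port in firewall_log]

if __name__ == "__main__":
    for row in correlate(GUEST_SESSIONS, FIREWALL_LOG):
        print(row)
```

Matching on the time window as well as the IP matters because guest addresses are reused: in the sample, 10.10.20.15 belongs to two different guests on the same morning, and a connection between their sessions is left unattributed rather than assigned to the wrong user.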