ISE-PIC Deployment Scenario Fails

mimistry
Cisco Employee

Dear Team,

 

We have deployed an ISE PIC solution for passive ID in our customer network for wired and wireless users. Here are the providers that we are using:

  • WMI
  • Syslog for DHCP
  • Dot1x for wireless – Active authentication.

 

Here are the use cases for which the user mapping should work flawlessly:

  • Wired user moves from one VLAN to another VLAN ( DHCP scope changes)
  • Wireless user moves from one AP to another AP ( DHCP scope changes)
  • Wired user moves to wireless - good.
  • Wireless user moves to wired.

We are having a lot of issues, particularly due to very sparse documentation available around ISE PIC. Here are our concerns:

 

  • Only one custom header can be created. We want to use custom headers for both AP syslog and DHCP syslog. We are unable to use native DHCP parser because we are using NXLOG to send the syslogs.
  • We are unable to get the scenario working where wireless user moves to wired. Since no new Kerberos ticket is opened, how will the mapping change? Here are the steps:
    • Using wireless dot1x, user-IP-MAC mapping is created for wireless.
    • Now the user moves to wired; no logon event will be generated because the user never logged off.
    • If we decide to use DHCP as well for this mapping, the following are the issues:
      • The wireless MAC address would be different from the wired NIC MAC, so ISE PIC won’t know which mapping to replace.
      • Even if we assume that there is an old mapping for wired in ISE PIC and decide to use DHCP for the mapping update, as soon as a DHCP message is received the username gets knocked off from the mapping, as there is no username in the DHCP syslog. Ideally, it would just add the additional info to the mapping instead of removing the user altogether. I think it’s buggy behaviour.
    • For Wired-to-Wired / Wireless-to-Wireless it looks like the same, as we are trying to use DHCP for the mapping update but the username is getting removed by the DHCP syslog.

 

Regards,

Milin.

Accepted Solution

You are correct on the custom header for Syslog providers. My issue was actually my inability to remove the one I set after finding out that the default, detecting the hostname at position 4 with "space" as the separator, sufficed.

I see NXLog has "6.8. Format Converter (pm_transformer)", so you would likely be able to use that so that the hostname is detected at the same position.

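Added example, not from any post in this thread: the accepted solution says the default header template detects the hostname at space-separated position 4, and that a forwarder such as NXLog should reformat lines so the hostname lands there. The Python below models that rule and shows why a forwarder emitting RFC 5424 (IETF) syslog puts the wrong token at position 4, then converts the line to BSD form the way an NXLog pm_transformer with a BSD output format would. Assumptions, not taken from the thread or from Cisco documentation: positions are counted 1-based after the <PRI> field is stripped; the two log lines are constructed samples in Microsoft DHCP server audit-log format; the function names are mine.

```python
"""Model of a 'hostname at position N, space-separated' syslog header template.

Not ISE-PIC code. The position-4 rule comes from the thread; 1-based counting and
PRI stripping are assumptions made for this example.
"""
import re
from datetime import datetime
from typing import Optional

# Assumed default: 4th space-separated token once "<PRI>" has been removed.
HOSTNAME_POSITION = 4

_PRI_RE = re.compile(r"^<\d{1,3}>\s*")

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
_RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\])(?: (?P<msg>.*))?$"
)

# Constructed samples (same DHCP event, two header styles). Field order follows the
# Microsoft DHCP audit log: ID,Date,Time,Description,IP Address,Host Name,MAC Address.
BSD_LINE = (
    "<30>Oct 11 22:14:15 dhcpsrv01 DhcpSrv: "
    "10,10/11/18,22:14:15,Assign,10.1.20.57,ws-0042.example.com,00AABBCCDDEE,"
)
IETF_LINE = (
    "<30>1 2018-10-11T22:14:15.000Z dhcpsrv01 DhcpSrv 1180 - - "
    "10,10/11/18,22:14:15,Assign,10.1.20.57,ws-0042.example.com,00AABBCCDDEE,"
)


def hostname_from_header(line: str, position: int = HOSTNAME_POSITION,
                         separator: str = " ") -> Optional[str]:
    """Return the token a fixed-position template would treat as the hostname.

    Empty tokens are dropped so a space-padded single-digit day ("Oct  1") still
    yields the same position. Returns None if the line is too short.
    """
    body = _PRI_RE.sub("", line, count=1)
    tokens = [t for t in body.split(separator) if t]
    if len(tokens) < position:
        return None
    return tokens[position - 1]


def rfc5424_to_bsd(line: str) -> Optional[str]:
    """Re-emit an RFC 5424 line as BSD syslog so the hostname is the 4th token.

    This is what an NXLog pm_transformer with a BSD/RFC 3164 output format does;
    here it is written out so the position change is visible. Non-5424 input
    returns None rather than being guessed at.
    """
    m = _RFC5424_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    # BSD timestamp: abbreviated month, space-padded day, HH:MM:SS, no year/zone.
    bsd_ts = f"{ts.strftime('%b')} {ts.day:2d} {ts.strftime('%H:%M:%S')}"
    tag = m["app"] if m["procid"] == "-" else f"{m['app']}[{m['procid']}]"
    msg = m["msg"] or ""
    return f"<{m['pri']}>{bsd_ts} {m['host']} {tag}: {msg}".rstrip()


if __name__ == "__main__":
    print("BSD  ->", hostname_from_header(BSD_LINE))             # dhcpsrv01
    print("IETF ->", hostname_from_header(IETF_LINE))            # DhcpSrv (wrong token)
    print("conv ->", hostname_from_header(rfc5424_to_bsd(IETF_LINE)))  # dhcpsrv01
```

With the IETF line the 4th token is the APP-NAME, so a provider keyed on the default template would attribute every DHCP event to a host called "DhcpSrv" (or fail the host match entirely). Converting to BSD form at the forwarder, rather than building a second custom header on the ISE-PIC side, keeps the single default header usable for both the DHCP and the AP syslog feeds.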

3 Replies

hslai
Cisco Employee
  • Only one custom header can be created. We want to use custom headers for both AP syslog and DHCP syslog. We are unable to use native DHCP parser because we are using NXLOG to send the syslogs.

Last I tried this, I was able to create multiple custom headers. Perhaps you meant only one used per syslog template.

On DHCP issue, I found TAC filed CSCvn52886.

The others are known constraints.

Hi Hslai,

 

Thanks for your response.

 

Last I tried this, I was able to create multiple custom headers. Perhaps you meant only one used per syslog template.

 - As per my understanding, we can create only one custom header per syslog template, and in our case we are using two different syslog templates. Please correct me if I am wrong.

 

On DHCP issue, I found TAC filed CSCvn52886

- This was filed by us only.

 

 

Thanks,

Milin.
