11-12-2018 11:36 PM
I am testing syslog parsing and AD provider on ISE-PIC using DHCP syslog and WMI respectively. I have 2 different Providers - WMI and DHCP syslog. When a client logs in, I see a mapping on ISE-PIC for IP and user name as shown attached.
Now, if I renew the IP lease on the client machine, ISE-PIC also receives a DHCP syslog and it updates the mapping. After this, it removes the username in the live logs and I see only IP and MAC.
This is because the DHCP message doesn't have a username, but shouldn't it just update the existing WMI-based log with the MAC address? Is this expected behaviour?
This is what I read in the admin guide for ISE-PIC, which makes me question whether what I am observing is the right behaviour:
DHCP syslog messages do not contain user names. Therefore, these messages are delivered from the parser with a delay so that can first check users registered in the local session directory (displayed from Live Sessions) and attempt to match those users by their IP addresses to the IP addresses listed in the DHCP syslog messages received, in order to correctly parse and deliver user identity information. If the data received from a DHCP syslog message cannot be matched to any of the currently logged in users, then the message is not parsed and user identity is not delivered.
Is this expected behaviour?
11-13-2018 06:41 AM
If this is a purely passiveID use case, it is not expected behavior. DHCP syslog was designed to do two things in this sense:
1. Provide a layer 2 address in addition to the user to IP mapping learned from AD. Basically, just extra information.
2. Provide ISE / ISE-PIC the ability to prune the session directory if the IP address previously assigned now belongs to a new layer 2 address.
The key thing to understand here is that passiveID (passive authentication) relies on a user to IP mapping to build a session in the directory whereas active authentication (802.1X) requires the MAC address. Please work with the TAC to troubleshoot why the IP address is being replaced with the MAC address.
Regards,
-Tim
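To make the expected behaviour concrete, here is a small model of the session directory described in the answer above and in the quoted admin guide. It is an added example written for this thread, not ISE-PIC code: the session directory is keyed by client IP, an AD/WMI logon creates the user-to-IP mapping, and a DHCP syslog line is matched by IP against that directory. A match enriches the session with the layer-2 address (the username is kept), an IP now seen with a different MAC prunes the stale session, and a line whose IP matches no logged-in user is dropped rather than delivered. The DHCPACK syslog format, the helper names and the sample lines are assumptions constructed for the example; the real format ISE-PIC accepts depends on the DHCP server template configured for the provider.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed ISC dhcpd-style ACK line ("DHCPACK on <ip> to <mac> via <if>").
# This is a constructed format for the example, not the ISE-PIC parser template.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)


@dataclass
class Session:
    ip: str
    user: Optional[str] = None   # learned from the AD/WMI logon event
    mac: Optional[str] = None    # optionally learned from DHCP syslog


class SessionDirectory:
    """Toy model of a passiveID session directory keyed by client IP."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def learn_wmi(self, ip: str, user: str) -> Session:
        """AD/WMI logon: create or refresh the user-to-IP mapping."""
        sess = self.sessions.get(ip)
        if sess is None:
            sess = Session(ip=ip)
            self.sessions[ip] = sess
        sess.user = user
        return sess

    def learn_dhcp(self, ip: str, mac: str) -> Tuple[str, Optional[Session]]:
        """DHCP syslog: match by IP against currently logged-in users."""
        sess = self.sessions.get(ip)
        if sess is None:
            # No logged-in user at this IP: the message is not delivered.
            return "dropped", None
        if sess.mac is None or sess.mac == mac:
            # Same or first-seen layer-2 address: enrich, keep the username.
            sess.mac = mac
            return "enriched", sess
        # The IP now belongs to another layer-2 address: prune the stale session.
        del self.sessions[ip]
        return "pruned", None


def parse_dhcpack(line: str) -> Optional[Tuple[str, str]]:
    """Extract (ip, mac) from a DHCPACK syslog line, or None if it does not match."""
    m = DHCPACK_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("mac").lower()


def apply_dhcp_syslog(directory: SessionDirectory, line: str) -> Tuple[str, Optional[Session]]:
    parsed = parse_dhcpack(line)
    if parsed is None:
        return "unparsed", None
    return directory.learn_dhcp(*parsed)


def demo() -> List[str]:
    """Scripted scenario from the thread: logon, lease renewal, unknown host, IP reassigned."""
    d = SessionDirectory()
    d.learn_wmi("10.1.1.25", "CORP\\alice")  # constructed user/IP
    lines = [  # constructed syslog lines
        "Nov 12 23:36:01 dhcp1 dhcpd: DHCPACK on 10.1.1.25 to 00:11:22:33:44:55 via eth0",
        "Nov 12 23:40:17 dhcp1 dhcpd: DHCPACK on 10.1.1.25 to 00:11:22:33:44:55 via eth0",
        "Nov 12 23:41:02 dhcp1 dhcpd: DHCPACK on 10.1.1.99 to 66:77:88:99:aa:bb via eth0",
        "Nov 13 06:30:44 dhcp1 dhcpd: DHCPACK on 10.1.1.25 to aa:bb:cc:dd:ee:ff via eth0",
    ]
    actions = []
    for line in lines:
        action, sess = apply_dhcp_syslog(d, line)
        actions.append(action)
        if sess is not None:
            # The lease renewal must not blank the username.
            assert sess.user == "CORP\\alice"
    return actions


if __name__ == "__main__":
    print(demo())
```

In this model a lease renewal with the same MAC is an enrichment: the WMI-learned username stays on the session and only the layer-2 address is added. The username disappearing after a renewal, as described in the question, would correspond to the DHCP event replacing the session instead of updating it, which is the behaviour the answer says to raise with the TAC.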