ISE PIC - DHCP syslog provider

manasjai
Cisco Employee

I am testing syslog parsing and the AD provider on ISE-PIC using DHCP syslog and WMI respectively. I have 2 different providers, WMI and DHCP syslog. When a client logs in, I see a mapping on ISE-PIC for IP and user name, as shown attached.
Now, if I renew the IP lease on the client machine, ISE-PIC also receives a DHCP syslog and it updates the mapping. After this, it removes the username in the live logs and I see only IP and MAC.

This is because the DHCP message doesn't have a username, but shouldn't it just update the existing WMI-based log with the MAC address? Is this expected behaviour?
This is what I read in the admin guide for ISE-PIC, which makes me question whether what I am observing is the right behaviour:

DHCP syslog messages do not contain user names. Therefore, these messages are delivered from the parser with a delay so that it can first check users registered in the local session directory (displayed from Live Sessions) and attempt to match those users by their IP addresses to the IP addresses listed in the DHCP syslog messages received, in order to correctly parse and deliver user identity information. If the data received from a DHCP syslog message cannot be matched to any of the currently logged in users, then the message is not parsed and user identity is not delivered.
Is this expected behaviour?

Accepted Solution


Timothy Abbott
Cisco Employee

If this is a purely passiveID use case, it is not expected behavior. DHCP syslog was designed to do two things in this sense:

1. Provide a layer 2 address in addition to the user-to-IP mapping learned from AD. Basically, just extra information.

2. Provide ISE / ISE-PIC the ability to prune the session directory if the IP address previously assigned now belongs to a new layer 2 address.

The key thing to understand here is that passiveID (passive authentication) relies on a user-to-IP mapping to build a session in the directory, whereas active authentication (802.1X) requires the MAC address. Please work with the TAC to troubleshoot why the IP address is being replaced with the MAC address.

Regards,

-Tim

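The two roles the accepted answer gives DHCP syslog (enrich an AD-learned user-to-IP session with the layer 2 address; prune the session when the IP has moved to a different MAC), plus the admin-guide rule that a DHCP message for an IP with no logged-in user is dropped, as an added Python model. This is illustration code written for this page, not ISE / ISE-PIC code and not posted by either participant. The DHCPACK syslog line format is the ISC dhcpd style; the log lines, the user name "alice" and all addresses are constructed for the example. It replays the poster's scenario (AD login, DHCP ack, lease renew on the same MAC, then IP reuse by a new MAC) and shows that the renew keeps the username, which is the behaviour Tim says should be expected.

```python
"""Toy model of the passive-ID session directory described in the accepted answer.

Added example, not ISE / ISE-PIC code.  A WMI (AD) login event creates the
user-to-IP session; a DHCP syslog message may only enrich that session with
the layer 2 address, or prune it when the IP has moved to a different MAC.
A DHCP message for an IP with no logged-in user is not delivered, as the
admin guide excerpt says.  Sample lines, user and addresses are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# ISC dhcpd style: "... DHCPACK on <ip> to <mac> (<hostname>) via <iface>"
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

# Constructed sample syslog lines (not from the thread).
SAMPLE_DHCP_LINES = [
    "Jun  3 10:00:01 dhcp1 dhcpd[1234]: DHCPACK on 10.1.2.3 to AA:BB:CC:DD:EE:01 (lab-pc1) via eth0",
    "Jun  3 10:30:01 dhcp1 dhcpd[1234]: DHCPACK on 10.1.2.3 to AA:BB:CC:DD:EE:01 (lab-pc1) via eth0",
    "Jun  3 11:00:01 dhcp1 dhcpd[1234]: DHCPACK on 10.1.2.3 to AA:BB:CC:DD:EE:02 (lab-pc2) via eth0",
    "Jun  3 11:00:02 dhcp1 dhcpd[1234]: DHCPACK on 10.1.2.99 to AA:BB:CC:DD:EE:03 (guest) via eth0",
]


def parse_dhcpack(line: str) -> Optional[tuple[str, str]]:
    """Return (ip, mac) from a DHCPACK syslog line, or None if it is not one."""
    m = DHCPACK_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("mac").lower()


@dataclass
class Session:
    ip: str
    user: str                   # passive ID: a session exists only because a user maps to this IP
    mac: Optional[str] = None   # filled in later by DHCP syslog, if at all


class SessionDirectory:
    """Keyed by IP, because passive ID builds sessions from user-to-IP mappings."""

    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}

    def ad_login(self, user: str, ip: str) -> None:
        """WMI / AD provider event: user logged in and was seen at this IP."""
        existing = self.sessions.get(ip)
        if existing is not None:
            existing.user = user          # same IP, refresh the identity
        else:
            self.sessions[ip] = Session(ip=ip, user=user)

    def dhcp_syslog(self, line: str) -> str:
        """DHCP syslog provider event. Returns what the directory did with it."""
        parsed = parse_dhcpack(line)
        if parsed is None:
            return "ignored"              # not a lease acknowledgement
        ip, mac = parsed
        session = self.sessions.get(ip)
        if session is None:
            return "unmatched"            # no logged-in user for this IP: not delivered
        if session.mac is None or session.mac == mac:
            session.mac = mac             # role 1: add the L2 address, keep the user
            return "enriched"
        del self.sessions[ip]             # role 2: IP moved to a new MAC, prune stale session
        return "pruned"

    def snapshot(self, ip: str) -> Optional[tuple[str, Optional[str]]]:
        s = self.sessions.get(ip)
        return None if s is None else (s.user, s.mac)


def run_scenario() -> dict:
    """Replay the poster's test: AD login, DHCP ack, lease renew, then IP reuse."""
    d = SessionDirectory()
    r = {}
    d.ad_login("alice", "10.1.2.3")
    r["initial_ack"] = d.dhcp_syslog(SAMPLE_DHCP_LINES[0])
    r["after_initial_ack"] = d.snapshot("10.1.2.3")
    r["renew_same_mac"] = d.dhcp_syslog(SAMPLE_DHCP_LINES[1])
    r["after_renew"] = d.snapshot("10.1.2.3")      # username must survive the renew
    r["ip_reassigned"] = d.dhcp_syslog(SAMPLE_DHCP_LINES[2])
    r["after_reassign"] = d.snapshot("10.1.2.3")   # stale session gone
    r["no_user_for_ip"] = d.dhcp_syslog(SAMPLE_DHCP_LINES[3])
    return r


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The check a practitioner wants from this model is the `after_renew` entry: a lease renewal for the same MAC must leave the user name in place and only carry the MAC along. If a real deployment drops the user on renew, the directory is treating the DHCP message as a replacement for the AD mapping rather than an enrichment of it, which is exactly the symptom Tim says to take to the TAC.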