manasjai
Cisco Employee

ISE PIC - DHCP syslog provider

I am testing syslog parsing and AD provider on ISE-PIC using DHCP syslog and WMI respectively. I have 2 different providers - WMI and DHCP syslog. When a client logs in, I see a mapping on ISE-PIC for IP and user name as shown attached.

Now, if I renew the IP lease on the client machine, ISE-PIC also receives a DHCP syslog and it updates the mapping. After this, it removes the username in the live logs and I see only IP and MAC.

This is because the DHCP message doesn't have a username, but shouldn't it just update the existing WMI-based log with the MAC address? Is this expected behaviour?

This is what I read in the admin guide for ISE-PIC, which makes me question whether what I am observing is the right behaviour:

DHCP syslog messages do not contain user names. Therefore, these messages are delivered from the parser with a delay so that it can first check users registered in the local session directory (displayed from Live Sessions) and attempt to match those users by their IP addresses to the IP addresses listed in the DHCP syslog messages received, in order to correctly parse and deliver user identity information. If the data received from a DHCP syslog message cannot be matched to any of the currently logged in users, then the message is not parsed and user identity is not delivered.

Is this expected behaviour?

Accepted Solution
Timothy Abbott
Cisco Employee

If this is a purely passiveID use case, it is not expected behavior. DHCP syslog was designed to do two things in this sense:

1. Provide a layer 2 address in addition to the user to IP mapping learned from AD. Basically, just extra information.

2. Provide ISE / ISE-PIC the ability to prune the session directory if the IP address previously assigned now belongs to a new layer 2 address.

The key thing to understand here is that passiveID (passive authentication) relies on a user to IP mapping to build a session in the directory whereas active authentication (802.1X) requires the MAC address. Please work with the TAC to troubleshoot why the IP address is being replaced with the MAC address.

Regards,

-Tim

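The merge rules described in the question (the admin guide excerpt) and in the accepted answer can be modelled in a few lines. The following is an added example, not ISE-PIC code and not from either poster: a toy session directory where a WMI/AD login creates the user-to-IP session, and a DHCP syslog line can only (a) add a layer 2 address to an existing session, (b) prune the session when the same IP is now leased to a different MAC, or (c) be dropped when no logged-in user matches the IP. The parser's delay before matching is not modelled, the `DHCPACK` line format is a constructed sample in ISC dhcpd style (ISE-PIC supports its own set of DHCP server formats), and all IPs, MACs and the user name are made up. The walkthrough replays the scenario from the question: a login, a lease renewal (which keeps the username, the behaviour the answer calls expected), a lease of the same IP to a new MAC, and a DHCP event for an IP nobody is logged in at.

```python
# Toy model of the passive-identity session directory behaviour described in
# this thread (added example, not ISE-PIC code). WMI/AD login events create a
# user-to-IP session; DHCP syslog events only enrich an existing session with a
# layer 2 address, prune it when the IP moves to a new MAC, and are dropped
# when no logged-in user matches the IP.
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in ISC dhcpd style; host, IPs and MACs are made up.
SAMPLE_DHCP_ACK = "Jan 10 09:00:01 dhcp01 dhcpd: DHCPACK on 10.1.1.20 to aa:bb:cc:00:00:01 via eth0"
SAMPLE_DHCP_RENEW = "Jan 10 12:00:01 dhcp01 dhcpd: DHCPACK on 10.1.1.20 to aa:bb:cc:00:00:01 via eth0"
SAMPLE_DHCP_NEW_MAC = "Jan 10 15:00:01 dhcp01 dhcpd: DHCPACK on 10.1.1.20 to aa:bb:cc:00:00:02 via eth0"
SAMPLE_DHCP_UNKNOWN = "Jan 10 15:00:05 dhcp01 dhcpd: DHCPACK on 10.1.1.99 to aa:bb:cc:00:00:03 via eth0"

DHCPACK_RE = re.compile(
    r"DHCPACK on (\d{1,3}(?:\.\d{1,3}){3}) to ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I
)


def parse_dhcp_syslog(line: str) -> Optional[tuple]:
    """Return (ip, mac) from a DHCPACK line, or None if it is not a lease event."""
    m = DHCPACK_RE.search(line)
    if not m:
        return None
    return m.group(1), m.group(2).lower()


@dataclass
class Session:
    ip: str
    user: str                   # learned from AD/WMI; DHCP never supplies this
    mac: Optional[str] = None   # layer 2 address, learned from DHCP syslog


class SessionDirectory:
    def __init__(self) -> None:
        self.by_ip: dict = {}   # ip -> Session

    def on_wmi_login(self, user: str, ip: str) -> Session:
        # Passive ID: the user-to-IP mapping from AD is what creates a session.
        self.by_ip[ip] = Session(ip=ip, user=user)
        return self.by_ip[ip]

    def on_dhcp_syslog(self, line: str) -> str:
        """Apply one DHCP syslog line and report what happened to the directory."""
        parsed = parse_dhcp_syslog(line)
        if parsed is None:
            return "ignored"        # not a lease event this toy parser handles
        ip, mac = parsed
        session = self.by_ip.get(ip)
        if session is None:
            # No currently logged-in user at this IP: not parsed, no identity delivered.
            return "dropped"
        if session.mac in (None, mac):
            session.mac = mac       # enrich: username stays, MAC is added
            return "enriched"
        # Same IP is now leased to a different MAC: the old session is stale.
        del self.by_ip[ip]
        return "pruned"


def walkthrough() -> list:
    """Replay the thread's scenario; return (result, user, mac) after each DHCP line."""
    d = SessionDirectory()
    d.on_wmi_login("alice", "10.1.1.20")
    trace = []
    for line in (SAMPLE_DHCP_ACK, SAMPLE_DHCP_RENEW, SAMPLE_DHCP_NEW_MAC, SAMPLE_DHCP_UNKNOWN):
        result = d.on_dhcp_syslog(line)
        ip, _ = parse_dhcp_syslog(line)
        s = d.by_ip.get(ip)
        trace.append((result, s.user if s else None, s.mac if s else None))
    return trace


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```

In this model the renewal step returns `enriched` with the user still present; a directory that instead dropped the user on renewal would be exhibiting exactly the behaviour the question reports, which the answer says is not the design and is a case for TAC.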