Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
712
Views
4
Helpful
5
Replies

ISE-PIC user tracking WLC and VPN

Go to solution
jpmorrison
Level 1
Level 1

‎04-01-2023 10:37 AM

I have ISE-PIC 2.6 with AD agents installed on domain controllers. 

I am able to see WiFi/WLC and ASA VPN client IP addresses in the ISE-PIC Live sessions but often session info is missing or inaccurate when I compare with the active sessions on the WLC or the ASA.

WiFi and VPN both authenticate to AD with Microsoft NPS - is this enough for ISE-PIC to identify all users? I was under the impression that the agent only picked up domain machines and it would not find other devices even though they use AD credentials for WiFi and VPN.

I tried adding the ASA syslog template but I don't see any additional information - Live session shows all sources as agent. The ASA syslogs look a little different from the ISE docs so maybe ISE is too old to work with newer ASAs.

Do I need to forward NPS logs to ISE-PIC syslog to get complete user/IP info? Will this work better if we switch from NPS to ISE/Radius?

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jpmorrison
Level 1
Level 1

‎04-07-2023 01:03 PM

I finally managed to get syslog user/IP from ASA and WLC into ISE-PIC

- The ASA needed logging device-id hostname

- I had to setup a custom syslog header in ISE - the example with space delimiter and hostname in position 5 worked for me

The WLC was trickier:

- First enable client logging: config logging syslog facility client authentication

- WLC can only use port 514 and there's all kinds of problems with the WLC output. WLC syslogs have extra spaces which mess up ISE's host detection. There's other junk in its syslogs, not sure if this confuses ISE or not.

ISE-PIC and WLC can't change their syslog ports, so I had to forward to one that can receive from WLC and forward to ISE on the correct port but this is only half the battle! ISE requires an FQDN in the syslog entry (Why?!?) but what isn't documented is that it also inspects the actual syslog entry for the hostname you configured, and discards any that don't match.

After that it's just some regexps to match the WLC to catch the username, ip, domain etc.

nc -u ise-address 40514 is great for testing - you can spoof a syslog from your server. If it works the live sessions will show it within a few seconds with a source of Syslog.

In the end I was able to fixup the WLC syslogs in rsyslogd (open source) to compensate for ISE's lame syslog handling.

This rsyslogd template fixed up the WLC

/etc/rsyslog.d/wlc.conf
# yoursyslogserver: hostname you want to use instead of the real WLC name, needs to match the host in the fqdn you setup in ISE
# %rawmsg:22  skip chars 1-21 of the syslog message to get rid of the real WLC hostname. YMMV
# x.x.x.x IP of the WLC (primary) this helps with duplicates since the standby WLC sends the same logs
# $msg contains - optional - only send logs for the SSID you want

$template newmsg,"<%pri%>%timestamp% yoursyslogserver %rawmsg:22:$%\n"
if ($fromhost-ip=="x.x.x.x" and $msg contains 'SSID:Whatever' ) then @ISE-pic:40514; newmsg

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Nancy Saini
Cisco Employee
Cisco Employee

‎04-01-2023 11:20 AM

Hi,

ISE-PIC monitors any passive logins with Active Directory using WMI agent. If you have AD instance on ISE configured for Passive ID then you should see active session information on ISE-PIC. Please refer : https://community.cisco.com/t5/security-knowledge-base/configure-ise-pic-to-monitor-ad-using-wmi/ta-p/3638652

Also, ISE-PIC supports creation of custom syslog templates, so you can configure template as per ASA syslog.

I would suggest opening a TAC case to check for missing active sessions on ISE-PIC.

Go to solution
jpmorrison
Level 1
Level 1

‎04-03-2023 10:27 AM

Thanks but what I'm not clear about is whether a RADIUS authentication is counted as a login 

I do see WiFi/radius authenticated users in ISE-PIC but is it because it sees the RADIUS auth or is it only seeing Windows clients that also connect to netbios?

0 Helpful

Go to solution
jpmorrison
Level 1
Level 1

‎04-07-2023 01:03 PM

I finally managed to get syslog user/IP from ASA and WLC into ISE-PIC

- The ASA needed logging device-id hostname

- I had to setup a custom syslog header in ISE - the example with space delimiter and hostname in position 5 worked for me

The WLC was trickier:

- First enable client logging: config logging syslog facility client authentication

- WLC can only use port 514 and there's all kinds of problems with the WLC output. WLC syslogs have extra spaces which mess up ISE's host detection. There's other junk in its syslogs, not sure if this confuses ISE or not.

ISE-PIC and WLC can't change their syslog ports, so I had to forward to one that can receive from WLC and forward to ISE on the correct port but this is only half the battle! ISE requires an FQDN in the syslog entry (Why?!?) but what isn't documented is that it also inspects the actual syslog entry for the hostname you configured, and discards any that don't match.

After that it's just some regexps to match the WLC to catch the username, ip, domain etc.

nc -u ise-address 40514 is great for testing - you can spoof a syslog from your server. If it works the live sessions will show it within a few seconds with a source of Syslog.

In the end I was able to fixup the WLC syslogs in rsyslogd (open source) to compensate for ISE's lame syslog handling.

This rsyslogd template fixed up the WLC

/etc/rsyslog.d/wlc.conf
# yoursyslogserver: hostname you want to use instead of the real WLC name, needs to match the host in the fqdn you setup in ISE
# %rawmsg:22  skip chars 1-21 of the syslog message to get rid of the real WLC hostname. YMMV
# x.x.x.x IP of the WLC (primary) this helps with duplicates since the standby WLC sends the same logs
# $msg contains - optional - only send logs for the SSID you want

$template newmsg,"<%pri%>%timestamp% yoursyslogserver %rawmsg:22:$%\n"
if ($fromhost-ip=="x.x.x.x" and $msg contains 'SSID:Whatever' ) then @ISE-pic:40514; newmsg

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents