cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
969
Views
4
Helpful
5
Replies

ISE-PIC user tracking WLC and VPN

jpmorrison
Level 1
Level 1

I have ISE-PIC 2.6 with AD agents installed on domain controllers. 

I am able to see WiFi/WLC and ASA VPN client IP addresses in the ISE-PIC Live sessions but often session info is missing or inaccurate when I compare with the active sessions on the WLC or the ASA.

WiFi and VPN both authenticate to AD with Microsoft NPS - is this enough for ISE-PIC to identify all users? I was under the impression that the agent only picked up domain machines and it would not find other devices even though they use AD credentials for WiFi and VPN.

I tried adding the ASA syslog template but I don't see any additional information - Live session shows all sources as agent. The ASA syslogs look a little different from the ISE docs so maybe ISE is too old to work with newer ASAs.

Do I need to forward NPS logs to ISE-PIC syslog to get complete user/IP info? Will this work better if we switch from NPS to ISE/Radius?

 

1 Accepted Solution

Accepted Solutions

jpmorrison
Level 1
Level 1

I finally managed to get syslog user/IP from ASA and WLC into ISE-PIC

- The ASA needed logging device-id hostname

- I had to setup a custom syslog header in ISE - the example with space delimiter and hostname in position 5 worked for me

The WLC was trickier:

- First enable client logging: config logging syslog facility client authentication

- WLC can only use port 514 and there's all kinds of problems with the WLC output. WLC syslogs have extra spaces which mess up ISE's host detection. There's other junk in its syslogs, not sure if this confuses ISE or not.

ISE-PIC and WLC can't change their syslog ports, so I had to forward to one that can receive from WLC and forward to ISE on the correct port but this is only half the battle! ISE requires an FQDN in the syslog entry (Why?!?) but what isn't documented is that it also inspects the actual syslog entry for the hostname you configured, and discards any that don't match.

After that it's just some regexps to match the WLC to catch the username, ip, domain etc.

nc -u ise-address 40514 is great for testing - you can spoof a syslog from your server. If it works the live sessions will show it within a few seconds with a source of Syslog.

In the end I was able to fixup the WLC syslogs in rsyslogd (open source) to compensate for ISE's lame syslog handling.

This rsyslogd template fixed up the WLC

/etc/rsyslog.d/wlc.conf
# yoursyslogserver: hostname you want to use instead of the real WLC name, needs to match the host in the fqdn you setup in ISE
# %rawmsg:22  skip chars 1-21 of the syslog message to get rid of the real WLC hostname. YMMV
# x.x.x.x IP of the WLC (primary) this helps with duplicates since the standby WLC sends the same logs
# $msg contains - optional - only send logs for the SSID you want

$template newmsg,"<%pri%>%timestamp% yoursyslogserver %rawmsg:22:$%\n"
if ($fromhost-ip=="x.x.x.x" and $msg contains 'SSID:Whatever' ) then @ISE-pic:40514; newmsg

View solution in original post

5 Replies 5

Nancy Saini
Cisco Employee
Cisco Employee

Hi,

ISE-PIC monitors any passive logins with Active Directory using WMI agent. If you have AD instance on ISE configured for Passive ID then you should see active session information on ISE-PIC. Please refer : https://community.cisco.com/t5/security-knowledge-base/configure-ise-pic-to-monitor-ad-using-wmi/ta-p/3638652

Also, ISE-PIC supports creation of custom syslog templates, so you can configure template as per ASA syslog.

I would suggest opening a TAC case to check for missing active sessions on ISE-PIC.

jpmorrison
Level 1
Level 1

Thanks but what I'm not clear about is whether a RADIUS authentication is counted as a login 

I do see WiFi/radius authenticated users in ISE-PIC but is it because it sees the RADIUS auth or is it only seeing Windows clients that also connect to netbios?

jpmorrison
Level 1
Level 1

I finally managed to get syslog user/IP from ASA and WLC into ISE-PIC

- The ASA needed logging device-id hostname

- I had to setup a custom syslog header in ISE - the example with space delimiter and hostname in position 5 worked for me

The WLC was trickier:

- First enable client logging: config logging syslog facility client authentication

- WLC can only use port 514 and there's all kinds of problems with the WLC output. WLC syslogs have extra spaces which mess up ISE's host detection. There's other junk in its syslogs, not sure if this confuses ISE or not.

ISE-PIC and WLC can't change their syslog ports, so I had to forward to one that can receive from WLC and forward to ISE on the correct port but this is only half the battle! ISE requires an FQDN in the syslog entry (Why?!?) but what isn't documented is that it also inspects the actual syslog entry for the hostname you configured, and discards any that don't match.

After that it's just some regexps to match the WLC to catch the username, ip, domain etc.

nc -u ise-address 40514 is great for testing - you can spoof a syslog from your server. If it works the live sessions will show it within a few seconds with a source of Syslog.

In the end I was able to fixup the WLC syslogs in rsyslogd (open source) to compensate for ISE's lame syslog handling.

This rsyslogd template fixed up the WLC

/etc/rsyslog.d/wlc.conf
# yoursyslogserver: hostname you want to use instead of the real WLC name, needs to match the host in the fqdn you setup in ISE
# %rawmsg:22  skip chars 1-21 of the syslog message to get rid of the real WLC hostname. YMMV
# x.x.x.x IP of the WLC (primary) this helps with duplicates since the standby WLC sends the same logs
# $msg contains - optional - only send logs for the SSID you want

$template newmsg,"<%pri%>%timestamp% yoursyslogserver %rawmsg:22:$%\n"
if ($fromhost-ip=="x.x.x.x" and $msg contains 'SSID:Whatever' ) then @ISE-pic:40514; newmsg