06-22-2019 04:37 AM
Hey Folks,
I have a question regarding ISE accounting report, in the account authentication why some of them are showing RADIUS and some are remote, and why the RADIUS one is showing the username in the identity section while the remote one is showing the MAC address in the identity.
screenshot attached.
Many thanks.
Solved! Go to Solution.
06-24-2019 06:25 PM
That is a very interesting observation - I missed that in your original posting. I just had a look at my lab and I see the same thing. I only have a singe NAS (Cisco WLC) that is sending RADIUS Accounting.
I cannot be 100% sure (because ISE Reports don't contain that data) but it seems that if the RADIUS Authentication was a host lookup (e.g. MAB) then the resulting accounting records will be flagged as 'RADIUS'. If however the authentication was made by AD or such like, then the accounting Report shows "Remote" as the Account Authentication.
06-23-2019 08:30 PM
Let me guess ... this is for a guest solution? If so, then the behaviour is expected because MAB authentication in ISE will never return the guest identity in the Access-Accept to the NAS. It returns the MAC address contained in the original Access-Request.
If you are using ISE 2.4 then you will likely see the correct guest user's name in the Live Logs and in the Authentication reports. But at the RADIUS protocol level, we're dealing with MAC addresses all the time. And this is of course reflected in the RADIUS Accounting :-(
06-24-2019 04:22 AM
06-24-2019 05:19 PM
Hi All, thanks for the reply, did you look at the screenshot ? what is the different between RADIUS and remote ? as in the account authentication field.
Thanks
06-24-2019 06:25 PM
That is a very interesting observation - I missed that in your original posting. I just had a look at my lab and I see the same thing. I only have a singe NAS (Cisco WLC) that is sending RADIUS Accounting.
I cannot be 100% sure (because ISE Reports don't contain that data) but it seems that if the RADIUS Authentication was a host lookup (e.g. MAB) then the resulting accounting records will be flagged as 'RADIUS'. If however the authentication was made by AD or such like, then the accounting Report shows "Remote" as the Account Authentication.
06-29-2019 05:02 PM
Arne Bier is spot on. See RFC 2866 Section 5.6
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide