Not Getting user IP for Wireless Users in Syslog Msgs from ISE

Admin Eastland
Level 1

I'm trying to configure user mappings for a Palo Alto PA3020 and I have selected to have ISE send Authentication Passed Syslogs to the PA3020, but the policies were not being applied. I checked on Solarwinds to see what the Syslog message really looks like and found that the Framed-IP-Address is not in the Syslog message. Do I have the right log selected to send the IP of wireless users? If not, what message do I configure, and if I do, what is the deal with this missing information? I've configured the RADIUS Accounting message too, but that seems to only apply to wired users.

EDIT: Running ISE 2.0

Thanks

Jeff

3 Replies

Admin Eastland
Level 1

Lol...looks like I came to the wrong place to ask this question.

Rahul Govindan
VIP Alumni

You should receive it in the Radius accounting logs. I just tested this with my WLC 8.2 and ISE 2.1 patch 3 for a dot1x session and this is the syslog I see:

03-14-2017    13:44:40    Local7.Notice    192.168.200.75    Mar 14 17:44:40 ise CISE_RADIUS_Accounting 0000000006 2 0 2017-03-14 17:44:40.915 +00:00 0000524142 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=143, Device IP Address=192.168.105.9, RequestLatency=2, NetworkDeviceName=Corp-wlc, User-Name=Rahul.govindan, NAS-IP-Address=192.168.105.9, NAS-Port=13, Framed-IP-Address=192.168.105.202, Class=CACS:c0a869090000542858c82c06:ise/277799795/28710, Called-Station-ID=192.168.105.9, Calling-Station-ID=6c-72-e7-c8-5d-bc, NAS-Identifier=WLC, Acct-Status-Type=Start, Acct-Session-Id=58c82c06/6c:72:e7:c8:5d:bc/53664, Acct-Authentic=RADIUS, Event-Timestamp=1489513480, NAS-Port-Type=Wireless - IEEE 802.11, Framed-IPv6-Prefix=fe80::/64, cisco-av-pair=audit-session-id=c0a869090000542858c82c06, Airespace-Wlan-Id=10, AcsSessionID=ise/277799795/28711, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=15006, Step=11005, NetworkDeviceGroups=Location#All Locations,

So inadvertently your post provided the solution to part of my problem. When I saw you tied to the RADIUS accounting log I went back to ISE and filtered all of my wireless policies in the RADIUS livelog, and then I had my answer. None of my wireless users were reporting IPs (after I added that column). From there it was a simple task of disabling the accounting messages to my DC on my WLC (has a higher index than ISE) so that ISE would be the primary target for accounting messages.

Our old WSA integrated with NPS to AuthZ RADIUS users, so I had to send those messages to the DC that hosted NPS. The WLC sends those accounting messages top down, but I believe it stops at the first one it can communicate with; that is why I was not getting the Syslogs I needed. I wish the WLC would send those messages like "ip dhcp relay address" and send a copy to all hosts listed in the accounting servers list.

Thanks

Jeff
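
Added example, not part of the original thread: a short Python check that parses ISE `CISE_RADIUS_Accounting` syslog lines like the one quoted above and reports which sessions carry a usable `Framed-IP-Address` for user-to-IP mapping and which do not. The function names, the second user and the second and third sample lines are constructed for illustration.

```python
import ipaddress

TAG = "CISE_RADIUS_Accounting"  # syslog category seen in the quoted message

# Constructed sample input: line 1 is a shortened copy of the message quoted in
# the thread; lines 2 and 3 are made up for this example.
SAMPLE = [
    "Mar 14 17:44:40 ise CISE_RADIUS_Accounting 0000000006 2 0 2017-03-14 17:44:40.915 +00:00 0000524142 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=143, Device IP Address=192.168.105.9, User-Name=Rahul.govindan, Framed-IP-Address=192.168.105.202, Calling-Station-ID=6c-72-e7-c8-5d-bc, Acct-Status-Type=Start, cisco-av-pair=audit-session-id=c0a869090000542858c82c06, Step=11004, Step=11017,",
    "Mar 14 17:45:10 ise CISE_RADIUS_Accounting 0000000007 1 0 2017-03-14 17:45:10.101 +00:00 0000524150 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, User-Name=example.user, Calling-Station-ID=00-00-5e-00-53-01, Acct-Status-Type=Start,",
    "Mar 14 17:45:12 ise unrelated-process: nothing to map here",
]

def parse_accounting(line):
    """Return the attribute dict of an ISE RADIUS accounting syslog, or None."""
    if TAG not in line:
        return None
    attrs = {}
    for field in line.split(", "):
        # Split on the first '=' only: values such as cisco-av-pair contain '='.
        key, sep, value = field.partition("=")
        if sep:  # the syslog header segment has no '=' and is skipped
            # Keep the first value of repeated keys such as Step.
            attrs.setdefault(key.strip(), value.strip().rstrip(","))
    return attrs

def user_ip(attrs):
    """Return (user, ip) if the message can feed a user-to-IP mapping, else None."""
    user, raw = attrs.get("User-Name"), attrs.get("Framed-IP-Address")
    if not user or not raw:
        return None
    try:
        ip = ipaddress.ip_address(raw)
    except ValueError:
        return None
    return None if ip.is_unspecified else (user, str(ip))

def audit(lines):
    """Split accounting messages into usable mappings and sessions lacking an IP."""
    mappings, missing = [], []
    for line in lines:
        attrs = parse_accounting(line)
        if attrs is None:
            continue  # not an accounting message
        pair = user_ip(attrs)
        if pair:
            mappings.append(pair)
        else:
            missing.append((attrs.get("User-Name"), attrs.get("Calling-Station-ID")))
    return mappings, missing

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run against a capture of what the syslog receiver actually gets, the `missing` list shows which users and client MACs are arriving without an address.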