bricrock
Cisco Employee

pxGrid, EAPOL, and Session Directory information

My understanding is that Stealthwatch consumes Session Directory information from ISE via pxGrid to obtain IP Address, user name, and device information; however, in a wired dot1x environment where only EAPOL is allowed on unauthenticated ports, the endpoint doesn't have an IP address when the session begins.  Thus, Stealthwatch seems to be missing the desired information for these connections.

Is my understanding correct or am I missing something?  If I'm not, is there a way to work around this?

Thank you,

Brian

1 ACCEPTED SOLUTION

Accepted Solutions

If I'm not mistaken, it should be via RADIUS accounting.

Regards,

-Tim


4 REPLIES
hslai
Cisco Employee

If the endpoints have no IP addresses, then they would not be able to go anywhere. Thus, why would we need their info in StealthWatch?

Thanks, hslai; but the client receives an IP address only after successful EAP authentication.  So the question is when/how does Session Directory information get updated?

Tim is correct that the NAD sends RADIUS interim accounting updates to notify ISE that the client's IP has changed. For ISE 2.1+, we see such updates in the RADIUS accounting reports (CSCuz47260).
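
Added example, not part of the original thread and not ISE or Stealthwatch code: a simplified Python model of the mechanism described in the replies above, where a dot1x session starts with no IP address and a later RADIUS Interim-Update supplies it. The attribute numbers come from RFC 2865/2866; the session-table layout, the function names and the sample packets are assumptions constructed for illustration.

```python
import socket
import struct

# Attribute types and Acct-Status-Type values from RFC 2865 / RFC 2866
USER_NAME, FRAMED_IP, CALLING_STATION_ID = 1, 8, 31
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44
START, STOP, INTERIM_UPDATE = 1, 2, 3
ACCOUNTING_REQUEST = 4

def build_acct(ident, attrs):
    """Build a constructed Accounting-Request (zeroed authenticator, sample data only)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH16s", ACCOUNTING_REQUEST, ident, 20 + len(body), b"\x00" * 16) + body

def parse_acct(packet):
    """Parse the 20-byte RADIUS header and the attribute TLVs into {type: value}."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length, _auth = struct.unpack("!BBH16s", packet[:20])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs, pos = {}, 20
    while pos < length:
        if length - pos < 2 or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    if ACCT_STATUS_TYPE not in attrs or ACCT_SESSION_ID not in attrs:
        raise ValueError("missing Acct-Status-Type or Acct-Session-Id")
    return attrs

def apply_accounting(sessions, packet):
    """Update a session table keyed by Acct-Session-Id; return the entry (None on Stop)."""
    a = parse_acct(packet)
    sid = a[ACCT_SESSION_ID].decode()
    if int.from_bytes(a[ACCT_STATUS_TYPE], "big") == STOP:
        sessions.pop(sid, None)
        return None
    entry = sessions.setdefault(sid, {"user": None, "mac": None, "ip": None})
    for key, atype in (("user", USER_NAME), ("mac", CALLING_STATION_ID)):
        if atype in a:
            entry[key] = a[atype].decode()
    if FRAMED_IP in a:  # absent at Start on an EAPOL-only port, present once the NAD learns the IP
        entry["ip"] = socket.inet_ntoa(a[FRAMED_IP])
    return entry

def demo():
    # Constructed sample session: Start without an IP, then an Interim-Update carrying it
    common = [(USER_NAME, b"user1"), (CALLING_STATION_ID, b"00-11-22-33-44-55"), (ACCT_SESSION_ID, b"0A000001")]
    sessions = {}
    before = dict(apply_accounting(sessions, build_acct(1, common + [(ACCT_STATUS_TYPE, struct.pack("!I", START))])))
    after = apply_accounting(sessions, build_acct(2, common + [(ACCT_STATUS_TYPE, struct.pack("!I", INTERIM_UPDATE)), (FRAMED_IP, socket.inet_aton("192.0.2.10"))]))
    return before, after
```

Until the Interim-Update arrives, the entry has a user and MAC but no IP, which is the window in which an IP-keyed consumer of the session data has nothing to match flows against.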
