pxGrid, EAPOL, and Session Directory information

bricrock
Cisco Employee

My understanding is that Stealthwatch consumes Session Directory information from ISE via pxGrid to obtain IP Address, user name, and device information; however, in a wired dot1x environment where only EAPOL is allowed on unauthenticated ports, the endpoint doesn't have an IP address when the session begins.  Thus, Stealthwatch seems to be missing the desired information for these connections.

Is my understanding correct or am I missing something?  If I'm not, is there a way to work around this?

Thank you,

Brian

1 Accepted Solution

If I'm not mistaken, it should be via RADIUS accounting.

Regards,

-Tim

4 Replies

hslai
Cisco Employee

If the endpoints have no IP addresses, then they would not be able to go anywhere. Thus, why would we need their info in StealthWatch?

Thanks, hslai; but the client receives an IP address only after successful EAP authentication.  So the question is when/how does Session Directory information get updated?

Tim is correct that NAD sends RADIUS interim accounting updates to notify ISE the client's IP has changed. For ISE 2.1+, we see such updates in the RADIUS accounting reports (CSCuz47260).
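
The mechanism discussed in this thread, as an added example that is not part of the original posts and is not ISE or Stealthwatch code: a RADIUS Accounting-Request parser that keeps a session table keyed on Acct-Session-Id, where the Start record carries no Framed-IP-Address and a later Interim-Update fills it in. Attribute numbers are from RFC 2865/2866; the session table, function names and sample values are assumptions constructed for illustration.

```python
import ipaddress
import struct

# Attribute and code numbers from RFC 2865 / RFC 2866.
USER_NAME, FRAMED_IP, CALLING_STATION_ID = 1, 8, 31
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44
ACCOUNTING_REQUEST, START, STOP, INTERIM_UPDATE = 4, 1, 2, 3

def build_acct(ident, attrs):  # constructed packet, authenticator left as zeros
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH16s", ACCOUNTING_REQUEST, ident, 20 + len(body), b"") + body

def parse_acct(packet):
    """Return {attribute type: raw value}; reject truncated or malformed input."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return attrs

def apply_accounting(sessions, packet):
    """Update the hypothetical session table from one accounting record."""
    a = parse_acct(packet)
    if ACCT_SESSION_ID not in a or len(a.get(ACCT_STATUS_TYPE, b"")) != 4:
        raise ValueError("missing Acct-Session-Id or Acct-Status-Type")
    sid = a[ACCT_SESSION_ID].decode()
    if struct.unpack("!I", a[ACCT_STATUS_TYPE])[0] == STOP:
        return sessions.pop(sid, None)
    entry = sessions.setdefault(sid, {"user": None, "mac": None, "ip": None})
    for key, attr in (("user", USER_NAME), ("mac", CALLING_STATION_ID)):
        if attr in a:
            entry[key] = a[attr].decode()
    if len(a.get(FRAMED_IP, b"")) == 4:  # absent until the endpoint has an address
        entry["ip"] = str(ipaddress.IPv4Address(a[FRAMED_IP]))
    return entry

# Constructed sample records: same session, IP present only in the interim update.
COMMON = [(USER_NAME, b"alice"), (CALLING_STATION_ID, b"00-11-22-33-44-55"),
          (ACCT_SESSION_ID, b"0000002A")]
START_PKT = build_acct(1, COMMON + [(ACCT_STATUS_TYPE, struct.pack("!I", START))])
INTERIM_PKT = build_acct(2, COMMON + [(ACCT_STATUS_TYPE, struct.pack("!I", INTERIM_UPDATE)),
                                      (FRAMED_IP, bytes([192, 0, 2, 25]))])
```

Feeding START_PKT and then INTERIM_PKT into apply_accounting shows the window in which the session exists with a user name and MAC but no IP, which is the gap the original question describes.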