Show User Identity in ISE Logging

pagosojayson · ‎07-24-2018

Hi Guys,

I to enable a WLC SSID with the following requirements:

1) Layer 2 security is open.

2) Then users will need to get redirected to a CWA wherein they need to enter their username PW

3) The logs should should should show their usernames as a part of the audit.

Just like to ask if this is possible? If yes can you, kindly lead me guys to how I can do it.

Thanks in advance,

Jayson

Stephen Buck · ‎07-24-2018

Guest portals will do this in ISE. In the logs it lists which guest portal was used and the guest user that was entered during authentication. You configure the SSID with open authentication using MAC filtering and specify Radius server pointing to ISE. Make sure you specify aaa override and ISE NAC under advanced.

pagosojayson · ‎07-24-2018

Hi Stephen,

If I enable MAC filtering on L2 security, where will WLC get the clinet MAC address from? Will it get it from WLC's local DB or will it try to query ISE then for that MAC Address?

Regards,

Jayson

Stephen Buck · ‎07-24-2018

The WLC will get the MAC from the wireless client. No need to enter any MACs on the WLC. When ISE receives the Radius request containing the client's MAC, it looks up the MAC to determine if it's authorized. Authentication will always pass since there is no authentication with MACs. If the MAC isn't preauthorized, typically ISE will return an https redirect to the WLC, which sends the device to an ISE guest portal. Once the user logs in with credentials, this is logged by ISE. This way, you have a way to associate a user to a MAC address.

Jason Kunst · ‎07-25-2018

Did you see this?

https://community.cisco.com/t5/security-documents/ise-guest-access-deployment-guide/ta-p/3640475

pagosojayson · ‎07-29-2018

Hi Jason,

I have not seen this yet but I will go through the documentation. Thanks a lot for this one!