01-22-2020 02:59 PM
I configured ISE to authenticate users in an AD group for VTY access. It is working, but in the live logs I don't see endpoint info like I do for the users connecting through wireless devices on a separate policy below. It doesn't even show MAC address/IP info. What am I missing? In the detailed report it does show the device IP on which the login was done.
Can ISE/the switch be configured to tell from what workstation/IP this login to the switch was initiated? How?
We have the 3850 switch model and ISE is 2.4.
01-22-2020 08:41 PM
RADIUS does not capture the IP address of the device initiating the admin connection to the switch. Connections initiated to the VTY lines are considered a NAS Port Type of Virtual.
The Endpoint IP Address is only available for endpoint authentications and is not gathered directly by the RADIUS protocol but rather by a combination of features on the switch including DHCP Snooping and IP Device Tracking.
TACACS+, however, does capture the IP address of the device initiating an admin connection to the switch (the attribute is 'Remote Address') and is the recommended protocol for Device Admin on devices that support it. In addition to capturing the Remote Address information, TACACS+ separates the Authentication, Authorisation, and Accounting processes, uses TCP for transport, and encrypts the payload.
More information on Device Admin for ISE can be found here:
Cisco ISE Device Administration Prescriptive Deployment Guide
Cheers,
Greg
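To make concrete what the accepted answer means by TACACS+ capturing the 'Remote Address', here is an added example (written for this page, not Cisco's or ISE's code) that builds the TACACS+ authentication START packet a switch sends for a VTY login as laid out in RFC 8907, with the rem_addr field set to the SSH client's IP, applies the shared-key MD5 pseudo-pad obfuscation from RFC 8907 section 4.5, and decodes it the way the server side would. The username, line name (tty2), client IP, session ID and shared key are constructed sample values, not taken from the thread; note that RFC 8907 itself calls the payload protection "obfuscation" rather than encryption.

```python
import hashlib
import struct

# Constants from RFC 8907 (TACACS+ protocol)
TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01

HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length
START_FIXED = struct.Struct("!8B")  # action, priv_lvl, authen_type, authen_service, 4 length bytes


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate and truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad. XOR is its own inverse, so the same call decodes."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: str, port: str, rem_addr: str, priv_lvl: int = 1) -> bytes:
    """Authentication START body. rem_addr is the field ISE reports as 'Remote Address'."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    fixed = START_FIXED.pack(TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                             TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d))
    return fixed + u + p + r + d


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """Wrap a body in the 12-byte header; flags=0 means the body is obfuscated with the key."""
    enc = obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    return HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(enc)) + enc


def parse_authen_start(packet: bytes, key: bytes) -> dict:
    """Server-side decode: read the header, undo the pad, split the variable-length fields."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    if ptype != TAC_PLUS_AUTHEN:
        raise ValueError("not an authentication packet")
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = START_FIXED.unpack_from(body)
    off = START_FIXED.size
    fields = []
    for n in (ul, pl, rl, dl):          # user, port, rem_addr, data, in that order
        fields.append(body[off:off + n])
        off += n
    user, port, rem_addr, _data = fields
    return {
        "session_id": session_id,
        "priv_lvl": priv_lvl,
        "user": user.decode("utf-8", "replace"),
        "port": port.decode("utf-8", "replace"),
        "rem_addr": rem_addr.decode("utf-8", "replace"),
    }


# Constructed sample (assumptions, not from the thread): an admin SSHes from
# 10.20.30.40 to the switch and lands on VTY line tty2.
SHARED_KEY = b"ise-tacacs-secret"
SESSION_ID = 0x1A2B3C4D


def demo() -> dict:
    body = build_authen_start("netadmin", "tty2", "10.20.30.40")
    packet = build_packet(body, SESSION_ID, SHARED_KEY)
    return parse_authen_start(packet, SHARED_KEY)


if __name__ == "__main__":
    print(demo())
```

Running it prints the decoded fields; the rem_addr value is the one ISE surfaces as Remote Address in the TACACS+ live log, whereas, as the answer above explains, a RADIUS Access-Request for the same VTY login is reported with NAS-Port-Type Virtual and carries no equivalent client-address field. Decoding with the wrong shared key yields garbage rather than an error, so a mismatched key on the switch or in the ISE network device entry shows up as unreadable fields, not as a clean rejection.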