Cisco Employee

Syslog generation for Guest network

Greetings,

My customer is trying to configure ISE to send events and logs to the Solarwinds LEM product, which the customer has for syslog. In particular, the customer is trying to capture logs / syslog showing when someone (user and endpoint) is put into guest portal mode, and to capture information related to the end user and endpoint.

- Does ISE have the capability to generate a log when an end user and endpoint connect to the guest network?

- If so, do the logs get generated at a different facility level?

Appreciate your time and cooperation.

1 ACCEPTED SOLUTION


ISE live log shows CWA events for an endpoint and the guest user, when filtering by the endpoint ID (shown below).

Screen Shot 2016-02-22 at 6.39.37 PM.png

The same mechanism can be employed at the syslog server side.

Similar to what was suggested by jakunst, we have a number of ecosystem partners using syslog or pxGrid to generate better reports, among other things. Splunk, for example, uses syslog but also has a custom add-on to help ISE users. See


HowTo-85-Integrating_and_Monitoring_Cisco_ISE_User-Device_C…





6 REPLIES
Cisco Employee

Asif,

You can accomplish this by sending RADIUS syslogs from ISE to Solarwinds.  ISE sends a URL-Redirect AV pair in RADIUS that will have the guest portal used for the user / endpoint.

Regards,

-Tim


Hi Tim,

Thank you for the update. As I understood, sending RADIUS syslog sends the redirect URL. However, I was not able to find a way to correlate the redirect URL with identifying the device which is used by a specific username.

The question is, can we differentiate syslog messages to identify the end device for a username (either using a facility code or any built-in syslog which ISE can generate)?

Highly appreciate your assistance on this matter.


Asif,

You won't be able to determine the username from the URL-redirect portion of the session because, in essence, ISE is asking the end user to provide valid credentials via CWA. Once authenticated, ISE can then send the authenticated username, which is tied to the calling-station-id (endpoint).

Regards,

Tim
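
The correlation described in this reply, done on the syslog server side, as an added example that is not part of the original thread and is not Cisco code. The log lines are constructed, and the key=value layout and the field names `UserName`, `Calling-Station-ID` and `cisco-av-pair` are assumptions about how the RADIUS attributes arrive; adjust them to what your ISE deployment actually sends.

```python
import re

# Constructed sample lines, not real ISE output. The key=value layout and the
# field names (UserName, Calling-Station-ID, cisco-av-pair) are assumptions.
SAMPLE_LOG = """\
Feb 22 18:30:01 ise01 UserName=AA-BB-CC-00-11-22, Calling-Station-ID=AA-BB-CC-00-11-22, cisco-av-pair=url-redirect=https://ise01.example.test:8443/portal/guest
Feb 22 18:30:09 ise01 UserName=11-22-33-44-55-66, Calling-Station-ID=11-22-33-44-55-66, cisco-av-pair=url-redirect=https://ise01.example.test:8443/portal/guest
Feb 22 18:31:40 ise01 UserName=jdoe-guest, Calling-Station-ID=aa:bb:cc:00:11:22
"""

# A value runs to the next comma, so "url-redirect=<url>" stays in one piece.
FIELD_RE = re.compile(r"([\w-]+)=([^,\n]*)")


def norm_mac(value):
    """Reduce a MAC in any common notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def correlate(log_text):
    """Map each redirected endpoint to the guest username seen later for it."""
    sessions = {}
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        mac = norm_mac(fields.get("Calling-Station-ID", ""))
        if len(mac) != 12:
            continue  # no usable endpoint ID on this line
        user = fields.get("UserName", "").strip()
        av_pair = fields.get("cisco-av-pair", "")
        if av_pair.startswith("url-redirect="):
            # Redirect phase: the endpoint is known, the guest user is not yet.
            sessions[mac] = {"portal": av_pair.split("=", 1)[1], "user": None}
        elif mac in sessions and user and norm_mac(user) != mac:
            # After CWA: a real username reported for the same endpoint ID.
            sessions[mac]["user"] = user
    return sessions


if __name__ == "__main__":
    for mac, s in correlate(SAMPLE_LOG).items():
        print(mac, s["user"] or "(redirected, no guest login yet)", s["portal"])
```

Endpoints that were redirected but never logged in stay in the result with `user` set to `None`, which is useful for reporting devices sitting on the guest portal.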


It may also be worth your effort to check out Cisco Stealthwatch reporting mechanisms to see how they can help you with visibility, with added integration with pxGrid.

Cisco Employee

Adding to tiabbott, the ISE admin web UI has a message catalog to see how the messages are classified. Then, use logging categories to designate individual categories to the remote syslog target.

Facility Code can be set per logging target.

Screen Shot 2016-02-17 at 12.53.53 PM.png
