Syslog generation for Guest network

Asif Akash
Cisco Employee

Greetings,

My customer is trying to configure ISE to send events and logs to the Solarwinds LEM product, which the customer has for syslog. In particular, the customer is trying to capture logs / syslog showing when someone (user and endpoint) is put into guest portal mode, and to capture information related to the end user and endpoint.

- Does ISE have the capability to generate a log when an end user and endpoint connect to the guest network?

- If so, do the logs get generated at a different facility level?

Appreciate your time and cooperation.

Accepted Solutions

ISE live log shows CWA events for an endpoint and the guest user, when filtering by the endpoint ID (shown below).

[Image: Screen Shot 2016-02-22 at 6.39.37 PM.png]

The same mechanism can be employed at the syslog server side.

Similar to what was suggested by jakunst, we have a number of ecosystem partners using syslog or pxGrid to generate better reports, among other things. Splunk, for example, uses syslog but also has a custom add-on to help ISE users. See


HowTo-85-Integrating_and_Monitoring_Cisco_ISE_User-Device_C…

6 Replies

Timothy Abbott
Cisco Employee

Asif,

You can accomplish this by sending RADIUS syslogs from ISE to Solarwinds.  ISE sends a URL-Redirect AV pair in RADIUS that will have the guest portal used for the user / endpoint.

Regards,

-Tim

Hi Tim,

Thank you for the update. As I understood, sending RADIUS syslog sends the redirect URL. However, I was not able to find a way to correlate the redirect URL with identifying the device which is used by a specific username.

The question is, can we differentiate syslog messages to identify the end device to a username (either using a facility code or any built-in syslog which ISE can generate)?

Highly appreciate your assistance on this matter.

Asif,

You won't be able to determine the username from the URL-redirect portion of the session because in essence, ISE is asking the end user to provide valid credentials via CWA. Once authenticated, ISE can then send the username authenticated which is tied to the calling-station-id (endpoint).

Regards,

Tim
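
The correlation described in the reply above, done on the syslog server side, as an added example that is not part of the original thread and is not Cisco code: events are grouped by endpoint MAC so the URL-redirect event and the later guest username end up in one record. The log lines are constructed and simplified, and the field names `UserName`, `Calling-Station-ID` and `cisco-av-pair` are assumptions about the key=value attributes in the forwarded RADIUS syslog.

```python
import re

# Constructed, simplified log lines (not verbatim ISE output). The field names
# UserName, Calling-Station-ID and cisco-av-pair are assumptions about the
# key=value attributes in the forwarded RADIUS syslog.
SAMPLE_LINES = [
    "2016-02-22 18:39:01 UserName=00:11:22:AA:BB:CC, Calling-Station-ID=00-11-22-AA-BB-CC, "
    "cisco-av-pair=url-redirect=https://ise.example.test:8443/portal/gateway?sessionId=abc",
    "2016-02-22 18:39:37 UserName=jdoe, Calling-Station-ID=00:11:22:aa:bb:cc",
    "2016-02-22 18:41:10 UserName=66:77:88:99:00:11, Calling-Station-ID=66-77-88-99-00-11, "
    "cisco-av-pair=url-redirect=https://ise.example.test:8443/portal/gateway?sessionId=def",
]

def norm_mac(value):
    """Return a MAC as 12 upper-case hex digits, or None if value is not a MAC."""
    digits = re.sub(r"[-:.]", "", value).upper()
    return digits if re.fullmatch(r"[0-9A-F]{12}", digits) else None

def parse(line):
    """Split '<date> <time> k=v, k=v' into (timestamp, attrs)."""
    date, time, rest = line.split(" ", 2)
    # Split on the first '=' only: the cisco-av-pair value contains '=' itself.
    attrs = dict(p.split("=", 1) for p in rest.split(", ") if "=" in p)
    return f"{date} {time}", attrs

def correlate(lines):
    """Group events by endpoint MAC: redirect first, guest user name later."""
    sessions = {}
    for line in lines:
        ts, attrs = parse(line)
        mac = norm_mac(attrs.get("Calling-Station-ID", ""))
        if mac is None:
            continue
        s = sessions.setdefault(mac, {"redirected_at": None, "portal": None,
                                      "user": None, "user_at": None})
        av = attrs.get("cisco-av-pair", "")
        if av.startswith("url-redirect="):
            s["redirected_at"], s["portal"] = ts, av.split("=", 1)[1]
        user = attrs.get("UserName", "")
        # Before the portal login the user name is assumed to be the MAC (MAB);
        # only a non-MAC name seen after a redirect counts as the guest user.
        if user and norm_mac(user) is None and s["redirected_at"]:
            s["user"], s["user_at"] = user, ts
    return sessions

if __name__ == "__main__":
    for mac, s in correlate(SAMPLE_LINES).items():
        print(mac, s)
```

An endpoint that was redirected but never logged in keeps `user` as `None`, which makes abandoned portal sessions visible in the same report.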

It may also be worth your effort to check out Cisco Stealthwatch reporting mechanisms to see how they can help you with visibility, with added integration with pxGrid.

hslai
Cisco Employee

Adding to tiabbott: the ISE admin web UI has a message catalog to see how messages are classified. Then, use logging categories to designate individual categories to the remote syslog target.

Facility Code can be set per logging target.

[Image: Screen Shot 2016-02-17 at 12.53.53 PM.png]
