04-18-2012 09:12 AM - edited 03-10-2019 07:01 PM
Hi there all,
I'm looking for a solution whereby I can log URL information for wireless guest users to ISE. The anchor WLC sits in a DMZ behind an ASA and the ISE is on the internal network. I found this document (see URL below) which is similar but using a NAC Guest Server and not an ISE.
I'm wondering if anyone has managed to do this using ISE?
http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080ac2fda.shtml#wlcc
04-20-2012 10:41 PM
Hello. I have that scenario working successfully. The only thing different from the config of the link provided is that you need to specify the UDP port 20514. Please see the following line:
logging host inside 192.168.215.16 17/20514
Here the number 17 means UDP and the number 20514 is the port number.
Please rate if it helps
04-23-2012 12:20 PM
Many thanks Ed for your input.
Regards
Rhopd
05-04-2012 07:14 AM
Hi guys,
I'm really interested in knowing more about this.
How is the information displayed in the ISE? By following that document are you able to produce reports in ISE so that you can see USER ID, IP ADDRESS, TIME & DATE, URL Requested? For all guest users?
thanks
Mario
05-12-2012 08:42 PM
Hello Mario.
Here's a screenshot of the report. Hope it helps
09-14-2012 02:13 AM
Hi, Sorry for the late reply, I have been busy with a Proof Of Concept with the ISE.
I have tried your suggestion and I cannot get the same results as you.
I notice that the logs in your report were generated by an ASA. Do you know whether the same can be done with a switch dACL?
I have this configuration...
dACL
3k-access#sh ip access-list int fa0/1
permit udp host 10.1.10.103 any eq domain
permit icmp host 10.1.10.103 any
permit tcp host 10.1.10.103 host 10.1.100.21 eq 8443
permit tcp host 10.1.10.103 host 10.1.252.10 eq www log-input
deny ip host 10.1.10.103 10.1.0.0 0.0.255.255
permit ip host 10.1.10.103 any
Logging config...
logging esm config
logging trap debugging
logging origin-id ip
logging host 10.1.100.21 transport udp port 20514
With the above configuration, I get a report which shows the syslog messages of successful authentication and download of the dACL, but then when I access a URL, I do not see any events about the URL that was accessed or even the IP that was accessed.
Do you know if this can be done? Maybe I am looking at the wrong report? Can you help?
Mario