Username Attributes sent from ISE to PA FW for URL Filtering

rroulhac
Cisco Employee

All,


I have this request from a partner that is facing a scenario where there is a school that is using ISE to allow students to register their devices, up to three, to get access to the network. Once they register there is no re-registration process. They are attempting to send user information to their Palo Alto, which they use for URL filtering and which only provides IP addresses. They had integrated with ISE to pull the identity information, but for the self-registered devices they are only receiving the MAC address and not the student's name. According to the link below, for wireless devices Cisco ISE sends the user-id information only on the Authentication logs. Since the students are not forced to re-register, it sounds like the log overwrites and there is no username.

They are currently running ISE 1.4 so wanted to know if this behavior has changed in the newer versions or if there is another option to pull data from somewhere other than the log.

https://live.paloaltonetworks.com/t5/Integration-Articles/Integrating-Cisco-ISE-Guest-Authentication-with-PAN-OS/ta-p/98295

--

Grace and Peace,

Robert E Roulhac Jr

Virtual Systems Engineer II

Cisco TSN (Technical Solutions Network)

rroulhac@cisco.com

Office: 919.5745455


3 Replies

Timothy Abbott
Cisco Employee

Robert,

I don't think so.  It sounds like the authentication type is MAB.  With a MAB authentication, you will only get the L2 address.  To get the username, you would need to do 802.1X which would include the username.

Regards,

-Tim

Tim,

I will validate that if they are doing the BYOD flow they aren't using 802.1X or EAP-TLS. If they aren't, then your response makes perfect sense.

Thanks for the quick response.

Rob

Makes sense that this might not be possible to achieve using syslog.

I think with the ISE APIs you can fetch the username from the MAC address, which is populated in the <PortalUser> field.
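As an added illustration of the two points made in this thread (MAB sessions carry only the L2 address in the authentication log, and the registered PortalUser can be looked up by MAC), here is example code that is not from the thread, Cisco or Palo Alto. The syslog lines are constructed in the style of ISE `CISE_Passed_Authentications` messages, the attribute names (`UserName`, `Calling-Station-ID`, `Framed-IP-Address`, `AuthenticationMethod`) are assumed, and the `PORTAL_USERS` dictionary stands in for the ISE API query that would return the PortalUser for a MAC.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed ISE-style passed-authentication syslog fragments (sample data, not real logs).
SAMPLE_LOGS = [
    "CISE_Passed_Authentications 0001 1 0 UserName=jsmith, Calling-Station-ID=00-11-22-33-44-55, "
    "Framed-IP-Address=10.10.1.20, AuthenticationMethod=MSCHAPV2",
    "CISE_Passed_Authentications 0002 1 0 UserName=AA-BB-CC-DD-EE-01, Calling-Station-ID=AA-BB-CC-DD-EE-01, "
    "Framed-IP-Address=10.10.1.21, AuthenticationMethod=Lookup",
    "CISE_Passed_Authentications 0003 1 0 UserName=AA-BB-CC-DD-EE-02, Calling-Station-ID=AA-BB-CC-DD-EE-02, "
    "Framed-IP-Address=10.10.1.22, AuthenticationMethod=Lookup",
]

# Assumed stand-in for the ISE API lookup mentioned in the thread: the PortalUser recorded for a
# self-registered device, keyed by normalised MAC. A real deployment would query ISE here.
PORTAL_USERS: Dict[str, str] = {"aabbccddee01": "student42"}

ATTR_RE = re.compile(r"([A-Za-z][\w-]*)=([^,]+)")
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]?){5}[0-9A-Fa-f]{2}$")


def parse_attrs(line: str) -> Dict[str, str]:
    """Extract Key=Value attributes from one ISE-style syslog line."""
    return {k: v.strip() for k, v in ATTR_RE.findall(line)}


def normalize_mac(mac: str) -> str:
    return re.sub(r"[:-]", "", mac).lower()


def is_mab(attrs: Dict[str, str]) -> bool:
    """MAB sessions present the L2 address as the 'username' (typically AuthenticationMethod=Lookup)."""
    user = attrs.get("UserName", "")
    csid = attrs.get("Calling-Station-ID", "")
    mac_as_user = bool(MAC_RE.match(user)) and normalize_mac(user) == normalize_mac(csid)
    return mac_as_user or attrs.get("AuthenticationMethod") == "Lookup"


def resolve_user(line: str, portal_users: Dict[str, str]) -> Tuple[str, Optional[str], str]:
    """Return (ip, username-or-None, source) for the IP-to-user mapping a firewall would consume."""
    attrs = parse_attrs(line)
    ip = attrs.get("Framed-IP-Address", "")
    if not is_mab(attrs):
        return ip, attrs["UserName"], "802.1X"  # username is present in the authentication log
    user = portal_users.get(normalize_mac(attrs.get("Calling-Station-ID", "")))
    return ip, user, "PortalUser" if user else "unresolved"


if __name__ == "__main__":
    for entry in SAMPLE_LOGS:
        print(resolve_user(entry, PORTAL_USERS))
```

Sessions reported as `unresolved` are the ones that would reach the firewall as IP-only, which is the gap the thread describes.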