cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3231
Views
10
Helpful
6
Replies

Why do we see different MAC address format from ISE

samarthashetty
Level 1
Level 1

Hi team,

We are seeing a strange issue where logs from ISE are showing different MAC address format in Splunk. If we notice the logs on splunk we see few machines are with xx-xx-xx-xx format however few are xx:xx:xx:xx format. Could any let me know why is this?

 

regards

Sam

 

1 Accepted Solution

Accepted Solutions

ISE can take in MAC addresses of different formats and normalize them.

However, there is no option to uniformly format all MAC addresses in the ISE GUI and and logs to a single, consistent format.

You may submit this as a feature request / enhancement along with your details of the specific logs that you have found that are inconsistent and how it causes problems.

I would think Splunk would easily be able to parse and match MAC addresses with any delimiter.

View solution in original post

6 Replies 6

Mike.Cifelli
VIP Alumni
VIP Alumni

This format is an indicator of the Radius attribute 31 known as the Calling-Station-ID.  In ISE radius live logs you can see this in action.  This attribute is seen/used in Access-Request packets during onboarding.  Note that you can also reference this in certain policies within ISE as a condition.  HTH!

Hi Mike,

 

thank you for information. SO you mean to say calling station ID mac address format in syslog will be xx-xx-xx-xx. Please correct me if i am wrong. thanks!

 

Regards

Sam

The NAD might have an option to send a specific format. For example, in IOS-XE,

radius-server attribute 31 mac format ietf upper-case

 

thomas
Cisco Employee
Cisco Employee

It is possible that different logs output MAC addresses with different delimiters: - or : or nothing at all.

What is the real issue?

Hi thomas.. I understand that we may see the MAC address with different format across. All we need is to have uniformity across ISE logging where we can. Please let me know how can we achieve this. 

 

Regards

Samarth

ISE can take in MAC addresses of different formats and normalize them.

However, there is no option to uniformly format all MAC addresses in the ISE GUI and and logs to a single, consistent format.

You may submit this as a feature request / enhancement along with your details of the specific logs that you have found that are inconsistent and how it causes problems.

I would think Splunk would easily be able to parse and match MAC addresses with any delimiter.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: