Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3781
Views
10
Helpful
6
Replies

Why do we see different MAC address format from ISE

Go to solution
samarthashetty
Level 1
Level 1

‎10-28-2021 07:19 AM

Hi team,

We are seeing a strange issue where logs from ISE are showing different MAC address format in Splunk. If we notice the logs on splunk we see few machines are with xx-xx-xx-xx format however few are xx:xx:xx:xx format. Could any let me know why is this?

 

regards

Sam

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
thomas
Cisco Employee
Cisco Employee
In response to samarthashetty

‎11-30-2021 04:16 PM

ISE can take in MAC addresses of different formats and normalize them.

However, there is no option to uniformly format all MAC addresses in the ISE GUI and and logs to a single, consistent format.

You may submit this as a feature request / enhancement along with your details of the specific logs that you have found that are inconsistent and how it causes problems.

I would think Splunk would easily be able to parse and match MAC addresses with any delimiter.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎10-28-2021 10:09 AM - edited ‎10-28-2021 10:12 AM

This format is an indicator of the Radius attribute 31 known as the Calling-Station-ID.  In ISE radius live logs you can see this in action.  This attribute is seen/used in Access-Request packets during onboarding.  Note that you can also reference this in certain policies within ISE as a condition.  HTH!

Go to solution
samarthashetty
Level 1
Level 1
In response to Mike.Cifelli

‎10-28-2021 10:48 AM

Hi Mike,

 

thank you for information. SO you mean to say calling station ID mac address format in syslog will be xx-xx-xx-xx. Please correct me if i am wrong. thanks!

 

Regards

Sam

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to samarthashetty

‎11-08-2021 07:05 PM

The NAD might have an option to send a specific format. For example, in IOS-XE,

radius-server attribute 31 mac format ietf upper-case

 

0 Helpful

Go to solution
thomas
Cisco Employee
Cisco Employee

‎11-02-2021 12:47 PM

It is possible that different logs output MAC addresses with different delimiters: - or : or nothing at all.

What is the real issue?

0 Helpful

Go to solution
samarthashetty
Level 1
Level 1
In response to thomas

‎11-11-2021 06:40 AM

Hi thomas.. I understand that we may see the MAC address with different format across. All we need is to have uniformity across ISE logging where we can. Please let me know how can we achieve this. 

 

Regards

Samarth

0 Helpful

Go to solution
thomas
Cisco Employee
Cisco Employee
In response to samarthashetty

‎11-30-2021 04:16 PM

ISE can take in MAC addresses of different formats and normalize them.

However, there is no option to uniformly format all MAC addresses in the ISE GUI and and logs to a single, consistent format.

You may submit this as a feature request / enhancement along with your details of the specific logs that you have found that are inconsistent and how it causes problems.

I would think Splunk would easily be able to parse and match MAC addresses with any delimiter.

0 Helpful
Customers Also Viewed These Support Documents