cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4074
Views
0
Helpful
5
Replies

WLC RADIUS attribute with Cisco ISE

Hi All,

Does anyone get the same result as me when integrating Cisco ISE with Wireless LAN Controller ?

My Authentication Policy :

     Name: IsGuestAuthen

     IF "WLC_Authentication" THEN "Default Network Access" > "Internal Users"

My Authorization Policy :

     Name: IsGuestAuthen

     IF "Guest" THEN "InternetOnly"

When I monitoring on the Live Authentication page, I can see only the MAC address and a guest account that authenticated. I cannot see the IP address of the guest client. Do you get the same result as me ?

Please advise on how to get the IP address of the guest client to show on the Live Authentication Page.

Thanks,

Pongsatorn Maneesud

5 Replies 5

Tarik Admani
VIP Alumni
VIP Alumni

Hi,

You want the mac address to come through in the access-request because of the radius probe feature. If you change the calling station id to the ip address then you lose the ability to validate the endpoint the client is authenticating through.

However you should be able to go the endpoint database and see the ip address that it was assigned via dhcp.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik,

Can I show both of them in the Live Authentication ?

As I understand, this is the limitation of WLC RADIUS attribute "Frame-IP-Address". Am I right ?

It would be useful if we can see in the same screen due to the correlation information.

Thanks,

Pongsatorn Maneesud

Exactly...here is the list of attributes sent in the access-request from the wlc -

http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_security_sol.html#wp1992129

The framed ip address is sent in the accounting packet which doesnt appear in the live authentication report.

If you are up to speed on rest api's here is some reference material on this:

http://www.cisco.com/en/US/docs/security/ise/1.1/api_ref_guide/ise_api_ref_ch2.html#wp1089826

You can also run radius accounting report and filter it based off of account-start packets which will have the username and the ip address along with the mac address.

Thanks,

Tarik Admani
*Please rate helpful posts*

I have the same problem. Also want to see the guest ip address in the live authentication. We need the correlation between MAC-USER-IP for legal reasons. Was hoping that ISE could solve this, but apparently it can't.

HI gnijs,

Any updated regarding your post. I need the same information from ISE.

thanks

AC