cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

2911
Views
0
Helpful
5
Replies
Highlighted

WLC RADIUS attribute with Cisco ISE

Hi All,

Does anyone get the same result as me when integrating Cisco ISE with Wireless LAN Controller ?

My Authentication Policy :

     Name: IsGuestAuthen

     IF "WLC_Authentication" THEN "Default Network Access" > "Internal Users"

My Authorization Policy :

     Name: IsGuestAuthen

     IF "Guest" THEN "InternetOnly"

When I monitoring on the Live Authentication page, I can see only the MAC address and a guest account that authenticated. I cannot see the IP address of the guest client. Do you get the same result as me ?

Please advise on how to get the IP address of the guest client to show on the Live Authentication Page.

Thanks,

Pongsatorn Maneesud

Everyone's tags (5)
5 REPLIES 5
Highlighted
Advocate

WLC RADIUS attribute with Cisco ISE

Hi,

You want the mac address to come through in the access-request because of the radius probe feature. If you change the calling station id to the ip address then you lose the ability to validate the endpoint the client is authenticating through.

However you should be able to go the endpoint database and see the ip address that it was assigned via dhcp.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani
*Please rate helpful posts*
Highlighted

WLC RADIUS attribute with Cisco ISE

Tarik,

Can I show both of them in the Live Authentication ?

As I understand, this is the limitation of WLC RADIUS attribute "Frame-IP-Address". Am I right ?

It would be useful if we can see in the same screen due to the correlation information.

Thanks,

Pongsatorn Maneesud

Highlighted
Advocate

WLC RADIUS attribute with Cisco ISE

Exactly...here is the list of attributes sent in the access-request from the wlc -

http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_security_sol.html#wp1992129

The framed ip address is sent in the accounting packet which doesnt appear in the live authentication report.

If you are up to speed on rest api's here is some reference material on this:

http://www.cisco.com/en/US/docs/security/ise/1.1/api_ref_guide/ise_api_ref_ch2.html#wp1089826

You can also run radius accounting report and filter it based off of account-start packets which will have the username and the ip address along with the mac address.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani
*Please rate helpful posts*
Highlighted
Enthusiast

WLC RADIUS attribute with Cisco ISE

I have the same problem. Also want to see the guest ip address in the live authentication. We need the correlation between MAC-USER-IP for legal reasons. Was hoping that ISE could solve this, but apparently it can't.

Highlighted
ajc Frequent Contributor
Frequent Contributor

HI gnijs,Any updated

HI gnijs,

Any updated regarding your post. I need the same information from ISE.

thanks

AC