04-03-2014 04:29 PM - edited 02-21-2020 05:09 AM
To whoever may help me :)
Problem Description: Mapping of IP addresses to users is not happening.
Scenario: Two pairs of ISE 1.2 with patch 7 and using a CDA patch 2 in order to map users that do not directly log in to Active Directory. I'm using the CDA as a syslog server, receiving the syslog messages from ISE and trying to populate the mapping table.
Tests that I've conducted so far:
- Reloaded the ISE and CDA.
- Changed the security levels of the syslogs
- Removed the Active Directory Servers from CDA so that I could have only one variable, the syslog messages, to troubleshoot.
- Reconfigured ISE to send the syslog messages to a Solarwinds server to troubleshoot the messages (at this point so far so good, I can see the messages sent from ISE to the external syslog server)
- Troubleshot the ports open at CDA and ISE
- Changed the syslog client protocol from UDP to TCP, and vice versa
- Followed the "Installation and Configuration Guide for Cisco Context Directory Agent, Release 1.0" doc
But with nothing that I've done to this point can I see the mappings from users to IP addresses. Does anyone have any clue about this?
I've attached a couple of screenshots for you to see!
DS
04-24-2014 12:17 PM
Is anyone having any luck with TAC or getting this running? I'm still seeing the same issues.
04-25-2014 06:50 AM
I also have the same issue, and during troubleshooting I was pointed to Bug CSCun74460
https://tools.cisco.com/quickview/bug/CSCun74460
It means that mapping could not work due to a timezone issue on the ISE side. Looks like ISE sends RADIUS accounting with an incorrect timestamp.
The workaround is to switch to a non-Daylight Savings timezone.
04-25-2014 03:00 PM
Interesting... I tried changing the timezone and it corrected the daylight savings issue in that both the CDA and ISE syslog timestamp offsets now match... but it's still not creating the mapping. Did the fix work for you?
04-29-2014 12:23 AM
Hi, I also changed the timezone and looked through the support bundle logs and everything looks OK, but mapping still doesn't work.
Has anyone had any luck with mapping?
04-26-2014 11:48 AM
Nothing so far from TAC. They have captured some logs and screenshots and are analysing this issue.
07-16-2014 10:24 AM
Hi,
CDA checks for the RADIUS passed authentication and accounting logs to create a mapping.
1) Make sure the WLC/Switch is sending the accounting logs:
WLC
- radius-server vsa send accounting
- radius-server vsa send authentication
switch
- aaa accounting dot1x default start-stop group radius
- aaa accounting network default start-stop group radius
2) Make sure CDA is added as a syslog and ISE is configured to send passed authentication logs to CDA (as a syslog server).
Do rate if Helpful
Regards,
Kush
12-10-2014 06:58 AM
Just a new update,
I'm troubleshooting this case with Cisco.
BR,
12-10-2014 08:35 AM
Hello Everyone,
A couple of months ago we upgraded to the latest ACS version, which directly has a fix for CDA. After the upgrade we were able to see the logs coming in and being processed correctly in the CDA IP Mappings.
The main issue was that ACS was sending an incorrect time in the syslog message.
03-12-2023 11:12 AM
Hi,
Here is a solution to integrate new ISE versions with CDA: https://www.isecdabroker.com
It really works!