03-19-2018 02:39 AM - edited 02-21-2020 07:31 AM
Hi,
From our Palo Alto firewall, I am trying to get information from ISE SNMP logs in order to identify users connected to ISE, to give them access to resources... I need to be able to link username and IP address.
Then, I get info from this log (for example):
CISE_RADIUS_Accounting 0000018222 2 0 2018-03-19 10:29:14.575 +01:00 0000939068 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, ConfigVersionId=114, Device IP Address=10.10.10.241, RequestLatency=2, NetworkDeviceName=NAD_10.10.10.241, User-Name=EUROPE\\TESTUSER, NAS-IP-Address=10.10.10.241, NAS-Port=13, Framed-IP-Address=10.20.202.7, Class=CACS:0a4058f100000cbe5aaf7bf8:SJLISE01/309110859/18792, Called-Station-ID=00-a2-89-b9-d9-60, Called-Station-ID=70-6b-b9-7d-3f-80:Boardriders-Employee, Calling-Station-ID=e4-a4-71-50-29-2c, NAS-Identifier=EU-SJL-WLC2504-CA1-1-241, Acct-Status-Type=Interim-Update, Acct-Delay-Time=0, Acct-Input-Octets=1643432, Acct-Output-Octets=9346103, Acct-Session-Id=5aaf7bf8/e4:a4:71:50:29:2c/7968, Acct-Authentic=RADIUS, Acct-Session-Time=1774, Acct-Input-Packets=7687, Acct-Output-Packets=8562, Acct-Input-Gigawords=0, Acct-Output-Gigawords=0, Event-Timestamp=1521451754, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN,
I can link "User-Name=" with "Framed-IP-Address="
But, as we need to treat users with their domains, I need to get the info:
User-Name=EUROPE\TESTUSER, with only 1 backslash !!!
I tried to get the right info with regex manipulations in our Firewall, but no success.
The only way is to get the right info from ISE. Can we change the log format in ISE, removing 1 backslash?
Please Help!
Thanks
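An added example, not part of the original post and not Cisco or Palo Alto code: a parser for the accounting record quoted above that extracts the User-Name to Framed-IP-Address pair and collapses the doubled backslash to one. It assumes the doubled backslash is an escape applied to the attribute value; the function names and the shortened sample record are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: a shortened copy of the accounting record quoted in the post.
SAMPLE = (
    "CISE_RADIUS_Accounting 0000018222 2 0 2018-03-19 10:29:14.575 +01:00 "
    "0000939068 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, "
    "ConfigVersionId=114, Device IP Address=10.10.10.241, "
    r"User-Name=EUROPE\\TESTUSER, NAS-IP-Address=10.10.10.241, NAS-Port=13, "
    "Framed-IP-Address=10.20.202.7, Acct-Status-Type=Interim-Update, "
    "Acct-Session-Id=5aaf7bf8/e4:a4:71:50:29:2c/7968,"
)

# key=value pairs are separated by ", ". A value is a run of escaped characters
# (backslash + any character) or plain characters other than comma and backslash.
# Requiring the leading ", " keeps Framed-IP-Address apart from NAS-IP-Address.
_FIELD = re.compile(
    r"(?:^|, )(User-Name|Framed-IP-Address|Acct-Status-Type)=((?:\\.|[^,\\])*)"
)


def _unescape(value):
    """Collapse each backslash escape to the character it protects."""
    return re.sub(r"\\(.)", r"\1", value).strip()


def user_ip_mapping(line):
    """Return (username, ip, status) for one accounting record, or None."""
    fields = {}
    for key, raw in _FIELD.findall(line):
        fields.setdefault(key, _unescape(raw))  # first occurrence wins
    user = fields.get("User-Name")
    addr = fields.get("Framed-IP-Address")
    if not user or not addr:
        return None  # e.g. a record sent before the client has an address
    try:
        ip = str(ipaddress.ip_address(addr))
    except ValueError:
        return None  # malformed address: do not create a mapping from it
    return user, ip, fields.get("Acct-Status-Type", "")


if __name__ == "__main__":
    print(user_ip_mapping(SAMPLE))
```

Records with no Framed-IP-Address or with an unparsable address return None, so they never produce a user-to-IP mapping.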