URL Logging for Guest Traffic using Guest Anchor and ISE

Answered Question
Apr 18th, 2012

Hi there all,

I'm looking for a solution whereby I can log URL information for wireless guest users to ISE. The anchor WLC sits in a DMZ behind an ASA and the ISE is on the internal network. I found this document (see URL below) which is similar but using a NAC Guest Server and not an ISE.

I'm wondering if anyone has managed to do this using ISE?

http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080ac2fda.shtml#wlcc

Correct Answer by Eduardo Aliaga, Fri, 04/20/2012 - 22:41

Hello. I have that scenario working successfully. The only thing different from the config of the link provided is that you need to specify the UDP port 20514. Please see the following line:

logging host inside 192.168.215.16 17/20514

Here the number 17 means UDP and the number 20514 is the port number.

Please rate if it helps


marioderosa2008 Fri, 05/04/2012 - 07:14

Hi guys,

I'm really interested in knowing more about this.

How is the information displayed in ISE? By following that document, are you able to produce reports in ISE so that you can see USER ID, IP ADDRESS, TIME & DATE and URL requested? For all guest users?

thanks

Mario

marioderosa2008 Fri, 09/14/2012 - 02:13

Hi, Sorry for the late reply, I have been busy with a Proof Of Concept with the ISE.

I have tried your suggestion and I cannot get the same results as you.

I notice that the logs in your report were generated by an ASA. Do you know whether the same can be done with a switch dACL?

I have this configuration...

dACL

3k-access#sh ip access-list int fa0/1
     permit udp host 10.1.10.103 any eq domain
     permit icmp host 10.1.10.103 any
     permit tcp host 10.1.10.103 host 10.1.100.21 eq 8443
     permit tcp host 10.1.10.103 host 10.1.252.10 eq www log-input
     deny ip host 10.1.10.103 10.1.0.0 0.0.255.255
     permit ip host 10.1.10.103 any

Logging config...

logging esm config
logging trap debugging
logging origin-id ip
logging host 10.1.100.21 transport udp port 20514

With the above configuration, I get a report which shows the syslog messages of successful authentication and download of the dACL, but then when I access a URL, I do not see any events about the URL that was accessed or even the IP that was accessed.

Do you know if this can be done? Maybe I am looking at the wrong report? Can you help?

Mario
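The two posts above compare an ASA syslog feed with a switch dACL entry carrying the log-input keyword. As an added example that is not code from this thread or from any of the posters, the Python below parses one line of each kind and joins them to a user-to-IP table, to show what each log source can and cannot contribute to a "user, IP, time, URL" report. The syslog lines and the session table are constructed; the message formats assumed are the ASA %ASA-5-304001 "Accessed URL" message and the IOS %SEC-6-IPACCESSLOGP message that an ACL entry with log-input produces, taken from general knowledge of those platforms rather than from this page. The dACL name, hostnames and addresses are placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample syslog lines; they are NOT captures from the poster's
# devices. The first follows the ASA %ASA-5-304001 "Accessed URL" message,
# the other two follow the IOS %SEC-6-IPACCESSLOGP message that an ACL entry
# with the log-input keyword produces (hence the interface and source MAC).
SAMPLE_LINES: List[str] = [
    "<165>Sep 14 09:55:02 asa-dmz %ASA-5-304001: 192.168.215.50 Accessed URL "
    "10.1.252.10:http://10.1.252.10/guest/welcome.html",
    "<190>Sep 14 09:55:03 3k-access 12: *Sep 14 09:55:03.101: "
    "%SEC-6-IPACCESSLOGP: list xACSACLx-IP-GUEST-dACL-5051 permitted tcp "
    "10.1.10.103(49337) (FastEthernet0/1 0011.2233.4455) -> 10.1.252.10(80), 1 packet",
    "<190>Sep 14 09:55:04 3k-access 13: *Sep 14 09:55:04.250: "
    "%SEC-6-IPACCESSLOGP: list xACSACLx-IP-GUEST-dACL-5051 denied tcp "
    "10.1.10.103(49338) (FastEthernet0/1 0011.2233.4455) -> 10.1.100.50(445), 1 packet",
]

# Constructed stand-in for the user-to-IP binding ISE learns from RADIUS
# accounting; a real report would read this from the ISE session data.
SESSION_TABLE: Dict[str, str] = {
    "192.168.215.50": "guest01",
    "10.1.10.103": "guest02",
}


@dataclass
class AccessRecord:
    device: str            # "asa" or "ios-acl"
    timestamp: str
    action: str            # "accessed", "permitted" or "denied"
    src_ip: str
    dst_ip: str
    dst_port: int
    url: Optional[str]     # only the ASA 304001 message carries a URL
    user: Optional[str] = None


TS_RE = re.compile(r"^(?:<\d+>)?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})")
# The "user " prefix is optional: the ASA adds it only when it knows the user.
ASA_URL_RE = re.compile(
    r"%ASA-\d-304001: (?:\S+ )?(?P<src>[\d.]+) Accessed URL "
    r"(?P<dst>[\d.]+):\s*(?P<url>\S+)"
)
IOS_ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) "
    r"(?:\(\S+ [0-9a-f.]+\) )?-> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)


def _timestamp(line: str) -> str:
    m = TS_RE.match(line)
    return m["ts"] if m else ""


def parse_line(line: str) -> Optional[AccessRecord]:
    """Turn one syslog line into an AccessRecord, or None if unrecognised."""
    m = ASA_URL_RE.search(line)
    if m:
        parsed = urlparse(m["url"])
        port = parsed.port or (443 if parsed.scheme == "https" else 80)
        return AccessRecord("asa", _timestamp(line), "accessed",
                            m["src"], m["dst"], port, m["url"])
    m = IOS_ACL_RE.search(line)
    if m:
        # The switch ACL log carries the 5-tuple (plus interface and MAC from
        # log-input) but never the requested URL, so url stays None.
        return AccessRecord("ios-acl", _timestamp(line), m["action"],
                            m["src"], m["dst"], int(m["dport"]), None)
    return None


def build_report(lines: List[str], sessions: Dict[str, str]) -> List[AccessRecord]:
    """Parse all lines and attach the user bound to each source IP."""
    report = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            rec.user = sessions.get(rec.src_ip)
            report.append(rec)
    return report


def urls_seen(report: List[AccessRecord]) -> List[str]:
    """URLs the report can actually show; only ASA-sourced records qualify."""
    return [r.url for r in report if r.url]


if __name__ == "__main__":
    for r in build_report(SAMPLE_LINES, SESSION_TABLE):
        print(f"{r.timestamp} {r.user or '?'} {r.src_ip} -> {r.dst_ip}:{r.dst_port} "
              f"{r.action} {r.url or '(no URL: ' + r.device + ' log)'}")
```

Running the block prints one row per line: the ASA row carries the full URL, while the two switch rows carry only destination IP and port, which is the difference between the two log sources that the report needs to account for.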
