URL Logging for Guest Traffic using Guest Anchor and ISE

rhodrijenkins
Level 1

Hi there all,

I'm looking for a solution whereby I can log URL information for wireless guest users to ISE. The anchor WLC sits in a DMZ behind an ASA and the ISE is on the internal network. I found this document (see URL below) which is similar but using a NAC Guest Server and not an ISE.

I'm wondering if anyone has managed to do this using ISE?

http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080ac2fda.shtml#wlcc

Accepted Solutions

Eduardo Aliaga
Level 4

Hello. I have that scenario working successfully. The only thing different from the config of the link provided is that you need to specify the UDP port 20514. Please see the following line:

logging host inside 192.168.215.16 17/20514

Here the number 17 means UDP and the number 20514 is the port number.

Please rate if it helps


Many thanks Ed for your input.

Regards

Rhopd

Hi guys,

I'm really interested in knowing more about this.

How is the information displayed in the ISE? By following that document are you able to produce reports in ISE so that you can see USER ID, IP ADDRESS, TIME & DATE, URL Requested? For all guest users?

thanks

Mario

Hello Mario.

Here's a screenshot of the report. Hope it helps

Hi, Sorry for the late reply, I have been busy with a Proof Of Concept with the ISE.

I have tried your suggestion and I cannot get the same results as you.

I notice that the logs in your report were generated by an ASA. Do you know whether the same can be done with a switch dACL?

I have this configuration...

dACL

3k-access#sh ip access-list int fa0/1

     permit udp host 10.1.10.103 any eq domain

     permit icmp host 10.1.10.103 any

     permit tcp host 10.1.10.103 host 10.1.100.21 eq 8443

     permit tcp host 10.1.10.103 host 10.1.252.10 eq www log-input

     deny ip host 10.1.10.103 10.1.0.0 0.0.255.255

     permit ip host 10.1.10.103 any

Logging config...

logging esm config

logging trap debugging

logging origin-id ip

logging host 10.1.100.21 transport udp port 20514

With the above configuration, I get a report which shows the syslog messages of successful authentication and download of the dACL, but then when I access a URL, I do not see any events about the URL that was accessed or even the IP that was accessed.

Do you know if this can be done? Maybe I am looking at the wrong report? Can you help?

Mario
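
Added example, not part of the original thread and not Cisco code: a small Python check that normalises the two logging host forms quoted above (the ASA 17/20514 form from the accepted answer and the switch "transport udp port 20514" form) and confirms each one points at the expected collector on UDP 20514. The function names and sample configs are constructed for illustration, and the check covers only the syslog destination, not which events the device emits.

```python
import re

# IP protocol numbers as the ASA writes them in "logging host" lines.
PROTOCOLS = {"6": "tcp", "17": "udp", "tcp": "tcp", "udp": "udp"}
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# ASA form (accepted answer): logging host <interface> <ip> [<proto>/<port>]
ASA_RE = re.compile(
    rf"^logging host (?P<ifname>\S+) (?P<ip>{IP})(?: (?P<proto>\w+)/(?P<port>\d+))?$")
# IOS form (switch config): logging host <ip> [transport <proto> [port <port>]]
IOS_RE = re.compile(
    rf"^logging host (?P<ip>{IP})(?: transport (?P<proto>tcp|udp)(?: port (?P<port>\d+))?)?$")

def parse_logging_host(line):
    """Return (ip, transport, port) for one logging host line, else None.
    port is None when the line names no port (the device default applies)."""
    line = " ".join(line.split())  # collapse indentation and runs of spaces
    for regex in (IOS_RE, ASA_RE):
        m = regex.match(line)
        if m:
            # With no protocol on the line, syslog goes out over UDP.
            transport = PROTOCOLS.get(m.group("proto") or "udp")
            if transport is None:
                return None  # protocol number other than 6 (TCP) or 17 (UDP)
            port = int(m.group("port")) if m.group("port") else None
            return (m.group("ip"), transport, port)
    return None

def audit(config_text, collector_ip, port=20514, transport="udp"):
    """Return [(line, verdict)] for every logging host line in a device config."""
    findings = []
    for raw in config_text.splitlines():
        if not raw.strip().startswith("logging host"):
            continue
        parsed = parse_logging_host(raw)
        if parsed is None:
            verdict = "unparsed"
        else:
            verdict = "ok" if parsed == (collector_ip, transport, port) else "mismatch"
        findings.append((raw.strip(), verdict))
    return findings

# Constructed configs: the lines with port 20514 are quoted from the thread;
# the second ASA line (no port given) is made up to show a mismatch.
ASA_CFG = "logging host inside 192.168.215.16 17/20514\nlogging host inside 192.168.215.16\n"
IOS_CFG = "logging trap debugging\nlogging host 10.1.100.21 transport udp port 20514\n"

if __name__ == "__main__":
    for cfg, ip in ((ASA_CFG, "192.168.215.16"), (IOS_CFG, "10.1.100.21")):
        for line, verdict in audit(cfg, ip):
            print(f"{verdict:9} {line}")
```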
