Cisco Support Community
New Member

802.1x WLAN auth not showing client ip in win 2008 AD security log

Hello.

I have an ongoing project configuring a Cisco WLAN with 802.1X, where Microsoft Network Policy Server is used for RADIUS authentication.

Configuring the SSID on the WLC and 802.1X on the WLC/RADIUS server works fine; users type in their username and password on a smartphone/iPad etc. and get access to the network.

The problem I'm facing is that I want to log the client's IP address in the RADIUS server's security log, so I can use Cisco Active Directory Agent to find the IP-to-username mapping in IronPort.

The Active Directory Agent checks the domain controller's security log to see which IP address belongs to which user. In this scenario the user is mapped to the WLC IP, not the smartphone/iPad. The result is a lot of users mapped to the WLC IP address, and the logs in Cisco ADA/IronPort are worthless.

Is there any way to configure the WLC/802.1X to send the actual client IP address to the authentication server, and not the WLC's?

5 REPLIES
Cisco Employee


Please configure RADIUS accounting on the WLC to have the required logs on the NPS server.

On the WLC, make sure we have a RADIUS accounting server configured under Security > AAA > RADIUS > Accounting.

After that, go to WLAN, edit the WLAN > Security > AAA Server and enable RADIUS accounting.

Radius accounting on NPS logs

http://technet.microsoft.com/en-us/library/dd197475%28v=ws.10%29.aspx

Regards,

Jatin

~BR Jatin Katyal **Do rate helpful posts**
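Once accounting is enabled, each RADIUS Accounting-Request the WLC sends carries the client's Framed-IP-Address, whereas the Access-Request from the 802.1X authentication only carries the NAS-IP-Address (the WLC itself), which is why the security log shows the WLC. The following added example (not from this thread, Cisco or Microsoft) shows how those two event types differ and how a username-to-client-IP mapping can be pulled from the accounting records. It assumes NPS is writing DTS-compliant (XML) log files, one `<Event>` per line, as described on the linked TechNet page; the element names used below (`Packet-Type`, `Acct-Status-Type`, `Framed-IP-Address`, `User-Name`, `NAS-IP-Address`) follow that format, and the sample events are constructed for illustration. The Start-without-address case is handled because the WLC often sends the accounting Start before the client has completed DHCP, with the address arriving in an Interim-Update.

```python
"""Username -> client IP mapping from NPS (DTS-compliant XML) accounting events.

Added example; assumes the NPS DTS log format with one <Event> per line.
"""
import xml.etree.ElementTree as ET

# RADIUS packet codes (RFC 2865/2866) as NPS records them in Packet-Type.
ACCESS_REQUEST = 1
ACCOUNTING_REQUEST = 4
# Acct-Status-Type values (RFC 2866).
ACCT_START, ACCT_STOP, ACCT_INTERIM = 1, 2, 3

# Constructed sample log (not a real capture): alice authenticates (Access-
# Request, only the WLC address 10.0.0.5 is present), her accounting Start
# arrives before DHCP has finished (no Framed-IP-Address), then an
# Interim-Update carries her address; bob starts and then stops a session.
SAMPLE_LOG = """\
<Event><Timestamp data_type="4">01/01/2014 10:00:00.000</Timestamp><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">EXAMPLE\\alice</User-Name><NAS-IP-Address data_type="3">10.0.0.5</NAS-IP-Address><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">01/01/2014 10:00:01.000</Timestamp><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">EXAMPLE\\alice</User-Name><NAS-IP-Address data_type="3">10.0.0.5</NAS-IP-Address><Packet-Type data_type="0">4</Packet-Type><Acct-Status-Type data_type="0">1</Acct-Status-Type><Acct-Session-Id data_type="1">s1</Acct-Session-Id></Event>
<Event><Timestamp data_type="4">01/01/2014 10:00:31.000</Timestamp><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">EXAMPLE\\alice</User-Name><NAS-IP-Address data_type="3">10.0.0.5</NAS-IP-Address><Framed-IP-Address data_type="3">10.20.30.40</Framed-IP-Address><Packet-Type data_type="0">4</Packet-Type><Acct-Status-Type data_type="0">3</Acct-Status-Type><Acct-Session-Id data_type="1">s1</Acct-Session-Id></Event>
<Event><Timestamp data_type="4">01/01/2014 10:01:00.000</Timestamp><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">EXAMPLE\\bob</User-Name><NAS-IP-Address data_type="3">10.0.0.5</NAS-IP-Address><Framed-IP-Address data_type="3">10.20.30.41</Framed-IP-Address><Packet-Type data_type="0">4</Packet-Type><Acct-Status-Type data_type="0">1</Acct-Status-Type><Acct-Session-Id data_type="1">s2</Acct-Session-Id></Event>
<Event><Timestamp data_type="4">01/01/2014 10:05:00.000</Timestamp><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">EXAMPLE\\bob</User-Name><NAS-IP-Address data_type="3">10.0.0.5</NAS-IP-Address><Framed-IP-Address data_type="3">10.20.30.41</Framed-IP-Address><Packet-Type data_type="0">4</Packet-Type><Acct-Status-Type data_type="0">2</Acct-Status-Type><Acct-Session-Id data_type="1">s2</Acct-Session-Id></Event>
"""


def parse_events(text):
    """Parse one <Event> element per line into a dict of tag -> text."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        root = ET.fromstring(line)
        events.append({child.tag: child.text for child in root})
    return events


def client_ip(event):
    """Client address for an accounting event, or None.

    Access-Request (authentication) events never carry Framed-IP-Address;
    their NAS-IP-Address is the WLC, which is the address the security log
    shows.  An accounting Start may also lack the address if DHCP has not
    completed yet.
    """
    if int(event.get("Packet-Type", 0)) != ACCOUNTING_REQUEST:
        return None
    return event.get("Framed-IP-Address")


def build_ip_map(events):
    """Replay accounting events in order and return {user: client_ip}.

    Start/Interim-Update with an address sets the mapping, Stop clears it,
    so a user whose session has ended is no longer attributed to that IP.
    A user with several devices keeps only the most recent address.
    """
    mapping = {}
    for ev in events:
        ip = client_ip(ev)
        if int(ev.get("Packet-Type", 0)) != ACCOUNTING_REQUEST:
            continue
        user = ev.get("User-Name")
        status = int(ev.get("Acct-Status-Type", 0))
        if status == ACCT_STOP:
            mapping.pop(user, None)
        elif status in (ACCT_START, ACCT_INTERIM) and ip:
            mapping[user] = ip
    return mapping


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for ev in evts:
        print(ev["User-Name"], ev["Packet-Type"], ev.get("Acct-Status-Type"), client_ip(ev))
    print(build_ip_map(evts))
```

Replaying the constructed log leaves only alice mapped (to 10.20.30.40): her authentication and Start events yield no client address, the Interim-Update supplies it, and bob's Stop removes his entry. Whether an agent can consume this depends on the agent; the point of the example is that the accounting log, not the security event log, is where the client address lands.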
New Member


Thank you for replying, Jatin.

After enabling accounting, I can now see the client IP address in the NPS log file.

However, Cisco Active Directory client cannot map the IP against the username unless it's in the Windows security event log. I'm also afraid it has to be a Kerberos authentication, not 802.1X, for it to work.

Any suggestions how to fix this issue? Cisco ADA is in my opinion worthless not supporting 802.1X.

Cisco Employee


I was actually reading this for your above question.

http://tools.cisco.com/squish/bdc553

~BR Jatin Katyal **Do rate helpful posts**

CDA can also act as a syslog

CDA can also act as a syslog server when one or more syslog clients are added. It can connect to Cisco Identity Services Engine (ISE) and Cisco Secure Access Control System (ACS) and receive syslog messages. You can check the live logs to see the syslog messages received. The advantage is integrating CDA with an 802.1X deployment and supporting other devices that are not necessarily authenticated by a Microsoft domain controller.

CDA supports ISE 1.1.x and 1.2 and ACS 5.3 and 5.4 only.

New Member


I'm also having the same dilemma, just curious what if anything you have done to get this to work?
