Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3542
Views
0
Helpful
5
Replies

WLC RADIUS attribute with Cisco ISE

Pongsatorn Maneesud
Level 1
Level 1

‎08-26-2012 09:18 PM - edited ‎03-10-2019 07:27 PM

Hi All,

Does anyone get the same result as me when integrating Cisco ISE with Wireless LAN Controller ?

My Authentication Policy :

     Name: IsGuestAuthen

     IF "WLC_Authentication" THEN "Default Network Access" > "Internal Users"

My Authorization Policy :

     Name: IsGuestAuthen

     IF "Guest" THEN "InternetOnly"

When I monitoring on the Live Authentication page, I can see only the MAC address and a guest account that authenticated. I cannot see the IP address of the guest client. Do you get the same result as me ?

Please advise on how to get the IP address of the guest client to show on the Live Authentication Page.

Thanks,

Pongsatorn Maneesud

1 person had this problem
Labels:
0 Helpful
5 Replies 5

Tarik Admani
VIP Alumni
VIP Alumni

‎08-26-2012 09:23 PM

Hi,

You want the mac address to come through in the access-request because of the radius probe feature. If you change the calling station id to the ip address then you lose the ability to validate the endpoint the client is authenticating through.

However you should be able to go the endpoint database and see the ip address that it was assigned via dhcp.

Thanks,

Tarik Admani
*Please rate helpful posts*

0 Helpful

Pongsatorn Maneesud
Level 1
Level 1
In response to Tarik Admani

‎08-26-2012 09:36 PM

Tarik,

Can I show both of them in the Live Authentication ?

As I understand, this is the limitation of WLC RADIUS attribute "Frame-IP-Address". Am I right ?

It would be useful if we can see in the same screen due to the correlation information.

Thanks,

Pongsatorn Maneesud

0 Helpful

Tarik Admani
VIP Alumni
VIP Alumni
In response to Pongsatorn Maneesud

‎08-26-2012 09:59 PM

Exactly...here is the list of attributes sent in the access-request from the wlc -

http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_security_sol.html#wp1992129

The framed ip address is sent in the accounting packet which doesnt appear in the live authentication report.

If you are up to speed on rest api's here is some reference material on this:

http://www.cisco.com/en/US/docs/security/ise/1.1/api_ref_guide/ise_api_ref_ch2.html#wp1089826

You can also run radius accounting report and filter it based off of account-start packets which will have the username and the ip address along with the mac address.

Thanks,

Tarik Admani
*Please rate helpful posts*

0 Helpful

gnijs
Level 4
Level 4
In response to Tarik Admani

‎11-29-2012 05:43 AM

I have the same problem. Also want to see the guest ip address in the live authentication. We need the correlation between MAC-USER-IP for legal reasons. Was hoping that ISE could solve this, but apparently it can't.

0 Helpful

ajc
Level 7
Level 7
In response to gnijs

‎11-05-2014 01:19 PM

HI gnijs,

Any updated regarding your post. I need the same information from ISE.

thanks

AC

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents