[ISE + CDA ] IP Mappings

David Santos
Level 1

 

 To whomever may help me :)

 

 Problem Description: Mapping IP addresses to users is not happening.

 

 Scenario: Two pairs of ISE 1.2 with patch 7 and a CDA with patch 2, in order to map users that do not directly log in to Active Directory. I'm using the CDA as a syslog server, receiving the syslog messages from ISE and trying to populate the mapping table.

 

Tests that I've conducted so far:

 

 - Reload the ISE and CDA.

 - Changed the security levels of the syslogs

 - Removed the Active Directory Servers from CDA so that I could have only one variable, the syslogs messages, to troubleshoot.

 - Reconfigured ISE to send the syslog messages to a Solarwinds server to troubleshoot the messages ( at this point so far so good, I can see the messages sent from ISE to the external syslog server )

 - Troubleshot the ports open at CDA and ISE

 - Changed the syslog client protocol from UDP to TCP, and vice versa

 - Followed the "Installation and Configuration Guide for Cisco Context Directory Agent, Release 1.0" doc

 

 but nothing I've done up to this point lets me see the mappings from users to IP addresses. Does anyone have any clue about this?

 

I've attached a couple of screenshots for you to see!

 

DS

 

23 Replies

Is anyone having any luck with TAC or getting this running? I'm still seeing the same issues.

I also have the same issue, and during troubleshooting I was pointed to Bug CSCun74460
https://tools.cisco.com/quickview/bug/CSCun74460 


It means that mapping could not work due to a timezone issue on the ISE side. It looks like ISE sends RADIUS accounting with an incorrect timestamp.
The workaround is to switch to a non-Daylight-Savings timezone.

 

Interesting... I tried changing the timezone and it corrected the daylight savings issue, in that both the CDA and ISE syslog timestamp offsets now match... but it's still not creating the mapping. Did the fix work for you?

Hi, I also changed timezone and looked through support bundle logs and everything looks ok but mapping still doesn't work.

Does someone have any luck with mapping?

 

 

Nothing so far from TAC. They have captured some log and screenshots and are analysing this issue.

 

 

kushsriva
Level 1

Hi,

 

CDA checks the RADIUS passed authentication and accounting logs to create a mapping.

 

1). Make sure the WLC/Switch is sending the accounting logs:

WLC
- radius-server vsa send accounting 
- radius-server vsa send authentication

switch
- aaa accounting dot1x default start-stop group radius
- aaa accounting network default start-stop group radius

 

2). Make sure CDA is added as a syslog and ISE is configured to send passed authentication logs to CDA (as a syslog server).

 

 

Do rate if helpful

 

 

Regards,

Kush
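The two replies above describe the same pipeline from opposite ends: CDA builds its user-to-IP table from the passed-authentication records ISE forwards over syslog, and the mapping silently fails when the timestamp ISE stamps on those records carries the wrong UTC offset. The added example below (not from the thread, not Cisco code) shows how a defender can check an exported syslog sample for both conditions before opening a TAC case. The record layout and every host name, user and address in it are constructed approximations of the ISE "CISE_Passed_Authentications" format, not captured data.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed sample in the approximate shape of ISE passed-authentication
# syslog records. The "-02:00" on the second line is the DST-shifted offset
# the bug report describes; the third line is a failed attempt, which CDA
# never turns into a mapping.
SAMPLE_SYSLOG = """\
<181>Mar 10 09:15:02 ise-pan-1 CISE_Passed_Authentications 0000000101 1 0 2014-03-10 09:15:02.117 -03:00 0000000201 5200 NOTICE Passed-Authentication: Authentication succeeded, UserName=dsantos, Framed-IP-Address=10.10.20.15, NAS-IP-Address=10.10.1.1
<181>Mar 10 09:15:40 ise-pan-1 CISE_Passed_Authentications 0000000102 1 0 2014-03-10 09:15:40.402 -02:00 0000000202 5200 NOTICE Passed-Authentication: Authentication succeeded, UserName=kush, Framed-IP-Address=10.10.20.16, NAS-IP-Address=10.10.1.1
<181>Mar 10 09:16:05 ise-pan-1 CISE_Failed_Attempt 0000000103 1 0 2014-03-10 09:16:05.000 -03:00 0000000203 5400 NOTICE Failed-Attempt: Authentication failed, UserName=guest, NAS-IP-Address=10.10.1.1
"""

# Only passed authentications that carry a Framed-IP-Address can map a user to an IP.
RECORD_RE = re.compile(
    r"CISE_Passed_Authentications .*? "
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ (?P<off>[+-]\d{2}:\d{2}) .*?"
    r"UserName=(?P<user>[^,]+), .*?Framed-IP-Address=(?P<ip>[^,\s]+)"
)


def parse_offset(off: str) -> timedelta:
    """Turn a '+HH:MM' / '-HH:MM' field into a timedelta."""
    sign = -1 if off.startswith("-") else 1
    hours, minutes = off[1:].split(":")
    return sign * timedelta(hours=int(hours), minutes=int(minutes))


def event_utc(ts: str, off: str) -> datetime:
    """Normalise a record's local timestamp and offset to UTC (what the receiver compares against)."""
    tz = timezone(parse_offset(off))
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz).astimezone(timezone.utc)


def check_mappings(syslog_text: str, expected_offset: str):
    """Return (mappings, suspect): mappings is {user: ip} from records whose offset
    matches the receiver's expected zone; suspect lists (user, offset, skew_minutes)
    for records stamped with a different offset, i.e. the timestamp bug symptom."""
    expected = parse_offset(expected_offset)
    mappings, suspect = {}, []
    for line in syslog_text.splitlines():
        m = RECORD_RE.search(line)
        if not m:
            continue
        skew = parse_offset(m["off"]) - expected
        if skew:
            suspect.append((m["user"], m["off"], int(skew.total_seconds() // 60)))
            continue
        mappings[m["user"]] = m["ip"]
    return mappings, suspect
```

Run it against a syslog export with the offset your CDA host actually uses; a non-empty `suspect` list with a constant one-hour skew is the signature of the DST problem discussed above, while an empty `mappings` dict with no suspects points at missing accounting or passed-authentication forwarding instead.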

 

David Santos
Level 1

Just a new update,

 

I'm troubleshooting this case with Cisco.

 

BR,

 

 

Hello Everyone,

A couple of months ago we upgraded to the latest ACS version which directly has a fix for CDA.  After the upgrade we were able to see the logs coming and processed correctly on the CDA IP Mappings. 

Main issue was that ACS was sending an incorrect time at the syslog message. 

Maksim Tikunov
Level 1

Hi,

Here is a solution to integrate new ISE versions with CDA: https://www.isecdabroker.com 
It really works!
