Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
293
Views
0
Helpful
7
Replies

Getting IP Address of Authenticating Device

paul
Level 10
Level 10

‎07-02-2018 12:25 PM

I am trying to figure out the most efficient to get an IP address of a devices that are authenticating programmatically.

The RADIUS authentication report which I have a macro to process doesn't contain IP addresses.  The RADIUS accounting report may not show IPs of devices that have been on the network for a long period of time as we do "newinfo" only RADIUS accounting.  You can't get any decent information from Rest API from the endpoints. 

I was able to get the IP information via Rest calls to the M&T API, but the session lookup for a MAC address takes a long time.  I did a test of about 15 MAC addresses and it took around10 minutes to process those 15 MAC addresses doing M&T last session lookups.

Is there any other way to get this information?  I can't think of any other way.

Thanks.

0 Helpful
7 Replies 7

hslai
Cisco Employee
Cisco Employee

‎07-02-2018 12:37 PM

Why not pxGrid?

ISE 2.4 has a complete implementation of pxGrid 2.0 so it seems a good thing for you to try out.

Screen Shot 2018-07-02 at 12.34.40 PM.png

0 Helpful

paul
Level 10
Level 10
In response to hslai

‎07-02-2018 12:50 PM

That would be for more persistent data gathering wouldn’t it. I am processing RADIUS authentication report CSVs with an Excel macro to look for MAC addresses hitting my Catch All MAB rule. Once I find those MAC addresses I want to find their associated IP without having to manually go into Context Visibility and find each MAC address. There could be 100s of MAC addresses hitting the Catch All rule in the early stages of the ISE project. I have XML calls working in Excel to the M&T Rest API to gather the IP, but that call takes a long time.

I have confirmed with Postman that the call does take a long time.

https://@<M&T IP>/ise/mnt/Session/MACAddress/<MACAddress>

It takes about 8-12 seconds per call on a busy M&T. I guess my initial timing wasn’t as bad as I thought. I just timed the 15 MACs again and it was around 2 minutes This may be the best I can do.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

0 Helpful

hslai
Cisco Employee
Cisco Employee
In response to paul

‎07-02-2018 01:52 PM

How about running a report on current active sessions and exporting that result to a CSV in a repo?

0 Helpful

paul
Level 10
Level 10
In response to hslai

‎07-02-2018 01:57 PM

That could work, but usually I am running a report for the last 7 days looking for stuff hitting my Catch All. The active sessions would only show me devices currently on the network.

The M&T API will probably work okay. I just added it to my macro and processed 150 Catch All hits. It took some time but I got the IP for each of the MACs.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

0 Helpful

hslai
Cisco Employee
Cisco Employee
In response to paul

‎07-02-2018 02:03 PM

Not the live sessions one.

Screen Shot 2018-07-02 at 2.00.12 PM.png

0 Helpful

paul
Level 10
Level 10
In response to hslai

‎07-02-2018 02:11 PM

Yes but doesn’t active sessions mean there hasn’t been a RADIUS stop message for a given MAC? If there has been a RADIUS stop message for a MAC, i.e. the device is no longer on the network it shouldn’t be in that report. I need to see all devices on the network and devices that have left the network, because they could come back.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

0 Helpful

hslai
Cisco Employee
Cisco Employee
In response to paul

‎07-02-2018 02:17 PM

M&T Session API also needs the sessions still active. For inactive sessions, then we need to scrap the RADIUS auth and accounting reports like you did earlier.

0 Helpful
Customers Also Viewed These Support Documents