Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1507
Views
1
Helpful
3
Replies

Username Attributes sent from ISE to PA FW for URL Filtering

Go to solution
rroulhac
Cisco Employee
Cisco Employee

‎06-15-2017 12:25 PM

All,


I have this request from a partner that is facing a scenario where there is a school that is using ISE to allow students to register their devices, up to three, to get access to the network. Once they register there is no re-registration process. They are attempting to send user information to their Palo Alto which they use for URL filtering and only provides IP addresses. They had integrated with ISE to pull the identity information but for the self-registered devices, they are only receiving the mac address and not the student's name. According to the below, for wireless devices, Cisco ISE sends the user-id information only on the Authentication logs. Since the students are not forced to re-register it sounds like the log overwrites and there is no username.

They are currently running ISE 1.4 so wanted to know if this behavior has changed in the newer versions or if there is another option to pull data from somewhere other than the log.

https://live.paloaltonetworks.com/t5/Integration-Articles/Integrating-Cisco-ISE-Guest-Authentication-with-PAN-OS/ta-p/98295

--

Grace and Peace,

Robert E Roulhac Jr

Virtual Systems Engineer II

Cisco TSN (Technical Solutions Network)

rroulhac@cisco.com

Office: 919.5745455

1 Accepted Solution

Accepted Solutions

Go to solution
Timothy Abbott
Cisco Employee
Cisco Employee

‎06-15-2017 12:30 PM

Robert,

I don't think so.  It sounds like the authentication type is MAB.  With a MAB authentication, you will only get the L2 address.  To get the username, you would need to do 802.1X which would include the username.

Regards,

-Tim

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Timothy Abbott
Cisco Employee
Cisco Employee

‎06-15-2017 12:30 PM

Robert,

I don't think so.  It sounds like the authentication type is MAB.  With a MAB authentication, you will only get the L2 address.  To get the username, you would need to do 802.1X which would include the username.

Regards,

-Tim

0 Helpful

Go to solution
rroulhac
Cisco Employee
Cisco Employee
In response to Timothy Abbott

‎06-15-2017 12:33 PM

Tim,

I will validate that if they are doing BYOD flow they aren't using 802.1x or EAP-TLS. If they aren't then your response makes perfect sense.

Thanks for the quick response.

Rob

0 Helpful

Go to solution
umahar
Cisco Employee
Cisco Employee
In response to rroulhac

‎06-19-2017 08:45 AM

Makes sense that this might not be possible to achieve using syslog.

I think with ISE APIs you can fetch the username from the MAC address which is populated in <PortalUser> field.

0 Helpful
Customers Also Viewed These Support Documents