Thursday, March 21, 2019

Question about Cisco ISE (Authentication logs in Windows AD)

Hey /r/Networking

I'm hoping there are some Cisco ISE gurus in here that might be able to help me with an interesting problem I'm experiencing not with ISE itself but the authentication back end.

The scenario is pretty simple: there is a guest wifi that authenticates through ISE and drops the user onto the appropriate VLAN based on AD group membership. Simultaneously I'm collecting Active Directory logon events with a Fortinet FSSO collector agent which gathers logs from all AD servers in the environment. The user identity is used for logging/reporting.

The issue seems to be that although ISE authenticates these users to the domain, there are no logon events being generated in Active Directory. I believe ISE is tied into AD through RADIUS, but that should still produce a logon event when checking a username/password against the directory (unless I'm wrong here?).

The other solution to this problem would be to use RADIUS accounting and have ISE blast accounting messages at the FSSO agent and learn user identity/IP pairings that way, but according to several articles that can't be done and I would have to have the physical WLCs send said RADIUS accounting messages, which is nuts!

If someone could point me in the right direction or slap me if I'm on the wrong track it would be much appreciated!

Thanks in advance!

* There is a feature request on ISE:

Enhancement request for Cisco ISE to send RADIUS accounting messages (CSCvd83297) to Fortigate
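As an added illustration of the RADIUS accounting route mentioned in the post (this is example code written for this page, not code from the poster, from Cisco ISE, or from Fortinet's FSSO agent), the following Python builds the Accounting-Request a NAS such as a WLC emits per RFC 2866 and shows what an identity collector does with it: verify the Request Authenticator against the shared secret, pull User-Name and Framed-IP-Address, and learn or drop the identity/IP pairing on Start, Interim-Update and Stop. The shared secret, usernames, addresses and session IDs are constructed; the FSSO agent's listening port and accepted attribute set are not given on this page and are not assumed here.

```python
"""Minimal RADIUS accounting collector (RFC 2866) that keeps an IP -> user table.

Added example: a toy NAS side (build_acct_request) and collector side
(process_acct_request). All secrets and addresses below are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4            # RADIUS Code for Accounting-Request
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
STATUS_START, STATUS_STOP, STATUS_INTERIM = 1, 2, 3
STATUS_NAMES = {STATUS_START: "Start", STATUS_STOP: "Stop", STATUS_INTERIM: "Interim-Update"}


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_acct_request(secret: bytes, ident: int, user: str, framed_ip: str,
                       nas_ip: str, status: int, session_id: str) -> bytes:
    """Build the Accounting-Request a NAS (WLC) sends when a session starts/updates/stops."""
    attrs = (_attr(ATTR_USER_NAME, user.encode())
             + _attr(ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
             + _attr(ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address(framed_ip).packed)
             + _attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status))
             + _attr(ATTR_ACCT_SESSION_ID, session_id.encode()))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    # RFC 2866 s.3: Request Authenticator =
    #   MD5(Code + Identifier + Length + 16 zero octets + Attributes + Shared Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def parse_attrs(data: bytes) -> dict:
    """Split the attribute area into {type: raw value}, rejecting malformed lengths."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def process_acct_request(packet: bytes, secret: bytes, table: dict) -> tuple:
    """Verify one Accounting-Request and update the IP -> user table in place.

    Returns (accepted, info). A packet whose authenticator does not verify
    changes nothing, so a spoofed Start cannot plant a false identity and a
    spoofed Stop cannot blank a real one.
    """
    if len(packet) < 20:
        return False, {"reason": "short packet"}
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length < 20 or length > len(packet):
        return False, {"reason": "not a well-formed Accounting-Request"}
    packet = packet[:length]                      # octets past Length are padding (RFC 2865)
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return False, {"reason": "authenticator mismatch (wrong secret or tampering)"}
    try:
        attrs = parse_attrs(packet[20:])
        status = struct.unpack("!I", attrs[ATTR_ACCT_STATUS_TYPE])[0]
        user = attrs[ATTR_USER_NAME].decode()
        ip = str(ipaddress.IPv4Address(attrs[ATTR_FRAMED_IP_ADDRESS]))
    except (KeyError, ValueError, struct.error, UnicodeDecodeError) as exc:
        return False, {"reason": f"unusable attributes: {exc}"}
    if status in (STATUS_START, STATUS_INTERIM):
        table[ip] = user                          # learn or refresh the identity/IP pairing
    elif status == STATUS_STOP:
        table.pop(ip, None)                       # session over: stop attributing traffic
    else:
        return False, {"reason": f"unsupported Acct-Status-Type {status}"}
    return True, {"id": ident, "status": STATUS_NAMES[status], "user": user, "ip": ip}


if __name__ == "__main__":
    secret = b"example-shared-secret"            # constructed; use a per-NAS secret in practice
    table = {}
    pkt = build_acct_request(secret, 7, "guest.user", "10.20.30.40",
                             "192.0.2.10", STATUS_START, "5e1f0001")
    print(process_acct_request(pkt, secret, table), table)
```

The MD5-with-shared-secret authenticator is the only integrity RADIUS accounting has over plain UDP, so a collector should additionally accept packets only from the configured NAS addresses, use a distinct secret per NAS, and prefer RadSec (RADIUS over TLS) where the WLC and collector support it.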
