Depending on your firewall hardware you may be able to get the details from the WLC into the firewall logs. We use a Palo Alto and there is a document on how to use the SNMP traps to associate a user at the firewall. See https://supportforums.cisco.com/sites/default/files/attachments/discussion/cisco_wlc_-_palo_alto_networks_config_guide.pdf. It is a little out of data as we are running the 7.x PA code but I was able to make it work. I’m using snmptrapd, syslog-ng, and sec for my stack.
It may also help you decode the SNMP traps. I used this as my guide to use sec, simple event correlator, to create a text log of which users were on which APs at what time. We have Prime but the text file is easier to keep for a long time compared with the Prime association history logs. Tim Wier Network Manager Concordia University Chicago tim.w...@cuchicago.edu<mailto:tim.w...@cuchicago.edu> 708-209-3565 From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John York Sent: Thursday, March 3, 2016 1:54 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications We have Win NPS running Radius. It takes several lookups to get what I want and I was hoping to shorten the process. A typical one goes like this: Receive: outside IP, port, and time Lookup in firewall NAT logs Output: inside IP, time Lookup IP in DHCP logs Output: MAC address, time Lookup MAC in NPS logs Output: username From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dennis Xu Sent: Thursday, March 3, 2016 12:08 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications Hi John, You are right that WLCs do not log authentication sessions in syslog. Do you have Radius servers to authenticate wireless users? Radius server is the better place to collect authentication logs. Regards, Dennis Xu, MASc, CCIE #13056 Analyst 3, Network Infrastructure Computing and Communications Services(CCS) University of Guelph 519-824-4120 Ext 56217 d...@uoguelph.ca<mailto:d...@uoguelph.ca> www.uoguelph.ca/ccs<http://www.uoguelph.ca/ccs> ________________________________ From: "John York" <yo...@brcc.edu<mailto:yo...@brcc.edu>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Sent: Thursday, March 3, 2016 11:29:56 AM Subject: [WIRELESS-LAN] WLC 5508 logging authentications Hi We have one 5508 (soon to be a failover pair) and don’t run PI. Our users connect either through 802.1x or an open SSID with a webauth portal from the 5508. I need to be able to log authentications so I can track down users who have annoyed DMCA or our security department. I’m finding that 5508 syslog outputs a huge amount of stuff, but doesn’t include successful authentications. I’ve found some posts that indicate that info is only available through SNMP traps, but I haven’t been able to find the OIDs. Has anyone been able to log auths without using PI? Thanks John ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
