I have the stuff in a SIEM, but not correlated ;-( My Windows NPS logs have the IP of the WLC in the ClientIPAddress field. Rats. Client MAC is in CallingStationID, though.
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dennis Xu Sent: Thursday, March 3, 2016 3:04 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications We have the similar process here. But I think once you get the inside IP and time, you can lookup the username from the Radius auth logs(skip the DHCP lookup). We are currently implanting SIEM. We hope by dumping logs to SIEM from all systems, we can just do a simple lookup from SIEM. Dennis Xu, MASc, CCIE #13056 Analyst 3, Network Infrastructure Computing and Communications Services(CCS) University of Guelph 519-824-4120 Ext 56217 d...@uoguelph.ca<mailto:d...@uoguelph.ca> www.uoguelph.ca/ccs<http://www.uoguelph.ca/ccs> ________________________________ From: "John York" <yo...@brcc.edu<mailto:yo...@brcc.edu>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Sent: Thursday, March 3, 2016 2:53:57 PM Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications We have Win NPS running Radius. It takes several lookups to get what I want and I was hoping to shorten the process. A typical one goes like this: Receive: outside IP, port, and time Lookup in firewall NAT logs Output: inside IP, time Lookup IP in DHCP logs Output: MAC address, time Lookup MAC in NPS logs Output: username From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dennis Xu Sent: Thursday, March 3, 2016 12:08 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications Hi John, You are right that WLCs do not log authentication sessions in syslog. Do you have Radius servers to authenticate wireless users? Radius server is the better place to collect authentication logs. Regards, Dennis Xu, MASc, CCIE #13056 Analyst 3, Network Infrastructure Computing and Communications Services(CCS) University of Guelph 519-824-4120 Ext 56217 d...@uoguelph.ca<mailto:d...@uoguelph.ca> www.uoguelph.ca/ccs<http://www.uoguelph.ca/ccs> ________________________________ From: "John York" <yo...@brcc.edu<mailto:yo...@brcc.edu>> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Sent: Thursday, March 3, 2016 11:29:56 AM Subject: [WIRELESS-LAN] WLC 5508 logging authentications Hi We have one 5508 (soon to be a failover pair) and don’t run PI. Our users connect either through 802.1x or an open SSID with a webauth portal from the 5508. I need to be able to log authentications so I can track down users who have annoyed DMCA or our security department. I’m finding that 5508 syslog outputs a huge amount of stuff, but doesn’t include successful authentications. I’ve found some posts that indicate that info is only available through SNMP traps, but I haven’t been able to find the OIDs. Has anyone been able to log auths without using PI? Thanks John ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
