u/BaconEatingChamp

Cisco 9800 WLC + ISE

We are missing most syslog events to scrape user<>IP mappings in our firewall for our TEAP wifi network.

We see a Cisco Live slide showing to enable Interim Accounting on the WLC with a value of 0 under Security > AAA > AAA Advanced, but it will not accept 0 as a value. We do have Interim Accounting enabled per individual policy under Tags & Profiles > Policy.

https://i.imgur.com/wR40AbY.png

Is there a current recommended best practice? WLC v17.15.4b

u/BaconEatingChamp — 6 days ago

▲ 5 r/Cisco

We have ISE 3.4 up and want to scrape syslogs for user <> IP mappings with our TEAP wifi network (9800 WLC with Interim Accounting enabled). Our Palo is currently missing the majority of mappings as well as occasionally grabbing machine names. Anyone have this setup and regex to share?

https://i.imgur.com/qLdtdTd.png

Event Regex: ([A-Za-z0-9].*CISE_Passed_Authentications.*Framed-IP-Address=.*)|([A-Za-z0-9].*CISE_RADIUS_Accounting.*Framed-IP-Address=.*)  

Username Regex: UserName=(?![a-fA-F0-9]{12},)([a-zA-Z0-9._%-]+@[a-zA-Z0-9._-]+|[a-zA-Z0-9._]+),  

Address Regex: Framed-IP-Address=([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})

u/BaconEatingChamp — 13 days ago