RE: WLC 5508 logging authentications

2016-03-03 Thread John York
Ah, one of my problems was that I didn’t have accounting properly configured on 
the Windows NPS box.  It only logs to SQL or a text file tho, no syslog (at 
least without a 3rd party client.)  Perhaps I could schedule a task with 
PowerShell…

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dennis Xu
Sent: Thursday, March 3, 2016 3:49 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications

It depends on what Radius logs you are looking at. In Radius authentication 
logs, yes CallingStationID field contains client MAC address (because WLC does 
not know client's IP address at this stage). But if you look at Radius 
accounting logs, you should see client IP addresses in CallingStationID. We 
search in accounting logs because those give us the session start and stop 
times.



Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services(CCS)
University of Guelph

519-824-4120 Ext 56217
d...@uoguelph.ca
www.uoguelph.ca/ccs


From: "John York"
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Thursday, March 3, 2016 3:28:42 PM
Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications

I have the stuff in a SIEM, but not correlated ;-(

My Windows NPS logs have the IP of the WLC in the ClientIPAddress field.  Rats. 
 Client MAC is in CallingStationID, though.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dennis Xu
Sent: Thursday, March 3, 2016 3:04 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications

We have a similar process here. But I think once you get the inside IP and 
time, you can look up the username from the Radius auth logs (skip the DHCP 
lookup).

We are currently implementing SIEM. We hope by dumping logs to SIEM from all 
systems, we can just do a simple lookup from SIEM.


Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services(CCS)
University of Guelph

519-824-4120 Ext 56217
d...@uoguelph.ca
www.uoguelph.ca/ccs


From: "John York"
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Thursday, March 3, 2016 2:53:57 PM
Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications

We have Win NPS running Radius.  It takes several lookups to get what I want 
and I was hoping to shorten the process.  A typical one goes like this:

Receive:  outside IP, port, and time
Lookup in firewall NAT logs
Output:  inside IP, time
Lookup IP in DHCP logs
Output:   MAC address, time
Lookup MAC in NPS logs
Output:  username

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dennis Xu
Sent: Thursday, March 3, 2016 12:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications

Hi John,

You are right that WLCs do not log authentication sessions in syslog. Do you 
have Radius servers to authenticate wireless users? Radius server is the better 
place to collect authentication logs.

Regards,

Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services(CCS)
University of Guelph

519-824-4120 Ext 56217
d...@uoguelph.ca
www.uoguelph.ca/ccs


From: "John York"
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Thursday, March 3, 2016 11:29:56 AM
Subject: [WIRELESS-LAN] WLC 5508 logging authentications

Hi
We have one 5508 (soon to be a failover pair) and don’t run PI. Our users 
connect either through 802.1x or an open SSID with a webauth portal from the 
5508.  I need to be able to log authentications so I can track down users who 
have annoyed DMCA or our security department.  I’m finding that 5508 syslog 
outputs a huge amount of stuff, but doesn’t include successful authentications. 
 I’ve found some posts that indicate that info is only available through SNMP 
traps, but I haven’t been able to find the OIDs.  Has anyone been able to log 
auths without using PI?
Thanks
John
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.

RE: WLC 5508 logging authentications

2016-03-03 Thread John York
Cool!  Maybe I can do this with my SIEM…

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Manon Lessard
Sent: Thursday, March 3, 2016 3:16 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications

John,


Have you by any chance looked at this document?

https://supportforums.cisco.com/document/9869811/cisco-wlc-snmp-historical-user-statistics-monitoring-w-syslog-or-splunk

I don’t know if it works on 5508s but I tested on a WISM2 and MIB 
1.3.6.1.4.1.14179.2.1.4.1.3 yields usernames among other things.


Just an idea…

Manon Lessard
Systems Development Technician, CCNP
Direction des technologies de l'information
Pavillon Louis-Jacques-Casault
1055, avenue du Séminaire
Bureau 0403
Université Laval, Québec (Québec)
G1V 0A6, Canada

418 656-2131, ext. 12853
Fax: 418 656-7305
manon.less...@dti.ulaval.ca
www.dti.ulaval.ca




From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John York
Sent: March 3, 2016 11:30
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WLC 5508 logging authentications

Hi
We have one 5508 (soon to be a failover pair) and don’t run PI. Our users 
connect either through 802.1x or an open SSID with a webauth portal from the 
5508.  I need to be able to log authentications so I can track down users who 
have annoyed DMCA or our security department.  I’m finding that 5508 syslog 
outputs a huge amount of stuff, but doesn’t include successful authentications. 
 I’ve found some posts that indicate that info is only available through SNMP 
traps, but I haven’t been able to find the OIDs.  Has anyone been able to log 
auths without using PI?
Thanks
John



RE: WLC 5508 logging authentications

2016-03-03 Thread Manon Lessard
John,


Have you by any chance looked at this document?

https://supportforums.cisco.com/document/9869811/cisco-wlc-snmp-historical-user-statistics-monitoring-w-syslog-or-splunk

I don’t know if it works on 5508s but I tested on a WISM2 and MIB 
1.3.6.1.4.1.14179.2.1.4.1.3 yields usernames among other things.


Just an idea…

Manon Lessard
Systems Development Technician, CCNP
Direction des technologies de l'information
Pavillon Louis-Jacques-Casault
1055, avenue du Séminaire
Bureau 0403
Université Laval, Québec (Québec)
G1V 0A6, Canada

418 656-2131, ext. 12853
Fax: 418 656-7305
manon.less...@dti.ulaval.ca
www.dti.ulaval.ca




From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John York
Sent: March 3, 2016 11:30
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] WLC 5508 logging authentications

Hi
We have one 5508 (soon to be a failover pair) and don’t run PI. Our users 
connect either through 802.1x or an open SSID with a webauth portal from the 
5508.  I need to be able to log authentications so I can track down users who 
have annoyed DMCA or our security department.  I’m finding that 5508 syslog 
outputs a huge amount of stuff, but doesn’t include successful authentications. 
 I’ve found some posts that indicate that info is only available through SNMP 
traps, but I haven’t been able to find the OIDs.  Has anyone been able to log 
auths without using PI?
Thanks
John



RE: WLC 5508 logging authentications

2016-03-03 Thread John York
Thanks, this is helpful!

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Wier, Timothy A.
Sent: Thursday, March 3, 2016 3:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications

Depending on your firewall hardware you may be able to get the details from the 
WLC into the firewall logs. We use a Palo Alto and there is a document on how 
to use the SNMP traps to associate a user at the firewall. See 
https://supportforums.cisco.com/sites/default/files/attachments/discussion/cisco_wlc_-_palo_alto_networks_config_guide.pdf.
 It is a little out of date as we are running the 7.x PA code but I was able to 
make it work. I’m using snmptrapd, syslog-ng, and sec for my stack.

It may also help you decode the SNMP traps. I used this as my guide to use sec, 
simple event correlator, to create a text log of which users were on which APs 
at what time. We have Prime but the text file is easier to keep for a long time 
compared with the Prime association history logs.

Tim Wier
Network Manager
Concordia University Chicago
tim.w...@cuchicago.edu
708-209-3565

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John York
Sent: Thursday, March 3, 2016 1:54 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications

We have Win NPS running Radius.  It takes several lookups to get what I want 
and I was hoping to shorten the process.  A typical one goes like this:

Receive:  outside IP, port, and time
Lookup in firewall NAT logs
Output:  inside IP, time
Lookup IP in DHCP logs
Output:   MAC address, time
Lookup MAC in NPS logs
Output:  username

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dennis Xu
Sent: Thursday, March 3, 2016 12:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications

Hi John,

You are right that WLCs do not log authentication sessions in syslog. Do you 
have Radius servers to authenticate wireless users? Radius server is the better 
place to collect authentication logs.

Regards,

Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services(CCS)
University of Guelph

519-824-4120 Ext 56217
d...@uoguelph.ca
www.uoguelph.ca/ccs


From: "John York"
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Thursday, March 3, 2016 11:29:56 AM
Subject: [WIRELESS-LAN] WLC 5508 logging authentications

Hi
We have one 5508 (soon to be a failover pair) and don’t run PI. Our users 
connect either through 802.1x or an open SSID with a webauth portal from the 
5508.  I need to be able to log authentications so I can track down users who 
have annoyed DMCA or our security department.  I’m finding that 5508 syslog 
outputs a huge amount of stuff, but doesn’t include successful authentications. 
 I’ve found some posts that indicate that info is only available through SNMP 
traps, but I haven’t been able to find the OIDs.  Has anyone been able to log 
auths without using PI?
Thanks
John



RE: WLC 5508 logging authentications

2016-03-03 Thread John York
I have the stuff in a SIEM, but not correlated ;-(

My Windows NPS logs have the IP of the WLC in the ClientIPAddress field.  Rats. 
 Client MAC is in CallingStationID, though.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dennis Xu
Sent: Thursday, March 3, 2016 3:04 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications

We have a similar process here. But I think once you get the inside IP and 
time, you can look up the username from the Radius auth logs (skip the DHCP 
lookup).

We are currently implementing SIEM. We hope by dumping logs to SIEM from all 
systems, we can just do a simple lookup from SIEM.


Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services(CCS)
University of Guelph

519-824-4120 Ext 56217
d...@uoguelph.ca
www.uoguelph.ca/ccs


From: "John York"
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Thursday, March 3, 2016 2:53:57 PM
Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications

We have Win NPS running Radius.  It takes several lookups to get what I want 
and I was hoping to shorten the process.  A typical one goes like this:

Receive:  outside IP, port, and time
Lookup in firewall NAT logs
Output:  inside IP, time
Lookup IP in DHCP logs
Output:   MAC address, time
Lookup MAC in NPS logs
Output:  username

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dennis Xu
Sent: Thursday, March 3, 2016 12:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications

Hi John,

You are right that WLCs do not log authentication sessions in syslog. Do you 
have Radius servers to authenticate wireless users? Radius server is the better 
place to collect authentication logs.

Regards,

Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services(CCS)
University of Guelph

519-824-4120 Ext 56217
d...@uoguelph.ca
www.uoguelph.ca/ccs


From: "John York"
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Thursday, March 3, 2016 11:29:56 AM
Subject: [WIRELESS-LAN] WLC 5508 logging authentications

Hi
We have one 5508 (soon to be a failover pair) and don’t run PI. Our users 
connect either through 802.1x or an open SSID with a webauth portal from the 
5508.  I need to be able to log authentications so I can track down users who 
have annoyed DMCA or our security department.  I’m finding that 5508 syslog 
outputs a huge amount of stuff, but doesn’t include successful authentications. 
 I’ve found some posts that indicate that info is only available through SNMP 
traps, but I haven’t been able to find the OIDs.  Has anyone been able to log 
auths without using PI?
Thanks
John



RE: WLC 5508 logging authentications

2016-03-03 Thread Wier, Timothy A.
Depending on your firewall hardware you may be able to get the details from the 
WLC into the firewall logs. We use a Palo Alto and there is a document on how 
to use the SNMP traps to associate a user at the firewall. See 
https://supportforums.cisco.com/sites/default/files/attachments/discussion/cisco_wlc_-_palo_alto_networks_config_guide.pdf.
 It is a little out of date as we are running the 7.x PA code but I was able to 
make it work. I’m using snmptrapd, syslog-ng, and sec for my stack.

It may also help you decode the SNMP traps. I used this as my guide to use sec, 
simple event correlator, to create a text log of which users were on which APs 
at what time. We have Prime but the text file is easier to keep for a long time 
compared with the Prime association history logs.

Tim Wier
Network Manager
Concordia University Chicago
tim.w...@cuchicago.edu
708-209-3565

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John York
Sent: Thursday, March 3, 2016 1:54 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications

We have Win NPS running Radius.  It takes several lookups to get what I want 
and I was hoping to shorten the process.  A typical one goes like this:

Receive:  outside IP, port, and time
Lookup in firewall NAT logs
Output:  inside IP, time
Lookup IP in DHCP logs
Output:   MAC address, time
Lookup MAC in NPS logs
Output:  username

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dennis Xu
Sent: Thursday, March 3, 2016 12:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications

Hi John,

You are right that WLCs do not log authentication sessions in syslog. Do you 
have Radius servers to authenticate wireless users? Radius server is the better 
place to collect authentication logs.

Regards,

Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services(CCS)
University of Guelph

519-824-4120 Ext 56217
d...@uoguelph.ca
www.uoguelph.ca/ccs


From: "John York"
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Thursday, March 3, 2016 11:29:56 AM
Subject: [WIRELESS-LAN] WLC 5508 logging authentications

Hi
We have one 5508 (soon to be a failover pair) and don’t run PI. Our users 
connect either through 802.1x or an open SSID with a webauth portal from the 
5508.  I need to be able to log authentications so I can track down users who 
have annoyed DMCA or our security department.  I’m finding that 5508 syslog 
outputs a huge amount of stuff, but doesn’t include successful authentications. 
 I’ve found some posts that indicate that info is only available through SNMP 
traps, but I haven’t been able to find the OIDs.  Has anyone been able to log 
auths without using PI?
Thanks
John



RE: WLC 5508 logging authentications

2016-03-03 Thread John York
We have Win NPS running Radius.  It takes several lookups to get what I want 
and I was hoping to shorten the process.  A typical one goes like this:

Receive:  outside IP, port, and time
Lookup in firewall NAT logs
Output:  inside IP, time
Lookup IP in DHCP logs
Output:   MAC address, time
Lookup MAC in NPS logs
Output:  username

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dennis Xu
Sent: Thursday, March 3, 2016 12:08 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WLC 5508 logging authentications

Hi John,

You are right that WLCs do not log authentication sessions in syslog. Do you 
have Radius servers to authenticate wireless users? Radius server is the better 
place to collect authentication logs.

Regards,

Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services(CCS)
University of Guelph

519-824-4120 Ext 56217
d...@uoguelph.ca
www.uoguelph.ca/ccs


From: "John York"
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Thursday, March 3, 2016 11:29:56 AM
Subject: [WIRELESS-LAN] WLC 5508 logging authentications

Hi
We have one 5508 (soon to be a failover pair) and don’t run PI. Our users 
connect either through 802.1x or an open SSID with a webauth portal from the 
5508.  I need to be able to log authentications so I can track down users who 
have annoyed DMCA or our security department.  I’m finding that 5508 syslog 
outputs a huge amount of stuff, but doesn’t include successful authentications. 
 I’ve found some posts that indicate that info is only available through SNMP 
traps, but I haven’t been able to find the OIDs.  Has anyone been able to log 
auths without using PI?
Thanks
John
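
The lookup chain described in this thread (firewall NAT log, then DHCP log, then NPS log) and the shorter path through RADIUS accounting sessions can be sketched as below. This is an added example, not code from any poster in the thread; the records are constructed, and all field and function names are hypothetical. It assumes all log sources share one clock.

```python
from datetime import datetime

DAY = "2016-03-03 "

def ts(clock):
    """Parse HH:MM:SS on the sample day (all sources assumed to share one clock)."""
    return datetime.strptime(DAY + clock, "%Y-%m-%d %H:%M:%S")

def rows(fields, *tuples):
    """Build interval records; the first two columns are start and end times."""
    keys = ("start", "end") + fields
    return [dict(zip(keys, (ts(t[0]), ts(t[1])) + t[2:])) for t in tuples]

# Constructed sample records, not real logs; field names are hypothetical.
NAT = rows(("outside_ip", "port", "inside_ip"),
    ("09:29:50", "09:31:00", "203.0.113.10", 40112, "10.20.5.77"),
    ("11:14:30", "11:16:00", "203.0.113.10", 40112, "10.20.5.77"),
    ("11:14:40", "11:15:30", "203.0.113.10", 40113, "10.20.5.80"))
# The same inside IP is leased to two different clients during the day.
DHCP = rows(("ip", "mac"),
    ("09:00:00", "10:00:00", "10.20.5.77", "02:00:00:00:00:01"),
    ("10:30:00", "12:00:00", "10.20.5.77", "02:00:00:00:00:02"),
    ("11:00:00", "13:00:00", "10.20.5.80", "02:00:00:00:00:03"))
# RADIUS accounting sessions (start/stop times) keyed by client IP.
ACCT = rows(("ip", "user"),
    ("09:00:05", "09:58:00", "10.20.5.77", "alice"),
    ("10:30:10", "11:50:00", "10.20.5.77", "bob"),
    ("11:00:05", "12:40:00", "10.20.5.80", "carol"))
# RADIUS authentication events: (time, client MAC, username).
AUTH = [(ts("08:59:40"), "02:00:00:00:00:01", "alice"),
        (ts("10:29:45"), "02:00:00:00:00:02", "bob"),
        (ts("10:59:50"), "02:00:00:00:00:03", "carol")]

def covering(records, when, source, **match):
    """Return the single record whose interval covers `when` and whose fields match."""
    hits = [r for r in records if r["start"] <= when <= r["end"]
            and all(r[k] == v for k, v in match.items())]
    if len(hits) != 1:  # zero or ambiguous: refuse to name a user
        raise LookupError(f"{source}: expected 1 match, found {len(hits)}")
    return hits[0]

def inside_ip(outside_ip, port, when):
    """Step 1: outside IP, port and time -> inside IP from the NAT log."""
    return covering(NAT, when, "NAT", outside_ip=outside_ip, port=port)["inside_ip"]

def user_via_dhcp(outside_ip, port, when):
    """NAT log -> DHCP lease -> latest authentication for that MAC."""
    ip = inside_ip(outside_ip, port, when)
    mac = covering(DHCP, when, "DHCP", ip=ip)["mac"]
    auths = [a for a in AUTH if a[1] == mac and a[0] <= when]
    if not auths:
        raise LookupError("auth: no authentication for MAC before event")
    return max(auths, key=lambda a: a[0])[2]

def user_via_accounting(outside_ip, port, when):
    """NAT log -> accounting session open on that IP at that time (no DHCP step)."""
    ip = inside_ip(outside_ip, port, when)
    return covering(ACCT, when, "accounting", ip=ip)["user"]

if __name__ == "__main__":
    for clock in ("09:30:00", "11:15:00"):
        args = ("203.0.113.10", 40112, ts(clock))
        print(clock, user_via_dhcp(*args), user_via_accounting(*args))
```

Matching on the time interval at every step is what keeps a reused inside IP or NAT port from resolving to the wrong user; a lookup with no match or more than one match raises an error rather than returning a name.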