Re: [WIRELESS-LAN] WLC 5508 logging authentications

2016-03-03 Thread Joachim Tingvold
On 3 Mar 2016, at 18:12, Matthew Newton wrote: I’ve found some posts that indicate that info is only available through SNMP traps, but I haven’t been able to find the OIDs. Has anyone been able to log auths without using PI? I feed the whole lot to snmptrapd which just syslogs them, then push

Re: [WIRELESS-LAN] WLC 5508 logging authentications

2016-03-03 Thread Jeremy Gibbs
John, A long time ago, I used splunk universal forwarder to export logs from a windows server to my syslog server. I am not sure if it is still possible, but it was always free to do and worked well. I haven't touched it in 4 years since I stopped collecting windows logs, so I am unsure if that

RE: WLC 5508 logging authentications

2016-03-03 Thread John York
Ah, one of my problems was that I didn’t have accounting properly configured on the Windows NPS box. It only logs to SQL or a text file tho, no syslog (at least without a 3rd party client.) Perhaps I could schedule a task with PowerShell… From: The EDUCAUSE Wireless Issues Constituent Group

Re: [WIRELESS-LAN] WLC 5508 logging authentications

2016-03-03 Thread Dennis Xu
It depends on what Radius logs you are looking at. In Radius authentication logs, yes, the CallingStationID field contains the client MAC address (because the WLC does not know the client's IP address at this stage). But if you look at Radius accounting logs, you should see client IP addresses in

RE: WLC 5508 logging authentications

2016-03-03 Thread John York
Cool! Maybe I can do this with my SIEM… From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Manon Lessard Sent: Thursday, March 3, 2016 3:16 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] WLC 5508 logging

RE: WLC 5508 logging authentications

2016-03-03 Thread Manon Lessard
John, Have you by any chance looked at this document? https://supportforums.cisco.com/document/9869811/cisco-wlc-snmp-historical-user-statistics-monitoring-w-syslog-or-splunk I don’t know if it works on 5508s but I tested on a WISM2 and MIB 1.3.6.1.4.1.14179.2.1.4.1.3 yields usernames among

RE: WLC 5508 logging authentications

2016-03-03 Thread John York
Thanks, this is helpful! From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Wier, Timothy A. Sent: Thursday, March 3, 2016 3:10 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] WLC 5508 logging

RE: WLC 5508 logging authentications

2016-03-03 Thread John York
I have the stuff in a SIEM, but not correlated ;-( My Windows NPS logs have the IP of the WLC in the ClientIPAddress field. Rats. Client MAC is in CallingStationID, though. From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of

RE: WLC 5508 logging authentications

2016-03-03 Thread Wier, Timothy A.
Depending on your firewall hardware you may be able to get the details from the WLC into the firewall logs. We use a Palo Alto and there is a document on how to use the SNMP traps to associate a user at the firewall. See

Re: [WIRELESS-LAN] WLC 5508 logging authentications

2016-03-03 Thread Dennis Xu
We have a similar process here. But I think once you get the inside IP and time, you can look up the username from the Radius auth logs (skip the DHCP lookup). We are currently implementing SIEM. We hope by dumping logs to SIEM from all systems, we can just do a simple lookup from SIEM.

RE: WLC 5508 logging authentications

2016-03-03 Thread John York
We have Win NPS running Radius. It takes several lookups to get what I want and I was hoping to shorten the process. A typical one goes like this: Receive: outside IP, port, and time Lookup in firewall NAT logs Output: inside IP, time Lookup IP in DHCP logs Output: MAC address, time Lookup

Re: [WIRELESS-LAN] Wireless Service Improvement Plan

2016-03-03 Thread Friskney, Doyle
Remember the majority of your wireless users are students and students will not use a formal reporting process. Just hold several focus groups with your users (students and faculty) and they will be more than willing to let you know where you have problems. Defaulting to analytic tools and

Re: [WIRELESS-LAN] WLC 5508 logging authentications

2016-03-03 Thread Lee H Badman
RADIUS logs are chock full of info... Lee Badman (mobile) On Mar 3, 2016, at 11:30 AM, John York wrote: Hi We have one 5508 (soon to be a failover pair) and don't run PI. Our users connect either through 802.1x or an open SSID with a webauth portal from

Re: [WIRELESS-LAN] WLC 5508 logging authentications

2016-03-03 Thread Matthew Newton
On Thu, Mar 03, 2016 at 04:29:56PM +, John York wrote: > I’m finding that 5508 syslog outputs a huge amount of stuff, but > doesn’t include successful authentications. WLC syslogs aren't particularly useful for a lot of stuff IMO... > I’ve found some posts that indicate that info is only

Re: [WIRELESS-LAN] WLC 5508 logging authentications

2016-03-03 Thread Dennis Xu
Hi John, You are right that WLCs do not log authentication sessions in syslog. Do you have Radius servers to authenticate wireless users? Radius server is the better place to collect authentication logs. Regards, Dennis Xu, MASc, CCIE #13056 Analyst 3, Network Infrastructure Computing

Wireless Service Improvement Plan

2016-03-03 Thread Von Lichtenberg, Charles
We routinely participate in the TechQual survey and in the last one we started to show some erosion of satisfaction with our wireless services from our community. Commentary from the survey is too vague to do much with but the overall stats from the survey suggest that we need to improve things.

Re: [WIRELESS-LAN] Open Networks in Resnet

2016-03-03 Thread Paul Miklas
To date we haven't had many issues without the portal, not surprising that our help desk has stated that support tickets for access to wireless have gone down. This semester is a trial period for not having a portal and our staff will be reviewing and making a decision to either add it back or

RE: Open Networks in Resnet

2016-03-03 Thread Lee H Badman
Any concerns since you got rid of the portal? Thanks- Lee Lee Badman | Network Architect (CWNA, CWSP, Mobility+) Information Technology Services 206 Machinery Hall 120 Smith Drive Syracuse, New York 13244 t 315.443.3003 f 315.443.4325 e lhbad...@syr.edu w

RE: Open Networks in Resnet

2016-03-03 Thread Edward Ip
I should also say, the following policy is applied to our Guest SSID: Bandwidth is limited based on policies applied on our Radware LinkProof appliance (VLAN Priority, Time of Day limits and App priority). No access to our internal networks except for a few student applications (Blackboard and

RE: Open Networks in Resnet

2016-03-03 Thread Edward Ip
We run two SSID campus wide including in our Resnet building. Secure-SSID (Authenticated) Open-SSID (Guest) Edward Ip Algonquin College | 1385 Woodroffe Avenue | Room C316 | Ottawa | Ontario | K2G 1V8 | Canada algonquincollege.com From: The EDUCAUSE Wireless Issues Constituent Group Listserv

Re: [WIRELESS-LAN] Open Networks in Resnet

2016-03-03 Thread Chuck Anderson
If the captive portal is DHCP/IP-based, doesn't that just move the problem to a different DHCP scope? We had to make our scope large enough to handle drive/walk-bys. We have: WPI-Wireless - EAP-TLS eduroam - EAP-TLS WPI-Wireless-Setup - Open, Portal for onboarding the two above, with limited

RE: 802.1x causing Android phone to reboot

2016-03-03 Thread Osborne, Bruce W (Network Services)
Possible Android debugging help here: https://code.google.com/p/android/issues/detail?id=188867 What RADIUS server do you use? This could be related to TLS 1.2 enforcement. Some RADIUS servers implemented the standard incorrectly. I know FreeRADIUS has updated versions that work correctly.

RE: Open Networks in Resnet

2016-03-03 Thread Osborne, Bruce W (Network Services)
Interesting… Without a captive portal, how do you stop “drive-by” devices that probe all open networks for Internet access, consuming IP addresses needlessly? We found we needed a captive portal to discourage those, mainly mobile, devices from exhausting our Guest DHCP scopes. Bruce

RE: Open Networks in Resnet

2016-03-03 Thread Osborne, Bruce W (Network Services)
Our guest network is open but bandwidth limited with a self-registration captive portal (currently, just email address). Our network for non-802.1X devices & 802.1X registration is open, but with a captive portal unless the device has been mac registered. We block some internal services (web