ISE 1.3 Guest Activity

Hello,
is in the ise version 1.3 a possiblity that I can display the Guest Activity and export it via FTP?
What I'd like to see is: Which user opens which website/service. What kind of activity is the guest doing during he is using our guest wifi.
Regards
Filip

Hello Filip. No such an option is available in ISE. Moreover, only the Guest authentication traffic hits ISE. Once the guest user is authenticated the traffic no longer flows through ISE, thus, ISE has no visibility to what the user is actually doing on the network. 
This sort of information would be best collected by your web security appliance. So for instance, if you have Cisco WSA/CWSA.
Thank you for rating helpful posts!

Similar Messages

  • ISE Guest Activity Report not working (1.2.0.899)

    Recently I upgraded an ISE to 1.2.0.899. I found the Guest Activity Report is not working. Before the upgrade it was working properly (with the limitation of 5000 records by report). Nothing in the ASA was modified, but nothing is reported in the ISE; also I use the tcpdump integrated in the ISE to validate the syslog messages are arriving from the ASA to the ISE. I already enable the Passed Authentication logging category.
    Do I need to modify something else,to have the report?

    Hi
    Please make sure these steps has configured correctly:
    Step 1 Create an alarm, as described in Creating, Editing, and Deleting Alarm Schedules.
    Step 2  Specify a rule for Passed Authentication, Failed Authentications, or Authentication Inactivity for all users of                 type guest, as described in Creating and Assigning an Alarm Rule.
    Step 3 Calculate guest user activity by Monitoring Live Authentications.

  • ISE Guest activity reports configuration

    Hi All,
    I am trying to obtain guest activity report pertaining to the websites accessed by the guests. I have a standalone ISE deployement (1.1.2) running all personas. I am following the instructions on this document in a way:
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080ac2fda.shtml#asac
    I have configured the sysloging on my ASA gateway this way:
    logging on
    logging list WebLogging message 304001
    logging trap WebLogging
    logging facility 21
    logging host inside <ISE-ip-address> 17/20514
    I also configured http inspection:
    policy-map global_policy
    class inspection_default
      inspect http
    service-policy global_policy global
    Accounting is configured on the WLC and pointing to the ISE node.
    I am using CWA for guest access. This is working as expected. The Sponsor creates the account then the guest logs in successfully using the account created. I only need to have the guest activity reported. So far no luck and the activity report is empty. Any pointers are greatly appreciated.
    Fadi

    Hi Fashour:
    I will began test to generate this kind of reports soon (I need to wait por authorization to get access to ASA and change current config) I have some questions:
    Did you configure something in the ISE to enable it as syslog server?
    Can it be possible that you paste an image with the report results as a sample? I like to show my company and my customer what kind of reports we should expect ..
    Regards.

  • Guest Activity on Cisco ISE

    Is it possible to monitor the web pages visited for a guest using cisco ISE?                  

    Hi Gino,
    Yes, you can use the Guest Activity option. The Guest Activity report provides details about the websites that guest users are visiting. You can use this report for security auditing purposes to demonstrate when guest users accessed the network and what they did on it.
    This report is available at: Operations > Reports > Endpoints and Users > Guest Activity.
    To use this report you must first:
    •Enable the passed authentications logging category. Choose Administration > Logging > Logging Categories and select Passed authentications.
    •Enable these options on the firewall used for guest traffic:
    –Inspect HTTP traffic and send data to Cisco ISE Monitoring node. Cisco ISE only requires the the IP address and accessed URL for the Guest Activity report so, if possible, limit the data to include just this information.
    –Send syslogs to Cisco ISE Monitoring node
    Please check the below link for further information,
    http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_guest_pol.html#wp1056645

  • ISE 1.2 Guest Report based on specific Guest IP Address

    Hi
    I have a simple requirement which I am not able to find the way. Maybe someone can help me out.
    I have a WLC / WiSM2 (7.5) Guest Controller and ISE 1.2 (Patch5) in production with only CWA for Guest Access.
    Since I should create a query based on the Guest's IP Address, I tried to find a way to do so. But the "Guest Activity" report is empty (I do not have a cisco ASA with URL logging in place).
    If I do a "Guest Accounting" Report, I am able to see the IP Address attribute per user (so the data is there). But there is no way to filter on that coloum (neither thorugh the filter button which only allows to filter on Endpoint ID and/or Identity, nor is there an option like in ACS 5.x to do an Interactive search).
    Any help?
    The Authentication tab would do the job as well, but there are no filterable time ranges....
    Thanks!

    If anybody get into the same isse, I got an answer from cisco to this, what I found out as well as a possible, but not very handy way:
    "A workaround is to configure a remote syslog target to capture logging category Administrative and Operational Audit and filter and parse the logs accordingly."

  • ISE 1.2 Guest Portal Profiling Certainty Factor not Increase

    Hi I have configure ISE 1.2 Guest Portal and check for profiling which device login but I found that endpoint profile not match after user succesful authenticate
    Profiling Configure and Endpoint Detail in attachment below

    Hi salodh
    as you can see in attach file all profiling are configure correctly and condition should be match according to User-Agent Contain Andriod (profile3.png) and Certainty Factor must increase (profile2.png) in this case but Total Certainty Factor still 0 in endpoint profile (profile1.png)

  • WLC to ISE authentication for Guest

    Hi Experts,
    Hope if you could guide me with our setup for Guest users. Below is what we are doing
    a)     Guest connects to SSID
    b)     WLC is being used to redirect Guest HTTP to WLC internal Portal
    c)     WLC forwards guest authentication details to cisco ISE [ISE and WLC radius]
    The guest connects to SSID and does get WLC portal for authentication, when the username and password entered on Cisco ISE i see error message as
    'User Identity not found in any of Identity Store' though it is going through correct Store and the Guest name is certainly configured on Cisco ISE. ISE version is 1.2 and WLC is 7.4, please let me know if i am missing anything here.
    Appreciate your help

    The first method is local web authentication. In this case, the WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Services Engine (ISE) or NAC Guest Server (NGS)) is required as the portal provides features such as device registering and self-provisioning. The flow includes these steps:
    Please follow below guide for step by step configuration:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml

  • ISE 1.3 Guest API - using custom fields for guest creation?

    I am currently working with the new ISE 1.3 guest api, i have most everything working, i can create guests fine, with the basic information entered into the guest account like first name, last name, company, email, phone and so on. Now i need some more fields to enter other information in for that guest, and i have created 5 extra custom fields called option1-option5, and enabled them for the "Known Guests" page on my sponsor portal. I can however not figure out how they should be adressed in the xml input sent in the api request...anyone tried this ?
    Regards
    Jan

    Hi Johan,
    Sure i can lead on the way, the stuff i am doing is part of a complete system i build and sell, that integrates with ISE to give customers the ability to create guest accounts using a number of different social media facebook, google and so on, to self-provision accounts for guest acces (and many other things :-)
    I mainly use PHP for this, and for simplicity you can use a curl command line executed by any scripting you prefer, or use any curl library you might have available to you.
    So, you need an ise sponsor account that has the "api usage flag" allowed in the sponsor group it is a member of. Then you need to know a few things about the ise setup, that needs to be sent with your request to ise, to allow the creation of a guest account.
    If you need some code examples, send me a pm and we can figure something out
    API Reference :
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/api_ref_guide/api_ref_book/ise_api_ref_guest.html

  • Cisco ISE or NAC Guest with web security (IronPort) integration

    All,
    We have a scenario where guests will be authenticated against the ISE or NAC Guest server, and customer will place an IronPort to provide web security, however, we can not find referentes whether IronPort can or cannot integrate with Guest Server, so that guests are not requested to be authenticated twice, one by the Guest Server, a one by the proxy. The idea is to keep it transparent for the guests with a single authentication.
    Has anyone there implemented such scenario?
    Thank you!

    I see. So, lets say we disable proxy authentication for the guest segment, can I still provide content filter for the segment, even though there is no proxy authentication? I assume customer will lose the reportinga and tracking granularity, but the scenario will work withou proxy authentication. This may be some sort of "man in the middle" only, but with content filter. Does it make sense?
    Thank you!

  • ISE Guest Activity Report

    In accord with the user guide, ISE should be able to report what URLs a guest had visited. For this functionality to work "you must enable guest access syslogging configuration on the NAD that inspects guest traffic in your Cisco ISE network".
    How can I do that if my guest users only have access through wireless? I mean what should I config in the WLC?
    Thanks in advance

    In Cisco ISE, system logs are collected at locations called logging targets. Targets refer to the IP addresses of the servers that collect and store logs.
    ISE has the following default targets, which are dynamically configured in the loopback addresses of the local system:
    •LogCollector—Default syslog target for the Log Collector.
    •ProfilerRadiusProbe—Default syslog target for the Profiler Radius Probe.
    You can generate and store logs locally, or you can use the FTP facility to transfer them to an external server.
    Please check the following link,
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_logging.html#wp1076091

  • ISE 1.2 - Guest Services

    Hi All,
    I'm planning to setup Cisco ISE - GNAC services and I want to know how the licenses work for this service. Will ISE count a license for each guest user connected?
    also I have another question regarding WAN latency between personas. What's the MAX?
    Thanks in advance,
    Elyinn.-

    Elyinn,
    Yes, each Guest User counts against the license.  Here is a snippet from the link that was given earlier:
    "License Count
    The Cisco ISE license is counted as follows:
    A Base or Advanced license is consumed based on the feature that is utilized.
    An endpoint with multiple network connections can consume more than one license per MAC address. For example, a laptop connected to wired and also to wireless at the same time. Licenses for VPN connections are based on the IP address.
    Licenses are counted against concurrent, active sessions. An active session is one for which a RADIUS Accounting Start is received but RADIUS Accounting Stop has not yet been received."
    As you can see, a single device can consume more than 1 license depending on the features you have set on your network.
    As far as Max Latency between WAN Links, that number is 200ms.  Anything longet than than can result in drops or corruption in packets.
    I hope this helps.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • Cisco ISE - cannot reach Guest Portal

    Hi all,
    I have a Cisco ISE server, which is installed on a VMWare plattform. On the ISE server, I configured 2 network cards. One for the Corporate network ( Gigabit Ethernet 0) and one for the Guests (Gigabit Ethernet 1). Because I had problems, I put a client into the Guest VLAN (Wired) and tried to access the guest portal which was not working.
    I recognized that the port 8443 for the guest portal is blocked. But I was able to ping the address, and the port 443 and 22 are open as well. On the Gigabit Ethernet 0 network everything works.
    All interfaces are activated at the Web Portal Management Settings, for the ports 8443 and 8444.
    Anybody an idea??
    T&R
    Frank

    Please use the below ISE- guest URL redirection tshoot doc. below
    http://www.cisco.com/en/US/docs/security/ise/1.2/troubleshooting_guide/ise_tsg.html

  • ISE 1.3 Guest account Activate

    Hi,
    Has anyone worked with ISE 1.3 with creating guest accounts using sponsor portal.?.
    Our issue is that whenever we create new guest account using sponsor portal the account is shown as "Created" not as "Active". When we try to use the same account in guest portal it gives authentication failed and shows as "account is not yet active" in ISE report. (please see the attached file)
    Can anyone tell how to make new account active or why it shown as "created" not as "active"?
    thanks in advance.

    Hi there,
    I am having the exact same problem with my ISE 1.3 deployment after upgrading from 1.2 to 1.3 .
    The issue seems to relate to timezones (as a lot of ISE problems do!) .
    The issue relates to settings under Guest Access -> Settings ->Guest Locations and SSID . You should have defined a location local to you, for me it is 'Southampton, Europe/ London', the San Jose entry cannot be removed.
    There should be an option to select timezone in the Sponsor Portal but it is missing so defaults to 'San Jose'. This causes a time-zone mis-match between between the account itself and the SSID location.
    However if you create a guest account using the admin GUI: Guest Access -> Manage Accounts, although you still cannot select the timezone it will choose the correct one for the SSID and you will then be able to use the account via the Guest Portal. I don't know what would happen if you had a second SSID and alternative location, it would probably be totally broken!
    I have raised this issue with TAC three weeks ago, and had a webex with the Business Unit last week. They saw the issue and took some debug logs, all very helpful people, but the problem is still unresolved.
    cheers,
    Seb.

  • Cisco ISE 1.1 Guest Portal Services

    Do you have to have separate ISE appliances or VM clusters to have have 2 separate "Guest Portal" services?
    I have two sites that have their own equipment (Arizona / Illinois):
    - Cisco ISE Server
    - Cisco Wireless LAN Controller
    - Cisco Wireless Anchor Controller
    - Cisco ASA
    My understanding is that I'd need to have the ISE boxes running in "STAND ALONE" mode in order to have two separate "Guest Networks / Portal".
    Thanks in advance!!!

    Hi,
    Each Cisco ISE policy services node can run a guest portal also if they run in one deployment.
    Depending on the way you mean "separate", your requirement can be met in one deployment or in two stand alone deployments.
    Depending on your approach you need four Cisco ISE machines to build the in "one deployment" option.
    2 Admin/Monitoring Nodes (Admin is Active/Standby, Monitoring is Active/Active) and two Policy Services Nodes (RADIUS Servers).  Both Policy Services Nodes can run the guestportal. The configuration of the WLC determines which Policy Services Node is being used. ISE use RADIUS URL redirect is used to redirect to it's own guest portal.
    Hope that helps.

  • Cisco ISE Process Flow with Active Directory

    Hi guys,
    Today I did a lab and see this note at Authentication Policy Interface. This note is:
    Note: For authentications using PEAP, LEAP, EAP-FAST or RADIUS MSCHAP it is not possible to continue processing when authentication fails or user is not found. If continue option is selected in these cases, requests will be rejected.
    Then I thought that the best way to configure authetication policy for Flex Auth: Dot1x (with Active Directory) > MAB (Internal Endpoint) > CWA (Guest and other user) will be using EAP-TLS authentication protocol.
    Is this possible using another protocol instead of EAP-TLS (which is required client certificate has already been installed)? Would you mind helping me to reslove the problem? And the network authentication method at end user side will be?
    Any help will be much appreciated.

    Please refer the Supported Authentication Protocols ( including PEAP )  , database and authentication types from below
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_auth_pol.html#pgfId-1266680

Maybe you are looking for