How to integrate between Ruckus and Palo Alto

  • Updated 3 years ago
Hi everyone,

I have a problem with how to integrate Ruckus and Palo Alto.

The Palo Alto needs the Ruckus syslog messages, which should contain the IP and username, for creating the policy. I tried to set Ruckus to send syslog to Palo Alto, but the syslog messages contain the username and MAC address.

Do you have any idea how to set the Ruckus to send the IP and username in the syslog message, or if you have any other way of integrating them, please advise me.
Teeraphol Sukprapaipat

Posted 3 years ago
Miko
I actually looked into this a while ago and I believe the correct solution would be to have Palo Alto implement RADIUS accounting SSO. We have a SonicWall that does this and several other vendors offer similar capabilities, but Palo Alto does not :-(. When I was in talks with them they said that the only way this would be possible was to have one of their solution providers come up with a solution. I am guessing they would just come up with a RADIUS accounting to syslog translator, which you can most likely do yourself if you want using FreeRADIUS.

I would recommend asking Palo Alto to implement RADIUS accounting SSO. Hopefully, if enough people ask, they will add that feature. If they ask, you can tell them that this is one of the reasons why we stopped looking at them.
Bill Burns, AlphaDog
Teeraphol:

I'm not aware (offhand) of a way for a PaloAlto firewall to consume syslog information.

What are you trying to achieve?
PaloAlto has Active Directory (and other?) integration features that help it determine what user is using which computer.
(in case you want to use PaloAlto user-based ACLs?)

Are your users not using Active Directory?
If that's the case, you may be able to configure the Ruckus for Radius authentication and use an AD machine as your radius server.

If that doesn't solve your problem, please provide more detail re: what your goals are.
Nick Khor
I believe his goal is to find out the domain-user-authenticated device, not the domain-hardware-authenticated device.

For example, a domain user's Android is authenticated; he is on the network and got an IP. But the ZD doesn't know the Android's IP and PAN-OS can't recognize the Android's username.
Odilo Junior
It is really simple actually.
After 9.8 you are able to get the user login and IP from the syslog information, so you just need to forward the syslog from the ZD to the PA management IP (remember to enable the syslog listener on the interface) or to a machine running the Palo Alto User-ID agent, in the case of 802.1X.

In case you are using AD auth, you can simply install and run the PA User-ID agent on your AD server.

Of course, in both cases you need to configure your PA to receive information from the agents or syslog event filters.

It works pretty well!
Nick Khor
Hello, I forwarded the syslog from the ZD to the PA's management IP (the syslog listener was enabled), but where do I configure the syslog event filter?
Nick Khor
I don't think the ZD recognizes the RADIUS-authenticated user's IP.
The ZD only recognizes the MAC address and username; the username is tied to the MAC address even in the event logs, and the CLI command "show current-active-client" doesn't tell you any information about the IP address.

While the RADIUS authentication is happening, in that context, there is no IP recognition involved between the client, the ZD and the RADIUS server.

So, my point is, if the ZD itself can't recognize the authenticated user's IP and provides insufficient information, how can PAN-OS recognize it?

Please correct/advise me if I'm wrong. Feel free to email me too, [email protected].
Thanks.
Odilo Junior
Hey Nick,

Actually, after 9.8, if you enable the Client Association option under "Debug Logs", the ZD starts to log the client association with some messages containing the client login information and IP, even if it uses RADIUS or Captive Portal.

Don't forget to enable syslog forwarding on the ZD to the PA's MGMT IP or the User-ID agent IP.

I don't recall the exact message, but I discovered it using an external syslog (on Linux) receiving the messages. Do a grep filtering for "sta_name" or "operation=add".

At the PA you need to enable the MGMT interface to receive the messages and then create a syslog filter under "Device" -> "User Identification" -> tab "User Mapping": click on the little engine in the right corner, and then the tab Syslog Filters (hidden, right?).

There you can create a regex filter to recognize those messages.
Here we created a filter like this:
Type: Regex Identifier
Event Regex: operation=(update|add){1}
Username Regex: sta_name(?:=.*\\|=)([0-9]+); (our users' logins are just numbers)
Address Regex: sta_ip=(10\.[0-9]+\.[0-9]+\.[0-9]+);

And you need to add a Server Monitoring entry on the PA as well for the ZD, right below on the User Mapping tab.

It worked for us configuring it on the PA, but we wanted it better.

As I said, after we tested that and were sure that the PA was identifying the user authentication, we implemented an external PA User-ID agent to receive the messages from the ZoneDirector and configured the same filter on it. With that, our PA's mgmt interface doesn't need to listen to all those syslog messages and just gets the information the PA needs, already filtered by the agent.

Cheers.
PS: Sorry for the delay, I was on vacation!
Nick Khor
Hello Odilo,

Thanks for the tips. Late is better than never ;)

I found this in the syslog:
"Jan 14 08:43:47 stamgr: stamgr_send_log_v4():operation=add;seq=3;sta_ip=192.168.XX.XX;sta_mac=a0:88:69:XX:XX:XX;zd/ap=6c:aa:b3:XX:XX:XX/84:18:3a:XX:XX:XX;sta_ostype=Windows 7/Vista;sta_name=host/LP-XXX.Domain.local;stamgr_handle_remote_ipc "

operation=add;
sta_ip=192.168.XX.XXX;
sta_name=host/LP-XXX.Domain.local;
---

That was a computer authentication log; the user authentication log did not appear in the syslog, I will need some time to check it out.
Btw, thanks for your guide!
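As an added example (not code from any poster in this thread), the script below applies the three filter regexes Odilo posted to constructed stamgr lines in the format Nick quoted, showing which lines would give the PA or User-ID agent a user-to-IP mapping and which would not: the host/ machine account Nick found, an operation=del event, and a 192.168.x client that the 10/8-only address regex rejects.

```python
import re

# The three PAN-OS syslog-filter regexes exactly as posted in the thread; the
# username regex assumes purely numeric logins and the address regex only
# accepts clients in 10.0.0.0/8 (Odilo's environment, not a general rule).
EVENT_RE = re.compile(r"operation=(update|add){1}")
USER_RE = re.compile(r"sta_name(?:=.*\\|=)([0-9]+);")
ADDR_RE = re.compile(r"sta_ip=(10\.[0-9]+\.[0-9]+\.[0-9]+);")

# Constructed sample lines in the stamgr_send_log_v4() format Nick quoted (values made up).
SAMPLE_SYSLOG = [
    # numeric user login -> mapping learned
    "Jan 14 08:43:47 stamgr: stamgr_send_log_v4():operation=add;seq=3;sta_ip=10.20.30.40;"
    "sta_mac=a0:88:69:11:22:33;sta_ostype=Android;sta_name=12345;stamgr_handle_remote_ipc",
    # DOMAIN\user login -> the (?:=.*\\|=) branch drops the domain prefix
    "Jan 14 08:44:01 stamgr: stamgr_send_log_v4():operation=update;seq=4;sta_ip=10.20.30.41;"
    "sta_mac=a0:88:69:44:55:66;sta_ostype=Windows 10;sta_name=CORP\\67890;stamgr_handle_remote_ipc",
    # machine authentication as in Nick's log -> username regex rejects host/...
    "Jan 14 08:45:10 stamgr: stamgr_send_log_v4():operation=add;seq=5;sta_ip=10.20.30.42;"
    "sta_mac=a0:88:69:77:88:99;sta_name=host/LP-001.Domain.local;stamgr_handle_remote_ipc",
    # disassociation -> event regex rejects operation=del, nothing is learned
    "Jan 14 08:46:00 stamgr: stamgr_send_log_v4():operation=del;seq=6;sta_ip=10.20.30.40;"
    "sta_mac=a0:88:69:11:22:33;sta_name=12345;stamgr_handle_remote_ipc",
    # client on 192.168.x (Nick's network) -> address regex rejects it
    "Jan 14 08:47:00 stamgr: stamgr_send_log_v4():operation=add;seq=7;sta_ip=192.168.1.50;"
    "sta_mac=a0:88:69:aa:bb:cc;sta_name=24680;stamgr_handle_remote_ipc",
]


def extract_mapping(line):
    """Return (username, ip) when all three filters match, i.e. when the PA
    or User-ID agent would learn a mapping from this line; else None."""
    if not EVENT_RE.search(line):
        return None
    user = USER_RE.search(line)
    addr = ADDR_RE.search(line)
    if not user or not addr:
        return None
    return user.group(1), addr.group(1)


def build_user_map(lines):
    """Fold ZD syslog lines into an ip -> username table, last write wins."""
    mapping = {}
    for line in lines:
        result = extract_mapping(line)
        if result is not None:
            user, ip = result
            mapping[ip] = user
    return mapping
```

Running it over a capture of your own ZD syslog before committing the filter on the PA shows quickly whether the address regex needs to be widened to your client subnets.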
Odilo Junior
Good!

We did some filtering on RADIUS as well, to permit only user + password authentication, so we don't have our domain machines authenticating there. That way we can "assure" (ok, maybe 99.99% of the time) that the user authenticating is the real user, not just a machine that could be used by someone else.

No problem, glad I can help :)
Good luck!

Cheers.