SmartZone 100 and Palo Alto IP address to user name (User-ID) mapping

Updated 1 month ago
Hi,

I know that this can be achieved with a ZoneDirector, however I am struggling to make this work with my SmartZone 124 controllers.

I need to be able to forward authentication events that include both the authenticated client's username and their IP address to my Palo Alto firewall when a user successfully logs on to our wireless networks. All authentications are handled via a Network Policy Server and 802.1X authentication.

Once the event is sent to the firewall, I need to be able to create a Syslog filter to parse the authentication event so that the user can have their username and IP address mapped via Palo Alto's User-ID functionality.

I have so far been unable to see any event that includes both the user's username and IP address while monitoring the events on a Syslog server. Again, I know that this can be done with a ZoneDirector, however I am now using a SmartZone 124 controller.

Has anyone been able to successfully do this?

Thanks in advance!
PSSD 210

Posted 3 years ago

PSSD 210
So after a call with Ruckus, I was informed that this functionality was stripped from the SmartZone 100 controllers "by design" and "all I needed to do" was purchase CloudPath and pay for per-user licensing to get username and IP addresses on client join events.

I am not the only one looking for this functionality; it has apparently been submitted by numerous organizations and is currently classified as a Feature Request. Given that "all I need to do" is pay for CloudPath and the problem is solved, I highly doubt this Feature Request will ever be implemented in the SmartZone 100 controllers.

A quick look shows CloudPath licensing at around $36.99 per user at full retail price. This doesn't include the cost to purchase CloudPath licenses and whatever additional costs there may be associated with that. Needless to say, it is horrendously cost prohibitive in an environment of around 2000 connected end users at any given time when you already have the systems in place to manage your BYOD and enterprise wifi networks.

This was functionality that was native in the ZoneDirector 3000, which to my understanding the SmartZone controllers are replacing. By appearances Ruckus now expects us to pay through the nose for this functionality via CloudPath.

Well done Ruckus....  Well done.  <slow clap>
Lukas
Hi,

I was in a similar situation and my local representative recommended this script to me (in case you are using Windows Server):
https://github.com/cesanetwan/uid-radius-script-ps/wiki

This script is basically triggered every time an NPS login occurs. As the real username and MAC address are available in this login event, it searches for a corresponding DHCP lease and then transmits the result to the Palo Alto via the API.
I guess it would be possible to port this script to Linux and get the MAC->IP mapping from the SmartZone API (to make this script universally usable for Ruckus). However, in my environment this was not necessary.

Hope it helps. :)
PSSD 210

Thanks for the reply, Lukas :)

I have tried using this script in the past, and unfortunately, due to the number of logon / logoff events happening throughout our organization at any given time (roughly 2000 wireless users, 75% of them BYOD), it brought our DHCP servers to their knees within 5 minutes of enabling the scheduled task. The XML API is not efficient enough and therefore unsuitable for our environment, given that every logon event triggers a search in the DHCP pool to find the corresponding IP address for that MAC address. Perhaps your environment is different, but in our environment the XML API is not a viable option.

I am working with Ruckus' System Engineers to try to have this feature re-implemented, however I am not holding much hope at this point.

Have a great day!

Timothy Cummings
I also would like this feature reinstated. As a prior customer of CloudPath, we steered away from it, as it was not the best experience for our clients, and it did not justify the huge cost.
ICT Corpus Christi College
I have been in contact with Ruckus who have now fixed the syslog bug so it works correctly!

The Palo Alto regex I am using is the following:
Device > User Identification > Palo Alto Networks User-ID Agent Setup (the tiny cog on the top right) > Syslog Filters
Type: Regex Identifier
Event Regex: (?=.*clientInfoUpdate)(.*"ssid"="YourWirelessSSID")(.*"clientIP"=")
Username Regex: "userName"="([a-zA-Z0-9.\-\_\\]+)
Address Regex: "clientIP"="(\b(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\b)

You can also remove the requirement for a specific SSID by using the following:
Event Regex: (?=.*clientInfoUpdate)(.*"clientIP"=")

Don't forget to turn on "Allow matching usernames without domains" for the Palo Alto to allow it to digest logins without the domain if you use RADIUS for auth.
On the Palo Alto you turn on the following:
Device > User Identification > Palo Alto Networks User-ID Agent Setup (the tiny cog on the top right) > Cache > Allow matching usernames without domains (tick box)

Server Monitor also needs to be set up:
Add it under Device > User Identification > Server Monitor
Type: Syslog Sender
Network Address: IP of the SmartZone controller
Connection: UDP
Add the Ruckus Regex under "Syslog Parse Profile"

The SmartZone Controller has the following settings:
System > General Settings > Syslog
Enable Syslog
Primary Syslog: Palo Alto Management interface IP (the default for user auth)
Port: 514
Protocol: UDP

Event Filter: All Events above a severity
Event Filter Severity: Informational
Jimmy Ballentine
I have been having the same issue and neither support team could help. I tried your solution and I got nada.
I'm using a PA-5250 with 8.1.3
SZ Essentials 5.1.2.0.302

Any other suggestions?
PSSD 210
I am currently testing ICT's suggestion to see if it more accurately captures UserID events so I have no comment on whether or not it works at this time.

However, I did have reasonable success with the following filter. I am running a PA-3020 on 8.1.12, and a SZ-100 on 3.6.2.0.222. I have avoided the 5.x release like the plague due to stability issues, which is possibly related to the issues you are having; difficult to say.

Regardless, here's what I have used:

Event Regex: @@206,clientAuthorization,

Username Regex: "userName"="([a-zA-Z0-9\-]+\.[a-zA-Z0-9\-]+)(?:@[insert your domain here]\.[insert .com, .ca, whatever your tld is here])?"

Address Regex: "clientIP"="([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"

Note the bracketed portions above: insert your domain and your TLD where the placeholders are, making sure not to include the opening and closing brackets as well.

Your mileage with this may vary, but if nothing is working for you now it's worth a shot. I know that Ruckus seems to change the event to look for with every firmware release. This has worked fairly well for me for the entire 3.6.x release.
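As a defender-side check that is not part of any post in this thread, the following Python script (added here, not written by any of the posters or by Ruckus or Palo Alto) applies the two filter sets quoted above, ICT Corpus Christi College's clientInfoUpdate filter and PSSD 210's clientAuthorization filter, to constructed sample syslog lines, so the regexes can be validated against lines captured from your own syslog server before they go into a Syslog Parse Profile. The sample lines, the key="value" field layout, the hostname `sz100`, the SSID `CorpWiFi` and the domain `example.com` are assumptions standing in for the placeholders in the posts; the `@@206` event number comes from PSSD 210's post. It also exercises the two failure modes the thread mentions: a clientAuthorization event with a username but no clientIP, and a username that arrives with a doubled backslash.

```python
import re

# Constructed sample syslog lines. The key="value" layout is an assumption made for this
# example, not captured SmartZone output; check your own controller's lines before relying
# on any of these patterns. One line per case raised in the thread: a clientAuthorization
# event, a clientInfoUpdate event, a roaming event with no clientIP, and a username that
# arrives with a doubled backslash.
SAMPLE_LINES = [
    '<134>Jan  1 12:00:00 sz100 @@206,clientAuthorization,"apMac"="aa:bb:cc:dd:ee:01",'
    '"clientMac"="11:22:33:44:55:66","ssid"="CorpWiFi","userName"="jane.doe@example.com",'
    '"clientIP"="10.20.30.40"',
    '<134>Jan  1 12:00:05 sz100 clientInfoUpdate,"clientMac"="11:22:33:44:55:66",'
    '"ssid"="CorpWiFi","userName"="EXAMPLE\\jdoe","clientIP"="10.20.30.41"',
    '<134>Jan  1 12:00:09 sz100 @@206,clientAuthorization,"apMac"="aa:bb:cc:dd:ee:02",'
    '"clientMac"="11:22:33:44:55:77","ssid"="CorpWiFi","userName"="roaming.user"',
    '<134>Jan  1 12:00:12 sz100 clientInfoUpdate,"clientMac"="11:22:33:44:55:88",'
    '"ssid"="CorpWiFi","userName"="EXAMPLE\\\\bsmith","clientIP"="10.20.30.42"',
]

# The two filter sets posted in the thread. "CorpWiFi" and "example.com" stand in for
# the SSID and domain placeholders in the original posts.
PROFILES = {
    "clientInfoUpdate": {  # ICT Corpus Christi College's filter
        "event": r'(?=.*clientInfoUpdate)(.*"ssid"="CorpWiFi")(.*"clientIP"=")',
        "user": r'"userName"="([a-zA-Z0-9.\-\_\\]+)',
        "addr": r'"clientIP"="(\b(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}'
                r'(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\b)',
    },
    "clientAuthorization": {  # PSSD 210's filter
        "event": r'@@206,clientAuthorization,',
        "user": r'"userName"="([a-zA-Z0-9\-]+\.[a-zA-Z0-9\-]+)(?:@example\.com)?"',
        "addr": r'"clientIP"="([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"',
    },
}


def extract_mapping(line, profile):
    """Apply one filter set the way a syslog parse profile does: the event regex gates the
    line, then the username and address regexes each need a capture to produce a mapping."""
    if not re.search(profile["event"], line):
        return {"status": "ignored"}  # not an event this filter cares about
    user = re.search(profile["user"], line)
    addr = re.search(profile["addr"], line)
    if not user or not addr:
        # Both fields are required; the roaming case from the thread lands here.
        return {"status": "incomplete",
                "user": user.group(1) if user else None,
                "ip": addr.group(1) if addr else None}
    result = {"status": "mapped", "user": user.group(1), "ip": addr.group(1)}
    if "\\\\" in result["user"]:
        # The thread reports org\\user arriving instead of org\user; flag it so it
        # can be investigated rather than silently becoming an unknown user.
        result["warning"] = "doubled backslash in domain prefix"
    return result


def run_all(lines=SAMPLE_LINES, profiles=PROFILES):
    """Return {profile name: [result per line]} so the two filter sets can be compared."""
    return {name: [extract_mapping(line, prof) for line in lines]
            for name, prof in profiles.items()}


if __name__ == "__main__":
    for name, results in run_all().items():
        print(f"== {name} ==")
        for res in results:
            print(f"  {res['status']:<10} {res.get('user')!s:<18} "
                  f"{res.get('ip')!s:<14} {res.get('warning', '')}")
```

Replace SAMPLE_LINES with lines copied from your own syslog server and re-run; a line that comes back "ignored" under both profiles is one the firewall will never map. Note that the clientInfoUpdate username class contains no `@`, so a UPN-style name is captured only up to the `@`, which is why that post pairs the filter with "Allow matching usernames without domains".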
Jimmy Ballentine
I got it!!!
Go to Device > Server Profiles > Syslog
Add a profile and add server within profile with the Facility at LOG_LOCAL0
Then go back to Device > User Identification > Palo Alto Networks User-ID Agent Setup and go to Server Monitor tab.
Change the Syslog listener setting to the service profile you created.
Jimmy Ballentine
Thank you for getting the regexes!!!!
ICT Corpus Christi College
These are my current settings for syslog.
I am running 5.1.2.0.302 and it's working with ClientInfoUpdate.
The clientAuthorization does give the IP and username, but when roaming between APs you will occasionally have scenarios where the username is there but no IP address.
Just something to watch out for.

Jimmy Ballentine
So, to update from my last post.

This works, most of the time. I have noticed that some of my users are not being seen correctly by the firewall from the syslog. I am getting org\\user instead of org\user and the PA drops that past my unknown user to the bottom of the security rules.

To resolve this I am using both of the suggestions here and it seems to be working better, but still seeing the double \\.

Going to toss this one to PA.
Jimmy Ballentine
Update again. Ruckus has been able to replicate this issue internally and have escalated it to engineering. (Bug ID ER-8120).