SmartZone 100 and Palo Alto IP address to user name (User-ID) mapping

Hi,

I know that this can be achieved with a ZoneDirector, however I am struggling to make this work with my SmartZone 124 controllers.

I need to be able to forward authentication events that include both the authenticated client's username as well as their IP address to my Palo Alto firewall when a user successfully logs on to our wireless networks.  All authentications are handled via a Network Policy server and 802.1x authentication.

Once the event is sent to the firewall, I need to be able to create a Syslog filter to parse the authentication event so that the user can have their username and IP address mapped via Palo Alto's User-ID functionality.

I have so far been unable to see any event that includes both the user's username as well as IP address while monitoring the events on a Syslog server.  Again, I know that this can be done with a ZoneDirector however I am now using a SmartZone 124 controller.

Has anyone been able to successfully do this?

Thanks in advance!
PSSD 210

Posted 3 months ago
PSSD 210
So after a call with Ruckus, I was informed that this functionality was stripped from the SmartZone 100 controllers "by design" and "all I needed to do" was purchase CloudPath and pay for per-user licensing to get username and IP addresses on client join events.

I am not the only one looking for this functionality, it has apparently been submitted by numerous organizations and is currently classified as a Feature Request.  Given that "all I need to do" is pay for CloudPath and the problem is solved, I highly doubt this Feature Request will ever be implemented in the SmartZone 100 controllers.

A quick look shows CloudPath licensing at around $36.99 per user at full retail price.  This doesn't include the cost to purchase CloudPath licenses and whatever additional costs there may be associated to that.  Needless to say, it is horrendously cost prohibitive when in an environment of around 2000 connected end users at any given time when you already have the systems in place to manage your BYOD and enterprise wifi networks.

This was functionality that was native in the ZoneDirector 3000, which to my understanding the SmartZone controllers are replacing.  By appearances Ruckus now expects us to pay through the nose for this functionality via CloudPath.

Well done Ruckus....  Well done.  <slow clap>
Lukas
Hi,

I was in a similar situation and my local representative recommended this script to me (in case you are using Windows Server):
https://github.com/cesanetwan/uid-radius-script-ps/wiki

This script is basically triggered every time an NPS login occurs. As the real username and MAC address are available in this login event, it searches for a corresponding DHCP lease and then transmits the result to the Palo Alto via the API.
I guess it would be possible to port this script to Linux and get the MAC->IP mapping from the SmartZone API (to make this script universally usable for Ruckus). However, in my environment this was not necessary.

Hope it helps. :)
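A runnable sketch of the pipeline Lukas describes (NPS event supplies username and MAC, a DHCP lease lookup supplies the IP, the pair is pushed to Palo Alto's User-ID XML API), added here as an example; it is not the script from the linked repository nor anything from Ruckus or Palo Alto. The lease table, MAC addresses and events are constructed, and the MAC->IP answer is cached so that repeated logins from the same client do not each query DHCP.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed DHCP lease table (hypothetical MACs and addresses). In the
# linked script this lookup is a live query against the DHCP server.
DHCP_LEASES = {
    "aa:bb:cc:dd:ee:01": "10.20.30.41",
    "aa:bb:cc:dd:ee:02": "10.20.30.42",
}

def normalize_mac(mac: str) -> str:
    """NPS writes MACs as AA-BB-CC-DD-EE-01, DHCP tools vary; canonicalize."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

class MacIpResolver:
    """Resolve MAC -> IP from DHCP leases, caching answers so a burst of
    logon events for the same client costs one DHCP query, not one each."""
    def __init__(self, leases: dict):
        self._leases, self._cache, self.dhcp_queries = leases, {}, 0

    def lookup(self, mac: str) -> Optional[str]:
        key = normalize_mac(mac)
        if key not in self._cache:
            self.dhcp_queries += 1            # the expensive call
            self._cache[key] = self._leases.get(key)
        return self._cache[key]

def build_uid_message(logins, timeout_min: int = 20) -> str:
    """Build the <uid-message> XML that Palo Alto's User-ID API accepts;
    it is POSTed as the 'cmd' parameter to /api/?type=user-id&key=<API key>."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for user, ip in logins:
        ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout_min))
    return ET.tostring(root, encoding="unicode")

def map_nps_events(events, resolver: MacIpResolver):
    """events: (username, MAC) pairs taken from NPS access-granted events
    (constructed here). Returns (mapped logins, events with no lease)."""
    logins, unresolved = [], []
    for user, mac in events:
        ip = resolver.lookup(mac)
        (logins if ip else unresolved).append((user, ip) if ip else (user, mac))
    return logins, unresolved
```

Events with no matching lease are returned separately rather than dropped, so a client that authenticated before DHCP handed out an address can be retried on the next run.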
PSSD 210

Thanks for the reply Lukas :)

I have tried using this script in the past, and unfortunately due to the number of logon / logoff events happening throughout our organization at any given time - roughly 2000 wireless users, 75% of them BYOD - it brought our DHCP servers to their knees within 5 minutes of enabling the scheduled task. The XML API is not efficient enough and therefore unsuitable for our environment, given that every logon event triggers a search in the DHCP pool to find the corresponding IP address for that MAC address. Perhaps your environment is different, but in our environment the XML API is not a viable option.

I am working with Ruckus' System Engineers to try to have this feature re-implemented; however, I am not holding much hope at this point.

Have a great day!