<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How to integrate between Ruckus and Palo Alto in ZoneDirector</title>
    <link>https://community.ruckuswireless.com/t5/ZoneDirector/How-to-integrate-between-Ruckus-and-Palo-Alto/m-p/8558#M1632</link>
    <description>It is really simple actually. 
&lt;BR /&gt;
After 9.8 you are able to get the user login and IP from the syslog information. So you just need to forward the syslog from ZD to the PA management IP (remember to enable the Syslog listener on the iface) or to a machine running the Palo Alto User-ID agent. In case of 802.1x.
&lt;BR /&gt;&lt;BR /&gt;
In case you are using AD auth, you can simply install and run the PA User-ID on your AD server.
&lt;BR /&gt;&lt;BR /&gt;
Of course, in both cases you need to configure your PA to receive information from the agents or syslog event filters.
&lt;BR /&gt;&lt;BR /&gt;
It works pretty well!</description>
    <pubDate>Fri, 05 Dec 2014 19:25:57 GMT</pubDate>
    <dc:creator>dilojunior</dc:creator>
    <dc:date>2014-12-05T19:25:57Z</dc:date>
    <item>
      <title>How to integrate between Ruckus and Palo Alto</title>
      <link>https://community.ruckuswireless.com/t5/ZoneDirector/How-to-integrate-between-Ruckus-and-Palo-Alto/m-p/8555#M1629</link>
      <description>Hi everyone,
&lt;BR /&gt;&lt;BR /&gt;
I have a problem with how to integrate Ruckus and Palo Alto.
&lt;BR /&gt;&lt;BR /&gt;
The Palo Alto needs the Ruckus syslog message, which contains the IP and username, for creating the policy. I tried to set Ruckus to send the syslog to Palo Alto, but the syslog messages contain the username and MAC address.
&lt;BR /&gt;&lt;BR /&gt;
Do you have any idea how to set the Ruckus to send the IP and username in the syslog message? Or if you have any way for integration, please advise me.</description>
      <pubDate>Sat, 11 Oct 2014 16:23:03 GMT</pubDate>
      <guid>https://community.ruckuswireless.com/t5/ZoneDirector/How-to-integrate-between-Ruckus-and-Palo-Alto/m-p/8555#M1629</guid>
      <dc:creator>teeraphol_sukpr</dc:creator>
      <dc:date>2014-10-11T16:23:03Z</dc:date>
    </item>
    <item>
      <title>Re: How to integrate between Ruckus and Palo Alto</title>
      <link>https://community.ruckuswireless.com/t5/ZoneDirector/How-to-integrate-between-Ruckus-and-Palo-Alto/m-p/8556#M1630</link>
      <description>I actually looked into this a while ago and I believe the correct solution would be to have Palo Alto implement Radius accounting SSO.  We have a Sonicwall that does this and several other vendors offer similar capabilities but Palo Alto does not :-(.  When I was in talks with them they said that the only way this would be possible was to have one of their solution providers come up with a solution.  I am guessing they would just come up with a Radius accounting to syslog translator, which you can most likely do yourself if you want using Freeradius.
&lt;BR /&gt;&lt;BR /&gt;
I would recommend asking Palo Alto to implement Radius accounting SSO.  Hopefully if enough people ask they will add that feature.  If they ask you can tell them that this is one of the reasons why we stopped looking at them.</description>
      <pubDate>Sun, 12 Oct 2014 22:43:16 GMT</pubDate>
      <guid>https://community.ruckuswireless.com/t5/ZoneDirector/How-to-integrate-between-Ruckus-and-Palo-Alto/m-p/8556#M1630</guid>
      <dc:creator>michael_brown_5</dc:creator>
      <dc:date>2014-10-12T22:43:16Z</dc:date>
    </item>
    <item>
      <title>Re: How to integrate between Ruckus and Palo Alto</title>
      <link>https://community.ruckuswireless.com/t5/ZoneDirector/How-to-integrate-between-Ruckus-and-Palo-Alto/m-p/8557#M1631</link>
      <description>Teeraphol:
&lt;BR /&gt;&lt;BR /&gt;
I'm not aware (offhand) of a way for a PaloAlto firewall to consume syslog information.
&lt;BR /&gt;&lt;BR /&gt;
What are you trying to achieve?
&lt;BR /&gt;
PaloAlto has Active Directory (and other?) integration features that help it determine what user is using which computer.
&lt;BR /&gt;
(in case you want to use PaloAlto user-based ACLs?)
&lt;BR /&gt;&lt;BR /&gt;
Are your users not using Active Directory?
&lt;BR /&gt;
If that's the case, you may be able to configure the Ruckus for Radius authentication and use an AD machine as your radius server.
&lt;BR /&gt;&lt;BR /&gt;
If that doesn't solve your problem, please provide more detail re: what your goals are.</description>
      <pubDate>Tue, 14 Oct 2014 16:36:01 GMT</pubDate>
      <guid>https://community.ruckuswireless.com/t5/ZoneDirector/How-to-integrate-between-Ruckus-and-Palo-Alto/m-p/8557#M1631</guid>
      <dc:creator>bill_burns_6069</dc:creator>
      <dc:date>2014-10-14T16:36:01Z</dc:date>
    </item>
    <item>
      <title>Re: How to integrate between Ruckus and Palo Alto</title>
      <link>https://community.ruckuswireless.com/t5/ZoneDirector/How-to-integrate-between-Ruckus-and-Palo-Alto/m-p/8558#M1632</link>
      <description>It is really simple actually. 
&lt;BR /&gt;
After 9.8 you are able to get the user login and IP from the syslog information. So you just need to forward the syslog from ZD to the PA management IP (remember to enable the Syslog listener on the iface) or to a machine running the Palo Alto User-ID agent. In case of 802.1x.
&lt;BR /&gt;&lt;BR /&gt;
In case you are using AD auth, you can simply install and run the PA User-ID on your AD server.
&lt;BR /&gt;&lt;BR /&gt;
Of course, in both cases you need to configure your PA to receive information from the agents or syslog event filters.
&lt;BR /&gt;&lt;BR /&gt;
It works pretty well!</description>
      <pubDate>Fri, 05 Dec 2014 19:25:57 GMT</pubDate>
      <guid>https://community.ruckuswireless.com/t5/ZoneDirector/How-to-integrate-between-Ruckus-and-Palo-Alto/m-p/8558#M1632</guid>
      <dc:creator>dilojunior</dc:creator>
      <dc:date>2014-12-05T19:25:57Z</dc:date>
    </item>
    <item>
      <title>Re: How to integrate between Ruckus and Palo Alto</title>
      <link>https://community.ruckuswireless.com/t5/ZoneDirector/How-to-integrate-between-Ruckus-and-Palo-Alto/m-p/8559#M1633</link>
      <description>Hello, I forwarded the syslog from ZD to PA's Management IP (the syslog listener was enabled), but where do I configure the syslog event filter?</description>
      <pubDate>Mon, 22 Dec 2014 04:24:24 GMT</pubDate>
      <guid>https://community.ruckuswireless.com/t5/ZoneDirector/How-to-integrate-between-Ruckus-and-Palo-Alto/m-p/8559#M1633</guid>
      <dc:creator>nick_khor</dc:creator>
      <dc:date>2014-12-22T04:24:24Z</dc:date>
    </item>
    <item>
      <title>Re: How to integrate between Ruckus and Palo Alto</title>
      <link>https://community.ruckuswireless.com/t5/ZoneDirector/How-to-integrate-between-Ruckus-and-Palo-Alto/m-p/8560#M1634</link>
      <description>I don't think the ZD recognizes the radius authenticated user's IP.
&lt;BR /&gt;
ZD only recognizes the MAC address and Username; the Username is tied to the MAC address even in the event logs, and the CLI command "show current-active-client" doesn't tell you any information about the IP address.
&lt;BR /&gt;&lt;BR /&gt;
While the radius authentication is happening, in that context, there is no IP recognition involved between client, ZD and radius server.
&lt;BR /&gt;&lt;BR /&gt;
So, my point is, if ZD itself can't recognize the authenticated user's IP and provides insufficient information, how can the PanOS recognize it?
&lt;BR /&gt;&lt;BR /&gt;
Please correct/advise me if I'm wrong. Feel free to email me too, &lt;A href="mailto:nick_khor@hotmail.com" rel="nofollow"&gt;nick_khor@hotmail.com&lt;/A&gt;.
&lt;BR /&gt;
Thanks.</description>
      <pubDate>Tue, 23 Dec 2014 01:30:41 GMT</pubDate>
      <guid>https://community.ruckuswireless.com/t5/ZoneDirector/How-to-integrate-between-Ruckus-and-Palo-Alto/m-p/8560#M1634</guid>
      <dc:creator>nick_khor</dc:creator>
      <dc:date>2014-12-23T01:30:41Z</dc:date>
    </item>
    <item>
      <title>Re: How to integrate between Ruckus and Palo Alto</title>
      <link>https://community.ruckuswireless.com/t5/ZoneDirector/How-to-integrate-between-Ruckus-and-Palo-Alto/m-p/8561#M1635</link>
      <description>I believe his goal is to find out the Domain User Authenticated device, not the Domain Hardware Authenticated device.
&lt;BR /&gt;&lt;BR /&gt;
For example, a domain user's Android is authenticated, he is in the network and got an IP. But ZD doesn't know the Android's IP and PanOS can't recognize the Android's username.</description>
      <pubDate>Tue, 23 Dec 2014 01:48:54 GMT</pubDate>
      <guid>https://community.ruckuswireless.com/t5/ZoneDirector/How-to-integrate-between-Ruckus-and-Palo-Alto/m-p/8561#M1635</guid>
      <dc:creator>nick_khor</dc:creator>
      <dc:date>2014-12-23T01:48:54Z</dc:date>
    </item>
    <item>
      <title>Re: How to integrate between Ruckus and Palo Alto</title>
      <link>https://community.ruckuswireless.com/t5/ZoneDirector/How-to-integrate-between-Ruckus-and-Palo-Alto/m-p/8562#M1636</link>
      <description>Hey Nick,
&lt;BR /&gt;&lt;BR /&gt;
Actually, after 9.8, if you enable the &lt;B&gt;Client Association&lt;/B&gt; option under &lt;B&gt;"Debug Logs"&lt;/B&gt;, the ZD starts to log the client association with some messages containing the client login information and IP, even if it uses Radius or Captive Portal.
&lt;BR /&gt;&lt;BR /&gt;
Don't forget to enable syslog forwarding on ZD to the PA's MGMT IP or User-ID agent IP.
&lt;BR /&gt;&lt;BR /&gt;
I don't recall the exact message, but I discovered it using an external syslog (on Linux) receiving the messages. Do a grep filtering for "sta_name" or "operation=add".
&lt;BR /&gt;&lt;BR /&gt;
On the PA you need to enable the MGMT interface to receive the messages and then create a syslog filter under "Device" -&amp;gt; "User Identification" -&amp;gt; tab "User Mapping": click on the little engine in the right corner, and then the tab "Syslog Filters" (hidden, right?)
&lt;BR /&gt;&lt;BR /&gt;
There you can create a regex filter to recognize those messages. 
&lt;BR /&gt;
Here we created a filter like this:
&lt;BR /&gt;
Type: Regex Identifier
&lt;BR /&gt;
Event Regex: operation=(update|add){1}
&lt;BR /&gt;
Username Regex: sta_name(?:=.*\\|=)([0-9]+); (our user logins are just numbers)
&lt;BR /&gt;
Address Regex: sta_ip=(10\.[0-9]+\.[0-9]+\.[0-9]+);
&lt;BR /&gt;&lt;BR /&gt;
And you need to add a Server Monitoring entry on the PA as well for the ZD, just right below on the User Mapping tab.
&lt;BR /&gt;&lt;BR /&gt;
It worked for us configuring it on the PA, but we wanted it better.
&lt;BR /&gt;&lt;BR /&gt;
As I said, after we tested that, we were sure that the PA was identifying the user authentication. We implemented an external PA User-ID agent to receive the messages from the Zone Director and configured the same filter on it. With that, our PA's mgmt interface doesn't need to listen to all those syslog messages and just gets the information the PA needs, already filtered by the agent.
&lt;BR /&gt;&lt;BR /&gt;
Cheers.
&lt;BR /&gt;
ps: Sorry for the delay, I was on vacation!</description>
      <pubDate>Tue, 13 Jan 2015 16:11:22 GMT</pubDate>
      <guid>https://community.ruckuswireless.com/t5/ZoneDirector/How-to-integrate-between-Ruckus-and-Palo-Alto/m-p/8562#M1636</guid>
      <dc:creator>dilojunior</dc:creator>
      <dc:date>2015-01-13T16:11:22Z</dc:date>
    </item>
    <item>
      <title>Re: How to integrate between Ruckus and Palo Alto</title>
      <link>https://community.ruckuswireless.com/t5/ZoneDirector/How-to-integrate-between-Ruckus-and-Palo-Alto/m-p/8563#M1637</link>
      <description>Hello Odilo,
&lt;BR /&gt;&lt;BR /&gt;
Thanks for the tips. Better late than never ;)
&lt;BR /&gt;&lt;BR /&gt;
I found this out from the syslog
&lt;BR /&gt;
"Jan 14 08:43:47 stamgr: stamgr_send_log_v4():operation=add;seq=3;sta_ip=192.168.XX.XX;sta_mac=a0:88:69:XX:XX:XX;zd/ap=6c:aa:b3:XX:XX:XX/84:18:3a:XX:XX:XX;sta_ostype=Windows 7/Vista;sta_name=host/LP-XXX.Domain.local;stamgr_handle_remote_ipc "
&lt;BR /&gt;&lt;BR /&gt;
operation=add;
&lt;BR /&gt;
sta_ip=192.168.XX.XXX;
&lt;BR /&gt;
sta_name=host/LP-XXX.Domain.local;
&lt;BR /&gt;
---
&lt;BR /&gt;&lt;BR /&gt;
That was a Computer Authentication log; the user authentication log did not appear in the syslog. I will need some time to check it out.
&lt;BR /&gt;
Btw, thanks for your guide!</description>
      <pubDate>Wed, 14 Jan 2015 01:31:10 GMT</pubDate>
      <guid>https://community.ruckuswireless.com/t5/ZoneDirector/How-to-integrate-between-Ruckus-and-Palo-Alto/m-p/8563#M1637</guid>
      <dc:creator>nick_khor</dc:creator>
      <dc:date>2015-01-14T01:31:10Z</dc:date>
    </item>
    <item>
      <title>Re: How to integrate between Ruckus and Palo Alto</title>
      <link>https://community.ruckuswireless.com/t5/ZoneDirector/How-to-integrate-between-Ruckus-and-Palo-Alto/m-p/8564#M1638</link>
      <description>Good!
&lt;BR /&gt;&lt;BR /&gt;
We did some filtering on radius as well, to permit only user + pass authentication, so we don't have our domain machines authenticating there. That way we can "assure" (OK, maybe 99.99% of the time) that the user authenticating is the real user, not just a machine that could be used by someone else.
&lt;BR /&gt;&lt;BR /&gt;
No problem, glad I can help :)
&lt;BR /&gt;
Good luck!
&lt;BR /&gt;&lt;BR /&gt;
Cheers.</description>
      <pubDate>Wed, 14 Jan 2015 15:20:06 GMT</pubDate>
      <guid>https://community.ruckuswireless.com/t5/ZoneDirector/How-to-integrate-between-Ruckus-and-Palo-Alto/m-p/8564#M1638</guid>
      <dc:creator>dilojunior</dc:creator>
      <dc:date>2015-01-14T15:20:06Z</dc:date>
    </item>
  </channel>
</rss>

