cancel
Showing results for 
Search instead for 
Did you mean: 

SmartZone 100 and Palo Alto IP address to user name (User-ID) mapping

pssd_210
New Contributor II
Hi,

I know that this can be achieved with a ZoneDirector, however I am struggling to make this work with my SmartZone 124 controllers.

I need to be able to forward authentication events that include both the authenticated client's username as well as their IP address to my Palo Alto firewall when a user successfully logs on to our wireless networks.  All authentications are handled via a Network Policy server and 802.1x authentication.

Once the event is sent to the firewall, I need to be able to create a Syslog filter to parse the authentication event so that the user can have their username and IP address mapped via Palo Alto's User-ID functionality.

I have so far been unable to see any event that includes both the user's username as well as IP address while monitoring the events on a Syslog server.  Again, I know that this can be done with a ZoneDirector however I am now using a SmartZone 124 controller.

Has anyone been able to successfully do this?

Thanks in advance!
12 REPLIES 12

these are my current settings for syslog
I am running 5.1.2.0.302 and its working with ClientInfoUpdate
The clientAuthorization does give the IP and username but when roaming between APs you will occasionally have scenarios where the username is there but no IP address.
just something to watch out for.
Image_ images_messages_5f91c48a135b77e247adc42e_5c98f40d700f081879bb514fe7de3fb4_RackMultipart202001126719012nz-32c6850a-09ec-4d78-923c-882efe4d0e24-290641102.png1578871703,

jimmy_ballentin
New Contributor II
So to update from my last post. 

This works, most of the time. I have noticed that some of my users and not being seen correctly by the firewall from the syslog. I am getting org\\user instead of org\user and the PA drops that past my unknown user to the bottom of the security rules. 

To resolve this I am using both of the suggestions here and it seems to be working better but still seeing the double \\. 

Going to toss this one to PA

Update again. Ruckus has been able to replicate this issue internally and have escalated it to engineering. (Bug ID ER-8120).