SmartZone 100 and Palo Alto IP address to user name (User-ID) mapping

pssd_210
New Contributor II
Hi,

I know that this can be achieved with a ZoneDirector, however I am struggling to make this work with my SmartZone 124 controllers.

I need to be able to forward authentication events that include both the authenticated client's username as well as their IP address to my Palo Alto firewall when a user successfully logs on to our wireless networks.  All authentications are handled via a Network Policy server and 802.1x authentication.

Once the event is sent to the firewall, I need to be able to create a Syslog filter to parse the authentication event so that the user can have their username and IP address mapped via Palo Alto's User-ID functionality.

I have so far been unable to see any event that includes both the user's username as well as IP address while monitoring the events on a Syslog server.  Again, I know that this can be done with a ZoneDirector however I am now using a SmartZone 124 controller.

Has anyone been able to successfully do this?

Thanks in advance!

ict_corpus_chri
New Contributor II
I have been in contact with Ruckus who have now fixed the syslog bug so it works correctly!

The Palo Alto regex I am using is the following:
Device > User Identification > Palo Alto Networks User-ID Agent Setup (the tiny cog on the top right) > Syslog Filters
Type: Regex Identifier
Event Regex: (?=.*clientInfoUpdate)(.*"ssid"="YourWirelessSSID")(.*"clientIP"=")
Username Regex: "userName"="([a-zA-Z0-9.\-\_\\]+)
Address Regex: "clientIP"="(\b(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\b)

You can also remove the requirement for a specific SSID by using the following:
Event Regex: (?=.*clientInfoUpdate)(.*"clientIP"=")

Don't forget to turn on "Allow matching usernames without domains" for the Palo Alto to allow it to digest logins without the domain if you use RADIUS for auth.
On the Palo Alto you turn on the following:
Device > User Identification > Palo Alto Networks User-ID Agent Setup (the tiny cog on the top right) > Cache > Allow matching usernames without domains (tick box)

Server Monitor also needs to be set up:
Add it under Device > User Identification > Server Monitor
Type: Syslog Sender
Network Address: IP of the SmartZone controller
Connection: UDP
Add the Ruckus Regex under "Syslog Parse Profile"


The SmartZone Controller has the following settings:
System > General Settings > Syslog
Enable Syslog
Primary Syslog: Palo Alto Management interface IP (the default for user auth)
Port: 514
Protocol: UDP

Event Filter: All Events above a severity
Event Filter Severity: Informational



I have been having the same issue and neither support team could help. I tried your solution and I got nada.
I'm using a PA-5250 with 8.1.3
SZ Essentials 5.1.2.0.302

Any other suggestions?

I am currently testing ICT's suggestion to see if it more accurately captures UserID events so I have no comment on whether or not it works at this time.

However I did have reasonable success with the following filter.  I am running a PA-3020 on 8.1.12, and a SZ-100 on 3.6.2.0.222.  I have avoided the 5.x release like the plague due to stability issues which is possibly related to the issues you are having, difficult to say.

Regardless, here's what I have used:

Event Regex: @@206,clientAuthorization,

Username Regex: "userName"="([a-zA-Z0-9\-]+\.[a-zA-Z0-9\-]+)(?:@[insert your domain here]\.[insert .com, .ca, whatever your tld is here])?"

Address Regex: "clientIP"="([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"


Note the bold portions above: insert your domain and your TLD where the bold type is, making sure not to include the opening and closing brace as well.

Your mileage with this may vary but if nothing is working for you now it's worth a shot. I know that Ruckus seems to change the event to look for with every firmware release.  This has worked fairly well for me for the entire 3.6x release.
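The two filter sets posted above (the clientInfoUpdate set from ict_corpus_chri and the clientAuthorization set from the SZ-100 reply) differ in which event line they select and in what they accept as a username. The script below is an added example, not code from the thread or from Ruckus or Palo Alto; it applies each set the way a Syslog Parse Profile does (event regex decides whether the line counts, then the username and address regexes each capture group 1) over constructed sample lines. The sample lines are constructed to fit the "key"="value" layout the regexes expect and are not captured SmartZone output: the "@@000" event code is a placeholder, and the domain placeholder in the second username regex is filled with the assumed value example.com.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Filter set A, as posted by ict_corpus_chri: clientInfoUpdate events, limited to one SSID.
SET_A = {
    "event": r'(?=.*clientInfoUpdate)(.*"ssid"="YourWirelessSSID")(.*"clientIP"=")',
    "user": r'"userName"="([a-zA-Z0-9.\-\_\\]+)',
    "addr": r'"clientIP"="(\b(?:(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\b)',
}

# Filter set B, as posted for SZ-100 on 3.6.x: clientAuthorization events. The domain/TLD
# placeholders from the post are filled with the ASSUMED value example.com.
SET_B = {
    "event": r'@@206,clientAuthorization,',
    "user": r'"userName"="([a-zA-Z0-9\-]+\.[a-zA-Z0-9\-]+)(?:@example\.com)?"',
    "addr": r'"clientIP"="([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"',
}


def parse_event(line: str, filters: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (username, ip) when the line passes the event regex and both capture
    regexes find a value, else None. A line missing either half yields no User-ID
    mapping on the firewall, so a partial hit is treated as no hit here as well."""
    if re.search(filters["event"], line) is None:
        return None
    user = re.search(filters["user"], line)
    addr = re.search(filters["addr"], line)
    if user is None or addr is None:
        return None
    return user.group(1), addr.group(1)


def build_mappings(lines: Iterable[str], filters: Dict[str, str]) -> Dict[str, str]:
    """Fold a stream of syslog lines into an ip -> username table; a later event for
    the same address overwrites the earlier one, as a re-used lease would."""
    table: Dict[str, str] = {}
    for line in lines:
        hit = parse_event(line, filters)
        if hit is not None:
            user, ip = hit
            table[ip] = user
    return table


# Constructed sample lines (not captured controller output). "@@000" is a placeholder
# event code; only the field layout matters to the regexes.
SAMPLE_LINES = [
    r'@@000,clientInfoUpdate,"ssid"="YourWirelessSSID","userName"="jdoe","clientIP"="10.20.30.40"',
    r'@@000,clientInfoUpdate,"ssid"="GuestNet","userName"="guest1","clientIP"="10.20.30.41"',
    r'@@206,clientAuthorization,"userName"="jane.doe@example.com","clientIP"="192.168.5.77"',
    # Same event type as set A wants, but no userName field: must produce no mapping.
    r'@@000,clientInfoUpdate,"ssid"="YourWirelessSSID","clientIP"="10.20.30.42"',
]

if __name__ == "__main__":
    for name, filters in (("set A", SET_A), ("set B", SET_B)):
        print(name, build_mappings(SAMPLE_LINES, filters))
```

Running it shows why the two sets are not interchangeable: set A ignores the clientAuthorization line entirely, the GuestNet line is dropped by set A's SSID clause, and the line without a userName field is dropped by both, which matches the original poster's symptom of seeing events that carry the IP but not the username. Set B's username regex also requires a dot in the account name, so a plain "jdoe" would be rejected by it.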

I got it!!!
Go to Device > Server Profiles > Syslog
Add a profile and add server within profile with the Facility at LOG_LOCAL0
Then go back to Device > User Identification > Palo Alto Networks User-ID Agent Setup and go to Server Monitor tab.
Change the Syslog listener setting to the service profile you created.

Thank you for getting the regexes!!!!