How to integrate between Ruckus and Palo Alto

teeraphol_sukpr
New Contributor II
Hi everyone,

I have a problem with how to integrate Ruckus and Palo Alto.

The Palo Alto needs the Ruckus syslog message that contains the IP and username for creating the policy, but when I set Ruckus to send syslog to Palo Alto, the syslog messages contain the username and MAC address.

Do you have any idea how to set Ruckus to send the IP and username in the syslog message, or if you have any other way to do the integration, please advise me.

Hello, I forwarded the syslog from the ZD to the PA's management IP (the syslog listener was enabled), but where do I configure the syslog event filter?

I don't think the ZD recognizes the RADIUS-authenticated user's IP.
The ZD only recognizes the MAC address and username; the username is tied to the MAC address even in the event logs, and the CLI command "show current-active-client" doesn't tell you any information about the IP address.

While the RADIUS authentication is happening, in that context, there is no IP recognition involved between the client, the ZD and the RADIUS server.

So, my point is: if the ZD itself can't recognize the authenticated user's IP and provides insufficient information, how can PAN-OS recognize it?

Please correct/advise me if I'm wrong. Feel free to email me too, nick_khor@hotmail.com.
Thanks.

dilojunior
New Contributor III
Hey Nick,

Actually, after 9.8, if you enable the Client Association option under "Debug Logs", the ZD starts to log the client association with some messages containing the client login information and IP, even if it uses RADIUS or Captive Portal.

Don't forget to enable syslog forwarding on the ZD to the PA's MGMT IP or the User-ID agent IP.

I don't recall the exact message, but I discovered it using an external syslog server (on Linux) receiving the messages. Do a grep filtering for "sta_name" or "operation=add".

On the PA you need to enable the MGMT interface to receive the messages and then create a syslog filter under "Device" -> "User Identification" -> tab "User Mapping": click the little gear icon in the right corner, and then the tab "Syslog Filters" (hidden, right?).

There you can create a regex filter to recognize those messages.
Here we created a filter like this:
Type: Regex Identifier
Event Regex: operation=(update|add){1}
Username Regex: sta_name(?:=.*\\|=)([0-9]+); (our users' logins are just numbers)
Address Regex: sta_ip=(10\.[0-9]+\.[0-9]+\.[0-9]+);

And you need to add Server Monitoring on the PA as well for the ZD, right below on the User Mapping tab.

It worked for us configured on the PA, but we wanted it better.

As I said, after we tested that and were sure that the PA was identifying the user authentication, we implemented an external PA User-ID agent to receive the messages from the ZoneDirector and configured the same filter on it. With that, our PA's mgmt interface doesn't need to listen to all those syslog messages and just gets the information the PA needs, already filtered by the agent.

Cheers.
ps: Sorry for the delay, I was on vacation!

Hello Odilo,

Thanks for the tips. Better late than never ;)

I found this out from the syslog
"Jan 14 08:43:47 stamgr: stamgr_send_log_v4():operation=add;seq=3;sta_ip=192.168.XX.XX;sta_mac=a0:88:69:XX:XX:XX;zd/ap=6c:aa:b3:XX:XX:XX/84:18:3a:XX:XX:XX;sta_ostype=Windows 7/Vista;sta_name=host/LP-XXX.Domain.local;stamgr_handle_remote_ipc "

operation=add;
sta_ip=192.168.XX.XXX;
sta_name=host/LP-XXX.Domain.local;
---

That was a computer authentication log; the user authentication log did not appear in the syslog. I will need some time to check it out.
Btw, thanks for your guide!
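To see what the syslog filter posted earlier in this thread actually extracts from ZoneDirector stamgr messages like the one quoted above, here is an added example (not from the thread, and not Ruckus or Palo Alto code) that applies the same three regexes (event, username, address, first capture group as the value) to a handful of constructed log lines and reports the user-to-IP mappings the firewall would learn. The sample messages, MACs, addresses and user names are made up to match the quoted format; it also includes an alternative, more general username regex as an assumption, showing that it would pick up the "host/..." computer-authentication entry the numeric-only filter drops.

```python
import re

# Regexes exactly as posted in the thread (PAN-OS takes the first capture
# group of the username and address regexes as the value).
EVENT_RE = re.compile(r"operation=(update|add){1}")
USERNAME_RE = re.compile(r"sta_name(?:=.*\\|=)([0-9]+);")
ADDRESS_RE = re.compile(r"sta_ip=(10\.[0-9]+\.[0-9]+\.[0-9]+);")

# Assumed alternative username regex (not from the thread): accept any user
# name, with or without a DOMAIN\ prefix. Note that it also accepts
# computer accounts such as host/LP-001.Domain.local.
USERNAME_ANY_RE = re.compile(r"sta_name=(?:[^;\\]*\\)?([^;\\]+);")

# Constructed sample messages modelled on the stamgr line quoted in the
# thread: a domain-prefixed user, a bare numeric user, a computer account,
# a disassociation (operation=del) and a client outside 10.0.0.0/8.
SAMPLE_LOG = """\
Jan 14 08:43:47 stamgr: stamgr_send_log_v4():operation=add;seq=3;sta_ip=10.1.20.15;sta_mac=a0:88:69:11:22:33;zd/ap=6c:aa:b3:00:00:01/84:18:3a:00:00:02;sta_ostype=Android;sta_name=CORP\\10042;stamgr_handle_remote_ipc
Jan 14 08:44:01 stamgr: stamgr_send_log_v4():operation=update;seq=4;sta_ip=10.1.20.16;sta_mac=a0:88:69:44:55:66;zd/ap=6c:aa:b3:00:00:01/84:18:3a:00:00:02;sta_ostype=iOS;sta_name=20077;stamgr_handle_remote_ipc
Jan 14 08:44:09 stamgr: stamgr_send_log_v4():operation=add;seq=5;sta_ip=10.1.20.17;sta_mac=a0:88:69:77:88:99;zd/ap=6c:aa:b3:00:00:01/84:18:3a:00:00:02;sta_ostype=Windows 7/Vista;sta_name=host/LP-001.Domain.local;stamgr_handle_remote_ipc
Jan 14 08:45:30 stamgr: stamgr_send_log_v4():operation=del;seq=6;sta_ip=10.1.20.15;sta_mac=a0:88:69:11:22:33;zd/ap=6c:aa:b3:00:00:01/84:18:3a:00:00:02;sta_ostype=Android;sta_name=CORP\\10042;stamgr_handle_remote_ipc
Jan 14 08:46:00 stamgr: stamgr_send_log_v4():operation=add;seq=7;sta_ip=192.168.5.9;sta_mac=a0:88:69:aa:bb:cc;zd/ap=6c:aa:b3:00:00:01/84:18:3a:00:00:02;sta_ostype=Android;sta_name=30011;stamgr_handle_remote_ipc
"""


def parse_mapping(line, username_re=USERNAME_RE):
    """Return (username, ip) for a line the filter accepts, else None.

    Mirrors the filter's evaluation order: the event regex decides whether the
    message is a login event at all, then username and address are extracted;
    a message missing either value yields no mapping.
    """
    if not EVENT_RE.search(line):
        return None
    user = username_re.search(line)
    ip = ADDRESS_RE.search(line)
    if not (user and ip):
        return None
    return user.group(1), ip.group(1)


def mappings_from_log(text, username_re=USERNAME_RE):
    """Build an ip -> username table from a block of syslog text.

    Later messages for the same IP overwrite earlier ones; operation=del
    messages are ignored because the posted filter only matches add/update,
    so a stale mapping stays until the IP is seen with a new user.
    """
    result = {}
    for line in text.splitlines():
        mapping = parse_mapping(line, username_re)
        if mapping:
            user, ip = mapping
            result[ip] = user
    return result


if __name__ == "__main__":
    print("numeric-user filter:", mappings_from_log(SAMPLE_LOG))
    print("any-user filter:    ", mappings_from_log(SAMPLE_LOG, USERNAME_ANY_RE))
```

With the thread's numeric-only username regex, only the first two messages produce mappings: the computer account is rejected by the `[0-9]+` group, the `del` message by the event regex, and the 192.168.x.x client by the address regex (which is scoped to 10.0.0.0/8 and would need changing on a network like the one in the quoted log line). Swapping in the general regex also maps the `host/...` entry, which is exactly the machine-authentication noise the later reply says was filtered out on the RADIUS side.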

Good!

We did some filtering on RADIUS as well, to permit only user + password authentication, so we don't have our domain machines authenticating there. That way we can "assure" (ok, maybe 99.99% of the time) that the user authenticating is the real user, not just a machine that could be used by someone else.

No problem, glad I can help :)
Good luck!

Cheers.