Integrating Cisco ISE Guest Authentication with PAN-OS

This scenario was deployed with Cisco ISE 1.4.0-253 and PAN-OS 6.1 and 7.0.

In the scenario described here, user-id integration with Active Directory is already working, so, the idea is to collect only user-id Guest information from Cisco ISE. You can change this behavior just by removing/changing the subnets at the regular expressions.

Cisco ISE works as a RADIUS server to authenticate and authorize users on a network. We are going to forward RADIUS Authentication and Accounting logs to PAN-OS.

Configuring a new remote log target on Cisco ISE, this device is going to be PAN-OS:

1. Choose Administration > System > Logging > Remote Logging Targets
2. Click Add
3. Give it a name you like, for target type, select UDP Syslog. For IP address, fill with the PAN-0S Management Interface IP address.
4. Click Submit

Repeat the steps below if you want to send user-id log information to other devices.

Configuring ISE to forward Passed Authentication Syslog Messages

1. Choose Administration > System > Logging > Logging Categories
2. Click Passed Authentications
3. Select the remote log target you created before on the Available column, and click the > sign to move it to the Selected column.
4. Click Save

Configuring ISE to forward RADIUS Accounting Syslog Messages

1. Choose Administration > System > Logging > Logging Categories
2. Click RADIUS Accounting
3. Select the remote log target you created before on the Available column and click the > sign to move it to the Selected column
4. Click Save

Enable User-ID Syslog Listener-UDP on PAN-OS

1. Choose Device > Setup > Management Interface Settings
2. Check the User-ID Syslog Listener-UDP box
3. Click OK

Create a Syslog Parse Profile to match the interesting information on syslog messages

1. Choose Device > User Identification > User Mapping
2. Edit Palo Alto Networks User ID Agent Setup and click Syslog Filters
3. Click Add
4. Fill all the fields according to the information below.

Be aware of the following:

• Wireless devices: Cisco ISE sends the user-id information only on the Authentication logs
• Wired devices: Cisco ISE sends the user-id information on the Accounting logs.

In this example, we have:

• 10.10.130.0/24 = Wireless Guest
• 10.10.30.0/24 = Wireless Guest
• 10.10.140.0/24 = Wired Guest

Adjust the Syslog Parse Profile regex below according to your needs:

1. Syslog Parse Profile: Cisco ISE
2. Event regex: ([A-Za-z0-9].*CISE_Passed_Authentications.*((Framed-IP-Address=10\.10\.130)|(Framed-IP-Address=10\.10\.30))|([A-Za-z0-9].*CISE_RADIUS_Accounting.*(Framed-IP-Address=10\.10\.140)))
3. Username Regex: (?<=UserName=|User-Name=)[\w-]+
4. Address Regex: Framed-IP-Address=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) 
5. Click OK

The Cisco ISE 2.1 syslog parse profile should look like this:

Event Regex
([A-Za-z0-9].*CISE_Passed_Authentications.*Framed-IP-Address=.*)|([A-Za-z0-9].*CISE_RADIUS_Accounting.*Framed-IP-Address=.*)

Username Regex
User-Name=([a-zA-Z0-9\@\-\\/\\\._]+)|UserName=([a-zA-Z0-9\@\-\\/\\\._]+)

Address Regex
Framed-IP-Address=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})

Add ISE servers to Server Monitoring list

1. Choose Device > User Identification > User Mapping
2. Under Server Monitoring, click Add
3. Give it a name and a description you like.
4. For Type, choose Syslog Sender
5. For Network Address, insert your Cisco ISE IP address
6. For Connection Type, choose UDP
7. For Filter, select Cisco ISE
8. For Default Domain Name, insert your netbios domain name or the information that matches your environment.
9. Click Commit

Verify that PAN-OS is receiving user-id information from Cisco ISE, by running the following CLI commands:

show user server-monitor state 
show user ip-user-mapping all type SYSLOG
test user-id user-id-syslog-parse
tail follow yes mp-log useridd.log

References

• Configuring Cisco ACS to send RADIUS Accounting directly to the firewall using Syslog
• Configuring ISE to Forward User Login Events to CDA