topic using syslog to integrate Ruckus ZoneDirector & PAN for user identification in Automation/API Discussions

using syslog to integrate Ruckus ZoneDirector & PAN for user identification

carsent — Thu, 20 Sep 2012 15:52:23 GMT

I am trying to integrate Ruckus ZoneDirector & PAN for user identification by using syslog. However, syslog message generated by Ruckus ZoneDirector doesn't have user's IP address. It only contains user name and MAC address of the device as shown below.

<134>Sep 20 12:16:34 syslog: eventd_to_syslog():User[GUEST@8c:70:5a:4e:a2:8c] joins WLAN[GUEST-WLAN] from AP[AP4@00:25:c4:13:a6:40] 25:c4:13:a6:4c roams from AP[AP4@00:25:c4:13:a6:40]

Therefore, I cannot extract user name and IP address form the syslog message for passing them to PAN User-ID Agent. Is there any solution?

Re: using syslog to integrate Ruckus ZoneDirector & PAN for user identification

drogers — Thu, 20 Sep 2012 17:53:52 GMT

I can think of a couple of options off the top of my head, but either will require a bit of extra work on the scripting side.

1) you could dump/query the ARP table on the AP when you get an auth/join message. I'm not familiar with the tools and APIs available on Ruckus so this may be easy or near impossible.

2) you could monitor your DHCP server as well and correlate the IP/MAC mappings it hands out.

Also, what's the backend auth mechanism that your ruckus system is using? Any chance that system (ie a radius server) would log IPs?

Re: using syslog to integrate Ruckus ZoneDirector & PAN for user identification

carsent — Tue, 09 Oct 2012 06:46:12 GMT

Hi Drogers,

Thanks for your reply!

Ruckus can integrate with AD, LDAP, RADIUS or use its internal user database for authentication. For integration with AD, there is no problem to identify wireless LAN users because PAN can also integrate with AD. For authentication with RADIUS, there is also no problem as long as RADIUS can send syslog message with user name and IP address. However, integration of PAN with Ruckus is necessary when customers use Ruckus internal user database for authentication.

I think both of your suggested solutions may work and I will try to follow your suggestion to solve this problem.

Re: using syslog to integrate Ruckus ZoneDirector & PAN for user identification

UNIVALI — Thu, 21 Aug 2014 18:54:14 GMT

Check the new 9.8 firmware version of ZD..

Re: using syslog to integrate Ruckus ZoneDirector & PAN for user identification

Ricky_Mayenburg — Fri, 06 May 2022 19:47:44 GMT

I found a Fix!

Settings to apply on Ruckus ZoneDirector

Troubleshooting > Diagnostics > Enable "Client Association" in the debug logs.

System > System Setting > Log Settings

- Enable Remote syslog, use the IP Address of a Palo Alto User-ID Agent or the Management port on the firewall listening for syslog traffic

Zone Director Settings

Facility Name: Local0 Priority Level: Info

Managed AP Settings

Facility Name: Local1 Priority Level: Info

I'm using Regex syslog filter to pull the required info.

User login / IP Update event.

Event Regex: operation=(update|add){1}

Username Regex: sta_name(?:=.*\\|=)([A-Za-z0-9@._]+)

Address Regex: sta_ip=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})

User Logout Event

Event Regex: operation=(del){1}

Username Regex: sta_name(?:=.*\\|=)([A-Za-z0-9@._]+)

Address Regex: sta_ip=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})

Hope this helps!