https://live.paloaltonetworks.com/t5/general-topics/trouble-getting-user-id-from-ms-radius-nps-using-script/m-p/15688#M11482 <HTML><HEAD></HEAD><BODY><P>I am part-way in matching up IP addresses and user names, but struggling with the second......I'll explain.</P><P></P><P>In our lab we have a PA5020, and I am running the User-ID agent on a VM close to the firewall. It successfull reads the AD credentials etc, and those users who authenticate with AD are showing correct names against their IP addresses <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /> </P><P></P><P>The tricky part is our wireless solution...we have an HP wireless box, and doing authentication against a Radius service running on an MS server (this is part of NPS (Network Policy and Access Services)). The logs are stored locally (the only choices I have are log locally to text file, or to SQL database).</P><P></P><P>The log format is one of three types:</P><UL><LI>DTS Compliant</LI><LI>ODBC (Legacy)</LI><LI>IAS (Legacy)</LI></UL><P></P><P>The most useful log file type is the ODBC one, but doesn't show the IP address for every authentication attempt (only the MAC address).</P><P></P><P></P><P>I have written a Perl script which successfully does the following items:</P><OL><LI>Find the latest log file to read from (as they are weekly logs, and new file per week)</LI><LI>Open a file which states the last record sent to the XML API (as shown in step 4.1.4)</LI><LI>Read output from "ARP -A" command line (to show MAC and IP addresses known on Radius server)</LI><LI>Open the latest file and search through until the date/time is after the last update (in step 2):<OL><LI>If this is an Authentication Accept message<OL><LI>then lookup recorded MAC address against ARP (to know IP address)</LI><LI>Read user name from line (and add domain name if not shown)</LI><LI>Call the XML API with these details</LI><LI>Write the date &amp; time to a file to "bookmark" start of next search</LI></OL></LI><LI>Read the next record</LI></OL></LI></OL><P></P><P>All seems to be fine, except when there isn't a MAC address entry, or after 1 hour the record in the PA firewall times out!!</P><P></P><P>So to solve the first we could simply ping all possible IP addresses to ensure that we have a correct MAC / IP entry (as long as the devices respond!!), but doesn't seem very elegant.</P><P>There must be a way to modify the age timers of the firewall records?</P><P></P><P></P><P>As the User-ID functionality is part of the whole promise from PA that their firewalls are unique and do everything based on User / Group and Application, is a little untrue (unless if you only use AD to authentciate, or any one of their prescribed workarounds (Captive Portal etc).</P><P></P><P>Has anyone successfully gotten a solution similar to mine working?</P><P></P><P>The main issue for me is the correct discovery of the IP address for every Radius Auth Accept message! And the timeout problem is likely to be easily fixed!!</P></BODY></HTML> Fri, 27 Jul 2012 01:35:25 GMT ady_wilson 2012-07-27T01:35:25Z https://live.paloaltonetworks.com/t5/general-topics/trouble-getting-user-id-from-ms-radius-nps-using-script/m-p/15688#M11482 <HTML><HEAD></HEAD><BODY><P>I am part-way in matching up IP addresses and user names, but struggling with the second......I'll explain.</P><P></P><P>In our lab we have a PA5020, and I am running the User-ID agent on a VM close to the firewall. It successfull reads the AD credentials etc, and those users who authenticate with AD are showing correct names against their IP addresses <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /> </P><P></P><P>The tricky part is our wireless solution...we have an HP wireless box, and doing authentication against a Radius service running on an MS server (this is part of NPS (Network Policy and Access Services)). The logs are stored locally (the only choices I have are log locally to text file, or to SQL database).</P><P></P><P>The log format is one of three types:</P><UL><LI>DTS Compliant</LI><LI>ODBC (Legacy)</LI><LI>IAS (Legacy)</LI></UL><P></P><P>The most useful log file type is the ODBC one, but doesn't show the IP address for every authentication attempt (only the MAC address).</P><P></P><P></P><P>I have written a Perl script which successfully does the following items:</P><OL><LI>Find the latest log file to read from (as they are weekly logs, and new file per week)</LI><LI>Open a file which states the last record sent to the XML API (as shown in step 4.1.4)</LI><LI>Read output from "ARP -A" command line (to show MAC and IP addresses known on Radius server)</LI><LI>Open the latest file and search through until the date/time is after the last update (in step 2):<OL><LI>If this is an Authentication Accept message<OL><LI>then lookup recorded MAC address against ARP (to know IP address)</LI><LI>Read user name from line (and add domain name if not shown)</LI><LI>Call the XML API with these details</LI><LI>Write the date &amp; time to a file to "bookmark" start of next search</LI></OL></LI><LI>Read the next record</LI></OL></LI></OL><P></P><P>All seems to be fine, except when there isn't a MAC address entry, or after 1 hour the record in the PA firewall times out!!</P><P></P><P>So to solve the first we could simply ping all possible IP addresses to ensure that we have a correct MAC / IP entry (as long as the devices respond!!), but doesn't seem very elegant.</P><P>There must be a way to modify the age timers of the firewall records?</P><P></P><P></P><P>As the User-ID functionality is part of the whole promise from PA that their firewalls are unique and do everything based on User / Group and Application, is a little untrue (unless if you only use AD to authentciate, or any one of their prescribed workarounds (Captive Portal etc).</P><P></P><P>Has anyone successfully gotten a solution similar to mine working?</P><P></P><P>The main issue for me is the correct discovery of the IP address for every Radius Auth Accept message! And the timeout problem is likely to be easily fixed!!</P></BODY></HTML> Fri, 27 Jul 2012 01:35:25 GMT https://live.paloaltonetworks.com/t5/general-topics/trouble-getting-user-id-from-ms-radius-nps-using-script/m-p/15688#M11482 ady_wilson 2012-07-27T01:35:25Z https://live.paloaltonetworks.com/t5/general-topics/trouble-getting-user-id-from-ms-radius-nps-using-script/m-p/15689#M11483 <HTML><HEAD></HEAD><BODY><P>Any luck with this?&nbsp; We're looking to do the very same thing with an NPS server.&nbsp; If you had any luck, any chance you'd be willing to share the script?</P><P><BR />Thanks!</P></BODY></HTML> Mon, 10 Sep 2012 20:47:59 GMT https://live.paloaltonetworks.com/t5/general-topics/trouble-getting-user-id-from-ms-radius-nps-using-script/m-p/15689#M11483 SabreAce33 2012-09-10T20:47:59Z https://live.paloaltonetworks.com/t5/general-topics/trouble-getting-user-id-from-ms-radius-nps-using-script/m-p/15690#M11484 <HTML><HEAD></HEAD><BODY><P>I am having the exact same situation; no luck</P></BODY></HTML> Mon, 08 Sep 2014 19:52:05 GMT https://live.paloaltonetworks.com/t5/general-topics/trouble-getting-user-id-from-ms-radius-nps-using-script/m-p/15690#M11484 MMCiobanu 2014-09-08T19:52:05Z https://live.paloaltonetworks.com/t5/general-topics/trouble-getting-user-id-from-ms-radius-nps-using-script/m-p/15691#M11485 <HTML><HEAD></HEAD><BODY><P>Your workaround seems nice just ping the IPs you can't see in the ARP table, even if they don't respond the ping you should be able to know they MAC address [try it if you don't believe me]. Or if you wanna add complexity log into their default gateway via SHH in perl [maybe it's the firewall] and look for the MAC in they ARP table, as they pretend to get internet access their DG must know their MAC address.</P><P></P><P>Also you can configure Captive portal as fallback option using the radius servers as authentication method.</P><P><A href="https://live.paloaltonetworks.com/docs/DOC-1159">How to Configure Captive Portal</A></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-2908">How to Configure RADIUS Authentication</A></P><P></P><P>About the timer could be a security flag just leave a session more than 1 hour, under those cases the captive portal is a good option in order to re-log every hour...</P></BODY></HTML> Tue, 23 Sep 2014 00:02:31 GMT https://live.paloaltonetworks.com/t5/general-topics/trouble-getting-user-id-from-ms-radius-nps-using-script/m-p/15691#M11485 GLastra 2014-09-23T00:02:31Z https://live.paloaltonetworks.com/t5/general-topics/trouble-getting-user-id-from-ms-radius-nps-using-script/m-p/15692#M11486 <HTML><HEAD></HEAD><BODY><P>Take a look at <A href="https://live.paloaltonetworks.com/docs/DOC-6851">Microsoft NPS to PANOS UserID connector</A>. I build this connector some months ago. All that you need is:</P><UL><LI>Enable RADIUS Accounting in the HP Wireless Infrastructure</LI><LI>Configure the NPS to log using DTS format</LI><LI>To run the connector against the given NPS log directory</LI></UL><P></P><P>Hope it helps</P></BODY></HTML> Tue, 23 Sep 2014 05:48:42 GMT https://live.paloaltonetworks.com/t5/general-topics/trouble-getting-user-id-from-ms-radius-nps-using-script/m-p/15692#M11486 xhoms 2014-09-23T05:48:42Z