topic Re: VPN Cisco concentrator/ISE - USER-ID log to PA in General Topics

VPN Cisco concentrator/ISE - USER-ID log to PA

Metgatz — Wed, 20 Mar 2024 03:11:21 GMT

USER-ID log from VPN Cisco concentrator

Dear Live community, how is everything going ?

Have you ever had to do the following?

We have to integrate a Cisco ASA, with Palo Alto, so that the PA receives from a Cisco ASA and/or Cisco ISE the users to be able to have mapper with USER-ID the users that connect by VPN. ( There is no global protect )

Details:

Cisco ASA --- Cisco ISE ( AAA ) users with any connect - Flows through PA.

They want the Palo Alto firewalls to be able to read the users that when a user connects via VPN to the Cisco ASA, the Palo Alto FW receives the information from the Cisco ASA and/or the Cisco ISE on the PA, so that the User-ID can somehow get that information from those users.

Clarifications, the PA does not have and should not use Global Protect. The Palo Alto FW must receive the information from the Cisco ASA and/or Cisco ISE when VPN users connect, Palo Alto can map them and see them in the User Log fields of the PA when traffic passes through it.

Please can you guide me and/or indicate me how to achieve this goal, at least as a base, limitations, considerations and/or guide to achieve this issue.

Thanks for your time and collaboration

I remain attentive

Best regards

Re: VPN Cisco concentrator/ISE - USER-ID log to PA

TomYoung — Wed, 20 Mar 2024 04:42:56 GMT

Hi @Metgatz ,

You can configure ISE to send syslog data to a NGFW which parses User-ID info. It works great. https://live.paloaltonetworks.com/t5/general-topics/cisco-ise-integration-for-userid/m-p/381362

Thanks,

Tom

Re: VPN Cisco concentrator/ISE - USER-ID log to PA

Metgatz — Fri, 29 Mar 2024 05:18:11 GMT

Hi @TomYoung , thank you very much for your time and thanks for your advice.

Yes, the issue here is also in the filtering needed for the

Log-In and Log-OFF.

So yes in this case I would also need that information from the ISE.

Now that I see it, I doubt that this information is sent from the ISE, maybe the login or that the connection was validated from the ASA to the ISE to authenticate and validate the user and already indicates OK, I am not sure if when the Cisco Anyconnect client exits the ASA, the ASA indicates to the ISE that the user released the session and performed the log-off.

Because if not, I would only apply the User Identification Timeout (default 45 min) to release the user mapping, thinking that I will only have the login or the successful validation of the ISE, but not the logoff.

User Identification Timeout (min)

Set the timeout value in minutes for user mapping entries (range is 1 to 3,600; default is 45).

What do you think, any advice, recommendation or detail to consider ?

I remain attentive

Best regards

Re: VPN Cisco concentrator/ISE - USER-ID log to PA

TomYoung — Fri, 29 Mar 2024 11:38:45 GMT

Hi @Metgatz ,

What specific issue do you have? Is the NGFW showing the User-ID mappings for the ASA AnyConnect users?

Thanks,

Tom

Re: VPN Cisco concentrator/ISE - USER-ID log to PA

PavelK — Fri, 29 Mar 2024 23:12:23 GMT

Hello @Metgatz

we have implemented IP-User mapping from AnyConnect clients by parsing ASA logs. For AnyConnect session connection and disconnection there are below syslog messages generated.

746012
Error Message %ASA-5-746012: user-identity: Add IP-User mapping IP Address - domain_name \user_name result - reason
Explanation: A new user-IP mapping has been added to the user-to-IP address mapping database. The status of the operation (success or failure) is indicated. The success reason is VPN user. The failure reasons include the following: Maximum user limit reached and Duplicated address.

746013
Error Message %ASA-5-746013: user-identity: Delete IP-User mapping IP Address - domain_name \user_name result - reason
Explanation: A change has been made to the user-to-IP address mapping database. The status of the operation (success or failure) is indicated. The success reasons include the following: Inactive timeout, NetBIOS probing failed, PIP notification, VPN user logout, Cut-through-proxy user logout, and MAC address mismatch. The failure reason is PIP notification.

In our case this works well to update User-ID mapping in Firewalls.

Kind Regards

Pavel

Re: VPN Cisco concentrator/ISE - USER-ID log to PA

Metgatz — Sat, 30 Mar 2024 00:38:13 GMT

Hi @PavelK thanks for your reply.

Excellent, yes that's exactly what I'm looking for. I was already looking at those logs and yes, there I will have both login and logout. From the ISE I will not have the logout versus the ASA log for both cases. This way sounds better.

Please if it was not too much bother and waiting for your help and collaboration, could you share the Regex or Field that you used in the syslog parse profile for both the LogIn event and the LogOut, only generically, without sharing anything sensitive, and then I adjust them to what I need, but if you could share the ones you used, that are working in the environment that you mention that works without problems, I would appreciate it very much.

Thanks for your time, advice and collaboration

I remain attentive

Best regards

Re: VPN Cisco concentrator/ISE - USER-ID log to PA

PavelK — Mon, 01 Apr 2024 11:28:13 GMT

Hello @Metgatz

I am sorry for late response. This has been set years ago and I have in meanwhile moved to different position. Please give me some time to research it.

Kind Regards

Pavel

Re: VPN Cisco concentrator/ISE - USER-ID log to PA

PavelK — Mon, 02 Dec 2024 07:04:30 GMT

Hello @Metgatz

I am sorry for very late response.

Unfortunately, I do not have much to share. In our environment ASAs are sending SNMP traps for user logon/logoff to User-ID server:

logging list eventlist_user_login_logout message 746013
logging list eventlist_user_login_logout message 746012
snmp-server enable traps syslog
snmp-server host management <user-id server> community ***** version 2c

then kiwi syslog (running on User-ID agent server) picks snmp trap up, archives it for auditing, then forwards it to User-ID agent's port.

Kind Regards

Pavel