topic Re: Is there anything in the works for pulling User-ID data directly from a MS NPS server in General Topics

Is there anything in the works for pulling User-ID data directly from a MS NPS server

JordanGoodnough — Mon, 04 Aug 2014 18:10:17 GMT

User-ID integration with Microsoft AD is great, and works nicely, but we have the bulk of our users using RADIUS to authenticate wirelessly with 802.1x, and we're using a Microsoft NPS server to do that job. These users' devices are not necessarily (and often are not) Windows domain computers, so the LDAP lookups aren't providing the needed information for a User-ID mapping. Is there any good way to get that information from the NPS server?

Re: Is there anything in the works for pulling User-ID data directly from a MS NPS server

_slv_ — Mon, 04 Aug 2014 20:11:12 GMT

At the moment there isn't direct intergration with NPS however new features in PAN OS 6.0 called "User-ID Integration With Syslog" could be usefull for You.

Please read New Features Guide 6.0 (English) page 96

Regards

SLawek

Re: Is there anything in the works for pulling User-ID data directly from a MS NPS server

dmaynard — Mon, 04 Aug 2014 22:07:30 GMT

Hello,

One problem you might encounter with userid integration is that the ip in the Microsoft NPS logs is not the ip address of the client machine but the device performing the radius Auth on behalf of client.

If the wireless device is capable of sending user and ip information in syslog format then you can use new feature in Pan-OS 6.0 mentioned above.

If the device is not able to send this information in syslog such as Cisco WLC (which uses SNMP) then would need to have the information sent to SNMP collector from WLC.

On the SNMP collector would need to have a way of parsing the event and forwarding that to Pan User-ID for User-ID integration.

Re: Is there anything in the works for pulling User-ID data directly from a MS NPS server

pulukas — Tue, 05 Aug 2014 01:09:24 GMT

You could configure captive portal. But I guess you don't want to force a login portal.

The issue with RADIUS is as dmaynard says, the ip association is in the payloads. There is a script posted in Dev center to extract this for user id association. I'm not sure how well it works as I haven't used it.

Scripting solution for User ID working with Microsoft IAS/NPS

Re: Is there anything in the works for pulling User-ID data directly from a MS NPS server

JordanGoodnough — Tue, 05 Aug 2014 16:12:09 GMT

Yeah, I might have to look into that scripting solution. I'd definitely prefer native NPS integration, but who wouldn't? I just wonder if it's in the pipeline.

Re: Is there anything in the works for pulling User-ID data directly from a MS NPS server

pulukas — Tue, 05 Aug 2014 21:55:22 GMT

Roadmap questions are only answered under the NDA from your Sales team. They can also see if there is an existing FR (Feature Request) for the functionality. If there is an FR number you can add a "vote" for the feature.