topic Re: WiFi with 802.1x and Radius authentication - source user in traffic log problem in General Topics

WiFi with 802.1x and Radius authentication - source user in traffic log problem

_slv_ — Mon, 24 Jun 2013 09:50:36 GMT

Hello

I'm thinking about WiFi network for my studnets. Now they are authenticating on HotSpot on Mikrotik AP's. They are complaining that must enter login and password so often.

HotSpot also isn't good for me becase I can't see authenticated users in PAN logs.

Is it possible to configure 802.1x authentication on AP and have in logs proper user name of logged user that is using IP attached from PAN DHCP?

Authentication is made by Radius (Free Radius) - not by Active Directory!

If my idea is bad, please advice me how to do that

With ragards

Slawek

Re: WiFi with 802.1x and Radius authentication - source user in traffic log problem

kprakash — Mon, 24 Jun 2013 13:40:17 GMT

Hi Slawek,

You can force the students to authenticate against captive portal. They can be authenticated against a radius server, although it is not necessary to configure the radius auth on the AP. You can have a dedicated radius server for the authentication. With captive portal configuration, the students would have to enter the credentials just once, and they need not login multiple times ( unless they close the browser itself, and then they would be prompted for authentication again). Since captive portal works for users that do not have IP-user mapping information relayed to the firewall from the agent or agentless service, you can create a new zone for the wifi network and disable user-identification on that zone. You can find below the document that explains how to setup captive portal, and the configuring the captive portal to use radius authentication.

https://live.paloaltonetworks.com/docs/DOC-1159

https://live.paloaltonetworks.com/docs/DOC-1410

Re: WiFi with 802.1x and Radius authentication - source user in traffic log problem

UhMayYeah — Tue, 25 Jun 2013 08:18:07 GMT

The following Doc talks about Radius (Cisco ACS) and User-ID integration in the environments using 802.1x devices and wireless access points and controllers.

A script can be configured to run on the Syslog server that will extract the user and IP information from the message, format it correctly for the UID-API, and then send it to the API agent.

UserID API integration using Syslog

Also check :https://live.paloaltonetworks.com/thread/7239

Re: WiFi with 802.1x and Radius authentication - source user in traffic log problem

_slv_ — Tue, 25 Jun 2013 09:28:27 GMT

>You can force the students to authenticate against captive portal.

I know. I'm using CP for test purpose.

>the students would have to enter the credentials just once, and they need not login multiple times

I know, logon from notebook is OK, but do it from smarfones - it so compicated (in my opinion, because smarphones has a small screen and etc).

Students want to be connected without enter credential every time he is in wiFi range. So that is the reason why I'm started thinking about 802.1x

Re: WiFi with 802.1x and Radius authentication - source user in traffic log problem

_slv_ — Tue, 25 Jun 2013 09:38:38 GMT

>The following Doc talks about Radius (Cisco ACS) and User-ID integration in the environments using 802.1x

uff - I expected simplest way to do it. Syslog server isn't a problem but as I remember that API uses administrator provilages of PAN, I wouldn't share that credentials.

Re: WiFi with 802.1x and Radius authentication - source user in traffic log problem

Quinton — Tue, 25 Jun 2013 13:01:28 GMT

You could use user-ID XML API of User-ID agent on a windows PC?

Re: WiFi with 802.1x and Radius authentication - source user in traffic log problem

_slv_ — Tue, 25 Jun 2013 13:24:29 GMT

Could you explain a bit?

I found only

My Radius is a Free Radius on Linux server - how can I read logs from them? I'm going to implement Splunk - but not now (I hope) - I have a lot of other things to do.

Re: WiFi with 802.1x and Radius authentication - source user in traffic log problem

Quinton — Tue, 25 Jun 2013 13:38:03 GMT

Sorry was in response to your statement "Syslog server isn't a problem but as I remember that API uses administrator provilages of PAN, I wouldn't share that credentials". I don't think you need PAN credentials if you use the user-id agent. The firewall API requires an username and password to upload user mappings. The software user-id agent running on a windows PC does not need PAN admin credentials to upload user mappings. You only need to configure the connection between the user-id agent and the firewall. The script extracts user to IP mappings and injects it to the user-id agent running on windows. Hope my explanation makes sense

Re: WiFi with 802.1x and Radius authentication - source user in traffic log problem

MydisplayNameis3 — Tue, 05 Nov 2013 23:03:09 GMT

It's a shame we can't have the cisco controllers send syslogs to PAN and PAN decode's them itself for which user just got which IP...

Re: WiFi with 802.1x and Radius authentication - source user in traffic log problem

mikand — Sun, 01 Dec 2013 17:49:45 GMT

You could send the cisco syslog to another pc (with access to the mgmt of the PA) which could parse the logs and then through the XML API of the PA device (RESTFUL api) insert which user is currently using which IP if im not mistaken.