topic Re: User-ID for BYOD in General Topics

User-ID for BYOD

Sadik_Khirbash — Mon, 30 Oct 2017 18:10:27 GMT

Hello,

I tried to search for information on how to capture User-ID for BYOD using Ruckus WLC but couldn'd find usefull info? Can anyone point me in the right direction?

Thanks in advance.

~sK

Re: User-ID for BYOD

mgarg — Mon, 30 Oct 2017 18:28:46 GMT

For BYOD, you can use captive portal to learn the mapping.

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Captive-Portal/tac-p/60461#M926

Re: User-ID for BYOD

Sadik_Khirbash — Mon, 30 Oct 2017 20:18:41 GMT

Thanks for the reply.

I am planning on using the Captive Portal as the second option; however, my plan is to use a wireless controller(Rukus) to monitor the syslog event logs and extract the usernames and IP addresses.

I got a bit confused by the instructions in the link below as it says "Determine whether there is a pre-defined syslog filter for your particular syslog sender(s). Palo Alto Networks provides several pre-defined syslog filters, which are delivered as Application content updates and are therefore updated dynamically as new filters are developed. The pre-defined filters are global to the firewall, whereas manually defined filters apply to a single virtual system only." We don't have a virtual system. Does that mean that I will not be able to create a manual filter for the WLC we have which is Rucks WLC if we don't have a virtual system?

https://www.paloaltonetworks.com/documentation/60/pan-os/newfeaturesguide/user-id-features/user-id-integration-with-syslog#_50964

Best, ~zK

Re: User-ID for BYOD

TerjeLundbo — Tue, 31 Oct 2017 11:38:51 GMT

You can send IP-user-mappings to Palo Alto using XML API. I have never used Ruckus, so I don't know how this can be implemented for their WLCs. Some Radius servers, like Aruba ClearPass, have builtin support for this.

https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/user-id/send-user-mappings-to-user-id-using-the-xml-api

Re: User-ID for BYOD

Sadik_Khirbash — Tue, 07 Nov 2017 18:15:11 GMT

Thanks!

Best.

Re: User-ID for BYOD

michelealbrigo — Wed, 08 Nov 2017 08:38:31 GMT

I have a similar deployment, using a Cisco WLC with Cisco ISE. WLC authenticates on ISE (Radius) which uses a variety of identity sources (mainly an AD domain, but it also proxies Radius queries to external sources). ISE "Passed Authentication" logs are sent to a couple of Win 2012 VMs which run PAN User-ID agents and extract the IP-UserID pair, which is made available to 4 PA firewalls. I use two servers to have some delay between reboots (to update Windows and/or User-ID), because each reboot clears the mappings. The two User-ID servers also can poll domain controllers to further improve both detail and reliability of their data. Bonus: we have 802.1x implemented on our Cisco switches, so the whole thing works just the same for wired authentications.

This way we have:
- UserID = user -> user is on a non-AD client

- UserID = user@somewhere -> user is authenticated on external source (radius proxy), and comes from "somewhere"

- UserID = domain\user -> user is on an AD client (rewritten from UserID = user when the AD client polls the domain, after 802.1x auth)

Since every new authentication for an IP clears the database entry for the previous one, I've set the longest possible timeout for IP-user association (there's basically no option for users to access our network without authentication... ...hacking aside, of course, but that's out of the scope of this thread, and even of PA).

That's all I can tell you, the whole thing works for us (>10k clients). Happy reg-ex'ing 🙂 (I assume Ruckus does things differently from Cisco ISE/WLC, so no point giving you our expressions)