topic Re: Aruba Wireless Authentication User-IP Mapping Question in General Topics

Aruba Wireless Authentication User-IP Mapping Question

Dan — Wed, 26 Sep 2018 18:20:15 GMT

Hi,

I have an Aruba Instant Cluster with an SSID set up to user a radius server to authenticate users. The cluster controller is configured to send syslog data to a Paloalto User Agent running on a Windows server. I've had this set up for a time but am now moving in to a updated OS (Windows 2016) and updated UA (8.0.10-7). My question revolves around wireless disconnects, when radius authenticated users leave the cluster or shut down their devices, I'd like the user-ip mapping to get deleted. In the syslog I get this to capture the authentication and mapping:

2018-09-26 11:12:36 Local1.Notice 10.54.132.240 Sep 26 11:12:36 2018 10.54.132.240 stm[2367]: <501199> <NOTI> <10.1.1.1 AC:A3:1E:C2:D2:9C> User authenticated, mac-a0:cc:2b:80:ad:bb, username-jsmith, IP-10.2.2.2, method-802.1x, role-PrivateSSID

But I don't see anything in the log that captures the disconnect that includes the user name. I do have this:

2018-09-26 11:13:39 Local1.Notice 10.54.132.240 Sep 26 11:13:39 2018 10.54.132.240 stm[2367]: <501217> <NOTI> <10.1.1.1 AC:A3:1E:C2:D2:9C> update_ip_mac_role_acl_vlan 15467: user entry deleted for 10.2.2.2-a0:cc:2b:80:ad:bb

But in building the syslog logoff filter in the UA GUI, it seems 'username' is required.

Anyone have suggestions on how I can build out a user agent logoff filter that can capture the wireless client disconnects?

Thanks.

Dan

Re: Aruba Wireless Authentication User-IP Mapping Question

BPry — Wed, 26 Sep 2018 18:41:12 GMT

@Dan,

Generally for something like this I would actually build it out with the API and not the user-id agent.

Re: Aruba Wireless Authentication User-IP Mapping Question

Dan — Wed, 26 Sep 2018 19:10:17 GMT

@BPry

As I havent' worked with the API, where would be a good place to start?

Thanks.

Re: Aruba Wireless Authentication User-IP Mapping Question

BPry — Wed, 26 Sep 2018 19:28:07 GMT

@Dan

HERE's some decent documentation that is based on 7.1. Process is the same though

Re: Aruba Wireless Authentication User-IP Mapping Question

TerjeLundbo — Thu, 27 Sep 2018 13:26:30 GMT

We also have Aruba and Palo Alto, but we chose to have our wireless controllers (campus, not Instant) send syslog data directly to the firewall instead of to a Windows server. See if you can find the string 'User de-authenticated' in your controllers logs, those entries should include the user name.

Re: Aruba Wireless Authentication User-IP Mapping Question

Dan — Thu, 11 Oct 2018 17:46:31 GMT

@TerjeLundbo

are you using the built in user-id agent and sending the syslog data to that or are you using the API as BPry suggested above? If you're sending/using the syslog data are you doing a regex expression and might you be able to share what that looks like?

Thanks.

Dan

Re: Aruba Wireless Authentication User-IP Mapping Question

TerjeLundbo — Fri, 12 Oct 2018 12:52:14 GMT

We are sending syslog from the controllers direct to our firewall. What you need to do is:

1. Go to Device -> User Identification and click on the Settings Button for Palo Alto Networks User-ID Agent Setup

2. Go to the tab called Syslog Filters and add the following two profiles:

Syslog Parse Profile:	Aruba Login
Type:			Field Identifier
Event String:		Authentication Successful
Username Prefix:	username=
Username Delimiter:	\s
Address Prefix:		IP=
Address Delimiter:	\s

Syslog Parse Profile:	Aruba Logout
Type:			Field Identifier
Event String:		User de-authenticated
Username Prefix:	name=
Username Delimiter:	\s
Address Prefix:		IP=
Address Delimiter:	\s

3. Add all your controllers and/or IAPs as Syslog Sender under Device -> User Identification -> Server Monitoring on PA. Set your AD domain as Default Domain Name and set the two Syslog Parse Profiles you added in step 2 as filter for events login and logout repsectively.

There are other steps you need to do also of course, like configure controllers/IAPs to send syslog to PA for user events. Let me know if you need more info.

PS! If I remember correctly the logout event (User de-authenticated) will be logged on controllers if the user manually disconnects from the wireless network. If the device is removed from the wireless network without disconnecting I don't think anything will be logged and the IP-user-mapping will timout on PA according to your setup.

Edit: I think support for the logout event came in PAN-OS 8. Earlier versions have only login events.

Re: Aruba Wireless Authentication User-IP Mapping Question

AndrewLeaver — Fri, 18 Jan 2019 09:48:59 GMT

Hi TerjeLundbo,

Please, could you post the syslog settings for an Aruba controller?

Many thanks

Andrew

Re: Aruba Wireless Authentication User-IP Mapping Question

MohamedSharief — Sun, 20 Jan 2019 14:35:44 GMT

This worked with me like a charm!

Regards,

Sharief

Re: Aruba Wireless Authentication User-IP Mapping Question

TerjeLundbo — Mon, 21 Jan 2019 12:00:32 GMT

On each wireless controller you need to enable logging of user authentications and you need to send each authentication event as syslog to the firewall. Commands are:

logging level notifications user process authmgr
logging <FW IP address> type user severity notifications facility local1 source-interface <mgmt vlan of the controller>