https://live.paloaltonetworks.com/t5/general-topics/aruba-ap-with-pan-user-id-mapping-with-ip-syslog-filters/m-p/352233#M87153 <P>I'm not sure why you are mentioning Windows.&nbsp; The native integration is where the Aruba Instant controller will directly update a PaloAlto device using the PaloAlto API.</P><P>&nbsp;</P><P>Impossible to say what is wrong.&nbsp; Some troubleshooting tasks that jump to mind</P><P>- Do a packet capture on the firewall to see if the syslog messages are arriving</P><P>- Check logs.&nbsp; System logs in the UI.&nbsp; From the command line there are mp-log files for useridd.log and syslog-ng.log that could be useful.</P><P>- Verify under User Identification that the server sending the syslog messages is configured as a Monitored Server with your regex profile</P><P>- Verify the interface receiving the syslog messages has an Interface Management Profile that allows the User-ID Syslog Listener</P> Fri, 25 Sep 2020 17:43:55 GMT alowther_chatham 2020-09-25T17:43:55Z https://live.paloaltonetworks.com/t5/general-topics/aruba-ap-with-pan-user-id-mapping-with-ip-syslog-filters/m-p/345704#M86378 <P>I'm trying to map User-ID to IP in our intranet so that we could easily identify User in PAN Traffic.</P><P>&nbsp;</P><P>We have Aruba APs adn AC authenticating with external Radius Server,&nbsp; While our PAN is sitting at the gateway.</P><P>&nbsp;</P><P>What i'm trying to do is using Aruba AC sending debug level logs to PAN,&nbsp; PAN could use Syslog Filters to filter our the mapping.</P><P>&nbsp;</P><P>I'm wondering Anyone have ever done that succuessfully?</P><P>&nbsp;</P><P>Thanks</P> Thu, 27 Aug 2020 11:41:57 GMT https://live.paloaltonetworks.com/t5/general-topics/aruba-ap-with-pan-user-id-mapping-with-ip-syslog-filters/m-p/345704#M86378 ZhenGuo 2020-08-27T11:41:57Z https://live.paloaltonetworks.com/t5/general-topics/aruba-ap-with-pan-user-id-mapping-with-ip-syslog-filters/m-p/345889#M86409 <P>Not sure about "AC", but I use Aruba Instant clusters.&nbsp; I integrate user-id with PaloAlto two ways.</P><P>&nbsp;</P><P>First, there is a native integration option</P><P><A href="https://www.arubanetworks.com/techdocs/Instant_40_Mobile/Advanced/Content/UG_files/RTLS_conf/panFirewallInt.htm" target="_blank">https://www.arubanetworks.com/techdocs/Instant_40_Mobile/Advanced/Content/UG_files/RTLS_conf/panFirewallInt.htm</A></P><P>&nbsp;</P><P>Second, a syslog filter on the PaloAlto</P><P>Event Regex: User [aA]uthenticat(?:ed|ion)</P><P>Username Regex: username[-=]([a-zA-Z0-9\\._-]+)</P><P>Address Regex: [iI][pP][-=]([0-9.]+)</P><P>&nbsp;</P><P>The syslog filter a backup in case the native integration fails.&nbsp; I am currently trying to report a bug with the native integration where the Aruba will use the PaloAlto API to send a logout followed immediately by a login for an IP.&nbsp; This often results in the login update not taking effect.</P> Fri, 28 Aug 2020 19:43:57 GMT https://live.paloaltonetworks.com/t5/general-topics/aruba-ap-with-pan-user-id-mapping-with-ip-syslog-filters/m-p/345889#M86409 alowther_chatham 2020-08-28T19:43:57Z https://live.paloaltonetworks.com/t5/general-topics/aruba-ap-with-pan-user-id-mapping-with-ip-syslog-filters/m-p/351004#M87026 <P>we don't have any integration on Windows.&nbsp;&nbsp;</P><P>Only Aruba AP, AC and PAN 850.&nbsp; &nbsp;I have tried with various Syslog Filter settings , but still nothing shows in Monitoring about Source User.&nbsp;&nbsp;</P><P>&nbsp;</P><P>I checked debug log in Aruba AC (Local), i could see all those '<SPAN>&lt;NOTI&gt; |authmgr| User Authentication Successful' logs, but can't reflect on PAN. no idea where set wrong.</SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Tue, 22 Sep 2020 09:54:33 GMT https://live.paloaltonetworks.com/t5/general-topics/aruba-ap-with-pan-user-id-mapping-with-ip-syslog-filters/m-p/351004#M87026 ZhenGuo 2020-09-22T09:54:33Z https://live.paloaltonetworks.com/t5/general-topics/aruba-ap-with-pan-user-id-mapping-with-ip-syslog-filters/m-p/352233#M87153 <P>I'm not sure why you are mentioning Windows.&nbsp; The native integration is where the Aruba Instant controller will directly update a PaloAlto device using the PaloAlto API.</P><P>&nbsp;</P><P>Impossible to say what is wrong.&nbsp; Some troubleshooting tasks that jump to mind</P><P>- Do a packet capture on the firewall to see if the syslog messages are arriving</P><P>- Check logs.&nbsp; System logs in the UI.&nbsp; From the command line there are mp-log files for useridd.log and syslog-ng.log that could be useful.</P><P>- Verify under User Identification that the server sending the syslog messages is configured as a Monitored Server with your regex profile</P><P>- Verify the interface receiving the syslog messages has an Interface Management Profile that allows the User-ID Syslog Listener</P> Fri, 25 Sep 2020 17:43:55 GMT https://live.paloaltonetworks.com/t5/general-topics/aruba-ap-with-pan-user-id-mapping-with-ip-syslog-filters/m-p/352233#M87153 alowther_chatham 2020-09-25T17:43:55Z