Need help with Enterasys NAC/NMS and PaloAlto UserID

L1 Bithead

Need help with Enterasys NAC/NMS and PaloAlto UserID

Duplicate thread to Knowledgebase question, but need help making the info from this technote work:

Enterasys User ID integration, by Marc Benoit and Nick Piagentini


Running a PA-4020, 4.1.6 code and associated UserID agent on an AD server - NMS 4.2

Tried putting perl script on NMS and NAC server - does not appear to launch on either.

L1 Bithead

Re: Need help with Enterasys NAC/NMS and PaloAlto UserID

NAC notifications are broken in 4.2. I had a case open with Enterasys that was recently resolved with the release of 4.3...however, I have not yet tested.

...sounds like an upgrade to 4.3 may be required for you as well.  Also, FYI...it seems as though this NAC notification fix was not reported in the NAC 4.3 release notes.

I hope that this helps.

L1 Bithead

Re: Need help with Enterasys NAC/NMS and PaloAlto UserID

Thanks - am I reading the docs correctly that the script lives on the NetSight NMS server appliance, not the NAC appliance?

I'll update and report back - need to check on a report of extremely slow Compass searches in NetSight 4.3 I saw on the listserv first.

L1 Bithead

Re: Need help with Enterasys NAC/NMS and PaloAlto UserID

Correct. I have confirmed with ETS GTAC that the NAC notifications are processed by Netsight, not the NAC gateways. So, the perl script must be located on the Netsight appliance to be triggered by the NAC notifications of end-system event changes.

Again, I have not yet implemented user-id integration...but hope to soon.

I saw the same 4.3 compass search issues on the listserv...looks like a bug fix may be in the works.

Good luck!

Not applicable

Re: Need help with Enterasys NAC/NMS and PaloAlto UserID

Hi,

One thing that helped me in the troubleshooting of the integration was to make a copy of the perl script on the netsight server and change it to dump out a text file so you can verify what is actually being notified on in NAC as well as verifying if state changes are correctly causing notification.

You would need to change the nac_pub.pl to contain something like the following.

#!/bin/bash
# append every argument NAC passed to this script as one line of out.txt
echo "$@" >> out.txt

I then saved it as test-trigger.sh but you can pick whatever name.

Finally, set up the notifications in NAC the same way as for the nac_pub.pl but tell it to run the test-trigger.sh.

You should now be able to run the following command from an ssh session on the netsight server that will monitor the changes as they happen.

tail -f out.txt

If you want additional readability or insight into what is happening you can modify the notification to send different fields.

Hopefully that helps with some of your troubleshooting and getting the correct information that Enterasys needs.
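An added example, not from the post above and not Enterasys' nac_pub.pl: a fuller version of the test-trigger.sh wrapper that timestamps each record and numbers and quotes every argument, so empty or space-containing fields stay visible in the log. It writes to an absolute path because the working directory Netsight launches the script from is not documented here; the NAC_TEST_LOG variable and the /var/tmp default are assumptions.

```shell
#!/bin/sh
# Added example (not the original post's script): drop-in replacement for
# test-trigger.sh. One line per NAC notification, each argument numbered and
# single-quoted. Absolute log path: the cwd Netsight uses is unknown, so a
# relative out.txt may land somewhere unexpected. Assumption: /var/tmp is
# writable by the account Netsight runs notification scripts as.

LOGFILE="${NAC_TEST_LOG:-/var/tmp/nac-notify.log}"

# format_record TIMESTAMP ARG... -> "<ts> argc=N 1='a' 2='b' ..."
format_record() {
    rec_ts="$1"; shift
    rec_line="$rec_ts argc=$#"
    rec_i=1
    for rec_arg in "$@"; do
        rec_line="$rec_line $rec_i='$rec_arg'"
        rec_i=$((rec_i + 1))
    done
    printf '%s\n' "$rec_line"
}

# log_notification ARG... : append one record for this invocation to $LOGFILE
log_notification() {
    format_record "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$@" >> "$LOGFILE"
}

# When NAC invokes the script it passes the configured fields as arguments;
# log them. With no arguments (e.g. sourced for testing) do nothing.
if [ "$#" -gt 0 ]; then
    log_notification "$@"
fi
```

Watch the file with tail -f /var/tmp/nac-notify.log (or whatever NAC_TEST_LOG is set to) from an ssh session on the Netsight server, exactly as with out.txt above.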
