I tried to search for information on how to capture User-ID for BYOD using a Ruckus WLC but couldn't find useful info. Can anyone point me in the right direction?
Thanks in advance.
For BYOD, you can use captive portal to learn the mapping.
Thanks for the reply.
I am planning on using the Captive Portal as the second option; however, my plan is to use a wireless controller (Ruckus) to monitor the syslog event logs and extract the usernames and IP addresses.
I got a bit confused by the instructions in the link below, as it says "Determine whether there is a pre-defined syslog filter for your particular syslog sender(s). Palo Alto Networks provides several pre-defined syslog filters, which are delivered as Application content updates and are therefore updated dynamically as new filters are developed. The pre-defined filters are global to the firewall, whereas manually defined filters apply to a single virtual system only." We don't have a virtual system. Does that mean that I will not be able to create a manual filter for the WLC we have, which is a Ruckus WLC, if we don't have a virtual system?
You can send IP-user mappings to Palo Alto using the XML API. I have never used Ruckus, so I don't know how this can be implemented for their WLCs. Some RADIUS servers, like Aruba ClearPass, have built-in support for this.
I have a similar deployment, using a Cisco WLC with Cisco ISE. The WLC authenticates on ISE (RADIUS), which uses a variety of identity sources (mainly an AD domain, but it also proxies RADIUS queries to external sources). ISE "Passed Authentication" logs are sent to a couple of Win 2012 VMs which run PAN User-ID agents and extract the IP-UserID pair, which is made available to 4 PA firewalls. I use two servers to have some delay between reboots (to update Windows and/or User-ID), because each reboot clears the mappings. The two User-ID servers can also poll domain controllers to further improve both the detail and reliability of their data. Bonus: we have 802.1X implemented on our Cisco switches, so the whole thing works just the same for wired authentications.
This way we have:
- UserID = user -> user is on a non-AD client
- UserID = user@somewhere -> user is authenticated on external source (radius proxy), and comes from "somewhere"
- UserID = domain\user -> user is on an AD client (rewritten from UserID = user when the AD client polls the domain, after 802.1X auth)
Since every new authentication for an IP clears the database entry for the previous one, I've set the longest possible timeout for the IP-user association (there's basically no option for users to access our network without authentication... hacking aside, of course, but that's out of the scope of this thread, and even of PA).
That's all I can tell you; the whole thing works for us (>10k clients). Happy reg-ex'ing :-) (I assume Ruckus does things differently from Cisco ISE/WLC, so there's no point giving you our expressions.)
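The pipeline the two replies above describe (regex the username and IP out of the controller's syslog, keep one user per IP so a new authentication replaces the old one, then push the result to the firewall over the User-ID XML API) is written out below as an added example. It is not code from this thread, from Palo Alto Networks, or from Ruckus. The syslog line layout, the `wlc1` host, the users and addresses, and the `CORP` domain are constructed assumptions for illustration; the `uid-message` XML layout and the `type=user-id` API call are the documented PAN-OS User-ID XML API. Capture a few real lines from your WLC and adjust the two regexes to match them.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Constructed sample syslog lines. The field layout is hypothetical; it is NOT
# the real Ruckus or Cisco ISE format. Replace AUTH_RE / DISCONNECT_RE with
# expressions built from your own controller's output.
SAMPLE_SYSLOG = """\
<14>Jun 12 10:01:05 wlc1 auth: user=alice ip=10.20.30.41 mac=aa:bb:cc:dd:ee:01 result=PASS
<14>Jun 12 10:01:09 wlc1 auth: user=bob@partner.example ip=10.20.30.42 mac=aa:bb:cc:dd:ee:02 result=PASS
<14>Jun 12 10:01:12 wlc1 auth: user=mallory ip=10.20.30.43 mac=aa:bb:cc:dd:ee:03 result=FAIL
<14>Jun 12 10:02:30 wlc1 auth: user=carol ip=10.20.30.41 mac=aa:bb:cc:dd:ee:04 result=PASS
<14>Jun 12 10:03:00 wlc1 session: event=disconnect ip=10.20.30.42
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Only a successful authentication may create a mapping; a FAIL line must never
# bind a username to an address, or an attacker could plant mappings by failing.
AUTH_RE = re.compile(rf"auth: user=(?P<user>\S+) ip=(?P<ip>{IPV4}) .*\bresult=PASS\b")
DISCONNECT_RE = re.compile(rf"event=disconnect ip=(?P<ip>{IPV4})\b")


def normalize_user(user: str, domain: Optional[str]) -> str:
    """Prefix bare usernames with the AD domain (hypothetical 'CORP' in the
    example); leave user@realm and DOMAIN\\user forms untouched, matching the
    three shapes listed in the post above."""
    if "\\" in user or "@" in user or not domain:
        return user
    return f"{domain}\\{user}"


def parse_mappings(text: str, domain: Optional[str] = None
                   ) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Replay syslog lines into an ip -> user table.

    A later successful auth on the same IP overwrites the earlier user (the
    firewall holds one user per IP); a disconnect removes the mapping and is
    reported as a logout so the firewall can drop it before the timeout."""
    logins: Dict[str, str] = {}
    logouts: List[Tuple[str, str]] = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            logins[m["ip"]] = normalize_user(m["user"], domain)
            continue
        m = DISCONNECT_RE.search(line)
        if m and m["ip"] in logins:
            logouts.append((m["ip"], logins.pop(m["ip"])))
    return logins, logouts


def build_uid_message(logins: Dict[str, str], logouts: List[Tuple[str, str]],
                      timeout_minutes: int = 60) -> str:
    """Render the PAN-OS User-ID XML API payload (uid-message format).
    'timeout' is in minutes; the mapping expires unless refreshed."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    if logins:
        login = ET.SubElement(payload, "login")
        for ip, user in sorted(logins.items()):
            ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout_minutes))
    if logouts:
        logout = ET.SubElement(payload, "logout")
        for ip, user in logouts:
            ET.SubElement(logout, "entry", name=user, ip=ip)
    return ET.tostring(root, encoding="unicode")


def api_request(firewall: str, api_key: str, uid_xml: str) -> Tuple[str, Dict[str, str]]:
    """Return (url, form fields) for the User-ID API call; nothing is sent here.
    Submit with e.g. requests.post(url, data=fields, verify=ca_bundle), and keep
    the API key in a role restricted to the User-ID API only."""
    return (f"https://{firewall}/api/",
            {"type": "user-id", "key": api_key, "cmd": uid_xml})


if __name__ == "__main__":
    logins, logouts = parse_mappings(SAMPLE_SYSLOG, domain="CORP")
    print(build_uid_message(logins, logouts))
```

On the constructed input this yields a single login entry for 10.20.30.41 (carol, prefixed with the domain, superseding alice), no entry for mallory's failed attempt, and a logout for bob@partner.example, whose realm suffix is left alone. Run the real lines through `parse_mappings` first and inspect the table before pointing `api_request` at a production firewall.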