WiFi with 802.1x and Radius authentication - source user in traffic log problem


L4 Transporter

Hello

I'm thinking about a WiFi network for my students. Now they are authenticating on a HotSpot on Mikrotik APs. They are complaining that they must enter login and password so often.

HotSpot also isn't good for me because I can't see authenticated users in PAN logs.

Is it possible to configure 802.1x authentication on the AP and have in the logs the proper user name of the logged-in user that is using an IP attached from PAN DHCP?

Authentication is made by Radius (Free Radius) - not by Active Directory!

If my idea is bad, please advise me how to do that.

With regards

Slawek

9 REPLIES

L5 Sessionator

Hi Slawek,

You can force the students to authenticate against captive portal. They can be authenticated against a radius server, although it is not necessary to configure the radius auth on the AP. You can have a dedicated radius server for the authentication. With captive portal configuration, the students would have to enter the credentials just once, and they need not login multiple times (unless they close the browser itself, and then they would be prompted for authentication again). Since captive portal works for users that do not have IP-user mapping information relayed to the firewall from the agent or agentless service, you can create a new zone for the wifi network and disable user-identification on that zone. You can find below the document that explains how to set up captive portal, and how to configure the captive portal to use radius authentication.

https://live.paloaltonetworks.com/docs/DOC-1159

https://live.paloaltonetworks.com/docs/DOC-1410

L5 Sessionator

The following Doc talks about Radius (Cisco ACS) and User-ID integration in the environments using 802.1x devices and wireless access points and controllers.

A script can be configured to run on the Syslog server that will extract the user and IP information from the message, format it correctly for the UID-API, and then send it to the API agent.

UserID API integration using Syslog

Also check: https://live.paloaltonetworks.com/thread/7239
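An added example of the kind of script the reply above describes (this is not code from the thread or from Palo Alto Networks): it parses constructed FreeRADIUS accounting lines, maps Acct Start/Stop to User-ID login/logout, and builds the uid-message XML the User-ID API accepts. The one-line log format is constructed, and the agent listener port 5007 is an assumed default to adjust for your deployment.

```python
import re
import socket
from xml.etree import ElementTree as ET

# Constructed sample lines in a one-line syslog style; real FreeRADIUS
# output depends on your detail/linelog configuration.
SAMPLE_LINES = [
    'Mar 12 10:15:01 radius freeradius[1234]: Acct-Status-Type = Start, '
    'User-Name = "jkowalski", Framed-IP-Address = 10.20.30.41',
    'Mar 12 10:15:02 radius freeradius[1234]: Acct-Status-Type = Interim-Update, '
    'User-Name = "jkowalski", Framed-IP-Address = 10.20.30.41',
    'Mar 12 11:40:17 radius freeradius[1234]: Acct-Status-Type = Stop, '
    'User-Name = "jkowalski", Framed-IP-Address = 10.20.30.41',
    'Mar 12 11:41:00 radius freeradius[1234]: Acct-Status-Type = Start, '
    'User-Name = "anowak", Framed-IP-Address = 10.20.30.55',
]

ACCT_RE = re.compile(
    r'Acct-Status-Type = (?P<status>[\w-]+),\s*'
    r'User-Name = "(?P<user>[^"]+)",\s*'
    r'Framed-IP-Address = (?P<ip>\d{1,3}(?:\.\d{1,3}){3})')

def parse_events(lines):
    """Map Acct Start -> login and Stop -> logout; ignore Interim-Update etc."""
    events = []
    for line in lines:
        m = ACCT_RE.search(line)
        if m and m.group('status') in ('Start', 'Stop'):
            action = 'login' if m.group('status') == 'Start' else 'logout'
            events.append((action, m.group('user'), m.group('ip')))
    return events

def build_uid_message(events, timeout_minutes=60):
    """Build the User-ID XML API uid-message with login/logout entries."""
    root = ET.Element('uid-message')
    ET.SubElement(root, 'version').text = '1.0'
    ET.SubElement(root, 'type').text = 'update'
    payload = ET.SubElement(root, 'payload')
    groups = {'login': ET.SubElement(payload, 'login'),
              'logout': ET.SubElement(payload, 'logout')}
    for action, user, ip in events:
        attrs = {'name': user, 'ip': ip}
        if action == 'login':  # a mapping timeout only makes sense for logins
            attrs['timeout'] = str(timeout_minutes)
        ET.SubElement(groups[action], 'entry', attrs)
    return ET.tostring(root, encoding='unicode')

def send_to_agent(xml, host, port=5007):
    """Push the message to the User-ID agent's XML API listener (assumed default port)."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(xml.encode())
```

Running this from the syslog host keeps the firewall admin credentials out of the script, since only the agent connection is involved; if you post to the firewall's own API instead, the same XML goes in the `cmd` parameter of a `type=user-id` request.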

>You can force the students to authenticate against captive portal.

I know. I'm using CP for test purpose.

>the students would have to enter the credentials just once, and they need not login multiple times

I know, logon from a notebook is OK, but doing it from smartphones is so complicated (in my opinion, because smartphones have a small screen, etc.).

Students want to be connected without entering credentials every time they are in WiFi range. So that is the reason why I started thinking about 802.1x.

>The following Doc talks about Radius (Cisco ACS) and User-ID integration in the environments using 802.1x

uff - I expected a simpler way to do it. A syslog server isn't a problem, but as I remember that API uses administrator privileges of PAN, and I wouldn't share those credentials.

You could use the User-ID XML API of the User-ID agent on a Windows PC?

Could you explain a bit?

I found only

My Radius is a Free Radius on a Linux server - how can I read logs from it? I'm going to implement Splunk - but not now (I hope) - I have a lot of other things to do.

Sorry, that was in response to your statement "Syslog server isn't a problem but as I remember that API uses administrator privileges of PAN, I wouldn't share that credentials". I don't think you need PAN credentials if you use the user-id agent. The firewall API requires a username and password to upload user mappings. The software user-id agent running on a Windows PC does not need PAN admin credentials to upload user mappings. You only need to configure the connection between the user-id agent and the firewall. The script extracts user to IP mappings and injects them into the user-id agent running on Windows. Hope my explanation makes sense :)

It's a shame we can't have the Cisco controllers send syslogs to PAN and have PAN decode them itself to see which user just got which IP...

You could send the Cisco syslog to another PC (with access to the mgmt of the PA) which could parse the logs and then, through the XML API of the PA device (RESTful API), insert which user is currently using which IP, if I'm not mistaken.
