by Marcos Buzo (Live Community username: @MarcosBuzo)
This document describes how to configure Cisco ISE to send user-id information to PAN-OS.
This scenario was deployed with Cisco ISE 1.4.0-253 and PAN-OS 6.1 and 7.0.
In the scenario described here, user-id integration with Active Directory is already working, so the goal is to collect only user-id information for Guest users from Cisco ISE. You can change this behavior by removing or changing the subnets in the regular expressions of the syslog parse profile.
Cisco ISE works as a RADIUS server to authenticate and authorize users on a network. We are going to forward the RADIUS Authentication and Accounting logs from ISE to PAN-OS over syslog.
Repeat the steps below for each additional device that should receive the user-id log information.
Here comes the tricky part: for wireless devices, Cisco ISE includes the user-id information only in the Authentication logs, while for wired devices it includes it only in the Accounting logs. A parse profile that matches just one of the two message types will therefore miss either the wireless or the wired users.
In this example, we have:
Adjust the Event regex below according to your needs, so that it matches both message types if you need wireless and wired users.
The Cisco ISE 2.1 syslog parse profile should look like this:
Add ISE servers to Server Monitoring list
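To make the parse profile logic concrete, here is an added Python example (not code from the original article or from Palo Alto Networks) that models how a PAN-OS "regex identifier" syslog parse profile would treat ISE messages: an Event regex selects login events, and the first capture group of the Username and Address regexes yields the mapping. The regexes, the guest subnet 192.168.100.0/24 and the sample syslog lines are assumptions constructed for the example, modelled on the ISE message layout rather than copied from a real capture. It shows the two points above: the Event regex has to match both CISE_Passed_Authentications (wireless) and CISE_RADIUS_Accounting (wired), and the subnet restriction lives in the Address regex, so removing it maps every ISE user instead of only guests.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class SyslogParseProfile(NamedTuple):
    """Simplified model of a PAN-OS syslog parse profile of type 'regex identifier'.

    event_regex selects which messages count as login events; username_regex and
    address_regex extract the user and IP from capture group 1 of their first match.
    """
    event_regex: "re.Pattern[str]"
    username_regex: "re.Pattern[str]"
    address_regex: "re.Pattern[str]"


# Profile restricted to the (assumed) guest subnet 192.168.100.0/24.
# The Event regex matches both ISE message classes because wireless logins carry
# the user/IP in Passed_Authentications and wired logins carry them in RADIUS_Accounting.
GUEST_ONLY_PROFILE = SyslogParseProfile(
    event_regex=re.compile(r"CISE_(Passed_Authentications|RADIUS_Accounting)"),
    username_regex=re.compile(r"UserName=([^,\s]+)"),
    address_regex=re.compile(r"Framed-IP-Address=(192\.168\.100\.\d{1,3})"),
)

# Same profile with the subnet restriction removed: every ISE login is mapped.
ALL_SUBNETS_PROFILE = GUEST_ONLY_PROFILE._replace(
    address_regex=re.compile(r"Framed-IP-Address=((?:\d{1,3}\.){3}\d{1,3})")
)

# Constructed sample messages modelled on the ISE syslog layout; not real captures.
SAMPLE_MESSAGES: List[str] = [
    # wireless guest: user/IP present in the passed-authentication message
    "<181>Jan 10 10:00:01 ise01 CISE_Passed_Authentications 0000000101 1 0 2016-01-10 10:00:01.123 -03:00 "
    "0000045001 5200 NOTICE Passed-Authentication: Authentication succeeded, UserName=guest-wifi01, "
    "Framed-IP-Address=192.168.100.15, NetworkDeviceName=wlc01, NAS-Port-Type=Wireless-IEEE-802.11,",
    # wired guest: user/IP present only in the accounting message
    "<181>Jan 10 10:00:05 ise01 CISE_RADIUS_Accounting 0000000102 1 0 2016-01-10 10:00:05.456 -03:00 "
    "0000045002 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, UserName=guest-wired02, "
    "Framed-IP-Address=192.168.100.22, NetworkDeviceName=sw-access01, Acct-Status-Type=Start,",
    # corporate user on the AD-mapped subnet: excluded by the guest-only address regex
    "<181>Jan 10 10:00:09 ise01 CISE_Passed_Authentications 0000000103 1 0 2016-01-10 10:00:09.789 -03:00 "
    "0000045003 5200 NOTICE Passed-Authentication: Authentication succeeded, UserName=alice, "
    "Framed-IP-Address=10.0.50.31, NetworkDeviceName=wlc01, NAS-Port-Type=Wireless-IEEE-802.11,",
    # failed authentication: must never produce a mapping
    "<181>Jan 10 10:00:12 ise01 CISE_Failed_Attempts 0000000104 1 0 2016-01-10 10:00:12.000 -03:00 "
    "0000045004 5400 NOTICE Failed-Attempt: Authentication failed, UserName=guest-bad03, "
    "Framed-IP-Address=192.168.100.40, NetworkDeviceName=wlc01,",
]


def parse_message(message: str, profile: SyslogParseProfile) -> Optional[Tuple[str, str]]:
    """Return (ip, username) if the message is a login event carrying both fields, else None."""
    if not profile.event_regex.search(message):
        return None
    user = profile.username_regex.search(message)
    addr = profile.address_regex.search(message)
    if user is None or addr is None:
        return None
    return addr.group(1), user.group(1)


def build_ip_user_mappings(messages: List[str], profile: SyslogParseProfile) -> Dict[str, str]:
    """Process messages in order; a later login for the same IP overwrites the earlier one,
    which is how an IP-to-user table behaves when an address is reused."""
    mappings: Dict[str, str] = {}
    for message in messages:
        parsed = parse_message(message, profile)
        if parsed is not None:
            ip, username = parsed
            mappings[ip] = username
    return mappings


if __name__ == "__main__":
    for label, profile in (("guest only", GUEST_ONLY_PROFILE), ("all subnets", ALL_SUBNETS_PROFILE)):
        print(label, build_ip_user_mappings(SAMPLE_MESSAGES, profile))
```

With the guest-only profile the two guest logins are mapped and the AD user on 10.0.50.31 is ignored, leaving that subnet to the existing Active Directory integration; with the all-subnets profile the AD user is mapped as well. The failed attempt never produces a mapping under either profile, because its message class is not matched by the Event regex. When you test the real profile on the firewall, feed it one wireless and one wired login and confirm both appear in `show user ip-user-mapping all type SYSLOG`.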
Now you are good to go! Your PAN-OS firewall should be receiving user-id information from Cisco ISE. You can use the following CLI commands to verify that it is working:
show user server-monitor state
show user ip-user-mapping all type SYSLOG
test user-id user-id-syslog-parse
tail follow yes mp-log useridd.log