Integrating Cisco ISE Guest Authentication with PAN-OS

by 07-18-2016 07:01 AM - edited 02-12-2018 03:25 AM (63,147 Views)

by Marcos Buzo (Live Community username: @MarcosBuzo)


This document describes how to configure Cisco ISE to send user-id information to PAN-OS.

This scenario was deployed with Cisco ISE 1.4.0-253 and PAN-OS 6.1 and 7.0. 

In the scenario described here, User-ID integration with Active Directory is already working, so the idea is to collect only Guest user-id information from Cisco ISE. You can change this behavior just by removing or changing the subnets in the regular expressions.


Cisco ISE works as a RADIUS server to authenticate and authorize users on a network. We are going to forward RADIUS Authentication and Accounting logs to PAN-OS.



Configure a new remote log target on Cisco ISE; the target device is going to be PAN-OS:

  • Choose Administration > System > Logging > Remote Logging Targets.
  • Click Add.
  • Give it a name you like. For Target Type, select UDP Syslog. For IP Address, fill in the PAN-OS Management Interface IP address.
  • Click Submit.



Repeat the steps above if you want to send user-id log information to other devices.


Configuring ISE to forward Passed Authentication Syslog Messages

  • Choose Administration > System > Logging > Logging Categories.
  • Click Passed Authentications.
  • Select the remote log target you created before on the “Available” column, and click the “>” sign to move it to the “Selected” column.
  • Click Save.



Configuring ISE to forward RADIUS Accounting Syslog Messages

  • Choose Administration > System > Logging > Logging Categories.
  • Click RADIUS Accounting.
  • Select the remote log target you created before on the “Available” column and click the “>” sign to move it to the “Selected” column.
  • Click Save.




Enable User-ID Syslog Listener-UDP on PAN-OS

  • Choose Device > Setup > Management Interface Settings.
  • Check the User-ID Syslog Listener-UDP box.
  • Click OK.



Create a Syslog Parse Profile to match the interesting information in syslog messages

  • Choose Device > User Identification > User Mapping.
  • Edit Palo Alto Networks User ID Agent Setup and click Syslog Filters.
  • Click Add.
  • Fill all the fields according to the information below.


Here comes the tricky part: for wireless devices, Cisco ISE sends the user-id information only in the Passed Authentications logs, while for wired devices Cisco ISE sends the user-id information in the RADIUS Accounting logs.

In this example, we have:


  • = Wireless Guest
  • = Wireless Guest
  • = Wired Guest

So, adjust the Event regex below according to your needs.


  • Syslog Parse Profile: Cisco ISE
  • Event regex: ([A-Za-z0-9].*CISE_Passed_Authentications.*((Framed-IP-Address=10\.10\.130)|(Framed-IP-Address=10\.10\.30))|([A-Za-z0-9].*CISE_RADIUS_Accounting.*(Framed-IP-Address=10\.10\.140)))
  • Username Regex: (?<=UserName=|User-Name=)[\w-]+
  • Address Regex: Framed-IP-Address=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) 
  • Click OK.
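
As an added example (not part of the original article), the following Python script applies the three regexes above to a few constructed ISE-style messages and shows which ones the parse profile would turn into a user-to-IP mapping and which it ignores. The Event and Address regexes are taken verbatim; the Username regex is rewritten for Python's re module, which requires fixed-width look-behinds, with the same meaning. The sample messages, user names and addresses are constructed, not captured from a real ISE.

```python
import re

# Regexes from the article's Syslog Parse Profile. Only the Username regex is
# adapted: Python's re needs fixed-width look-behinds, so the single
# (?<=UserName=|User-Name=) becomes two alternated look-behinds with the same meaning.
EVENT_RE = re.compile(
    r"([A-Za-z0-9].*CISE_Passed_Authentications.*"
    r"((Framed-IP-Address=10\.10\.130)|(Framed-IP-Address=10\.10\.30))"
    r"|([A-Za-z0-9].*CISE_RADIUS_Accounting.*(Framed-IP-Address=10\.10\.140)))"
)
USERNAME_RE = re.compile(r"(?:(?<=UserName=)|(?<=User-Name=))[\w-]+")
ADDRESS_RE = re.compile(
    r"Framed-IP-Address=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"
)


def parse_ise_message(msg):
    """Apply the profile the way the listener does: the Event regex decides whether
    the message is interesting at all; only then are Username and Address
    extracted. Returns (user, ip) or None when no mapping would be created."""
    if not EVENT_RE.search(msg):
        return None
    user = USERNAME_RE.search(msg)
    addr = ADDRESS_RE.search(msg)
    if not user or not addr:
        return None
    return user.group(0), addr.group(1)


# Constructed messages in the shape of ISE syslog output (not real captures).
# The syslog header in front of CISE_... matters: the Event regex wants an
# alphanumeric character somewhere ahead of the CISE_ keyword.
HEADER = "<181>Mar 29 10:15:02 ise01 "
SAMPLES = {
    # wireless guest: mapped from the Passed Authentications log
    "wireless_auth": HEADER + "CISE_Passed_Authentications 0000001234 1 0 NOTICE "
        "Passed-Authentication: Authentication succeeded, UserName=guest01, "
        "NAS-Port-Type=Wireless - IEEE 802.11, Framed-IP-Address=10.10.130.25,",
    # wired guest: mapped from the RADIUS Accounting log
    "wired_acct": HEADER + "CISE_RADIUS_Accounting 0000001235 1 0 NOTICE "
        "Radius-Accounting: RADIUS Accounting start request, User-Name=guest02, "
        "NAS-Port-Type=Ethernet, Framed-IP-Address=10.10.140.7, Acct-Status-Type=Start,",
    # accounting for the wireless subnet: not selected, the profile takes
    # accounting only for 10.10.140
    "wireless_acct_ignored": HEADER + "CISE_RADIUS_Accounting 0000001236 1 0 NOTICE "
        "Radius-Accounting: RADIUS Accounting start request, User-Name=guest01, "
        "Framed-IP-Address=10.10.130.25, Acct-Status-Type=Start,",
    # corporate subnet: deliberately excluded, AD-based User-ID already covers it
    "corporate_auth_ignored": HEADER + "CISE_Passed_Authentications 0000001237 1 0 NOTICE "
        "Passed-Authentication: Authentication succeeded, UserName=jdoe, "
        "Framed-IP-Address=10.20.5.12,",
    # ISE writes DOMAIN\user with an escaped backslash; [\w-]+ stops at the backslash,
    # so only the domain part is captured for such a user
    "domain_user_acct": HEADER + "CISE_RADIUS_Accounting 0000001238 1 0 NOTICE "
        "Radius-Accounting: RADIUS Accounting start request, User-Name=EUROPE\\\\User1, "
        "Framed-IP-Address=10.10.140.9, Acct-Status-Type=Start,",
}


def parse_all(samples=SAMPLES):
    """Run every sample through the profile; None means 'no mapping created'."""
    return {name: parse_ise_message(msg) for name, msg in samples.items()}


if __name__ == "__main__":
    for name, result in parse_all().items():
        print(f"{name:24s} -> {result}")
```

Running the script prints one line per sample. The last case is the one to watch: because a backslash is not a word character, [\w-]+ captures only the domain part of DOMAIN\user, which is harmless for a guest portal but not for domain users. The same messages can be fed to the firewall with the test user-id user-id-syslog-parse command listed at the end of the article to confirm the profile behaves the same way on PAN-OS.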



The Cisco ISE 2.1 syslog parse profile should look like this:

Event Regex

Username Regex

Address Regex


Add ISE servers to Server Monitoring list

  • Choose Device > User Identification > User Mapping.
  • Under Server Monitoring, click Add.
  • Give it a name and a description you like.
  • For Type, choose Syslog Sender.
  • For Network Address, insert your Cisco ISE IP address.
  • For Connection Type, choose UDP.
  • For Filter, select Cisco ISE.
  • For Default Domain Name, insert your netbios domain name or the information that matches your environment.
  • Click Commit.




Now you are good to go! Your PAN-OS should be receiving user-id information from Cisco ISE. You can use the following CLI commands to verify that it's working fine:


show user server-monitor state 
show user ip-user-mapping all type SYSLOG
test user-id user-id-syslog-parse
tail follow yes mp-log useridd.log



Configuring Cisco ACS to send RADIUS Accounting directly to the firewall using Syslog
Configuring ISE to Forward User Login Events to CDA


If this information has been helpful to you, or piqued your interest or curiosity and desire to learn more, please leave a thumbs up, a comment, or a question in the section below.



Marcos Buzo



by Brandon_Wertz
on 07-26-2016 08:37 AM

Great implementation document!


One thing, it would be nice if there was something that defined what code levels this has been tested or built against.


The ISE UI has changed drastically, from 1.1, 1.2, 1.3 and on; even to 2.0.  Palo's UI has also had similar changes.


If there was a comment at least identifying the code versions of each, I just think it would be good to highlight.

by MarcosBuzo
on 08-03-2016 07:20 AM

Hi Brandon, 


This scenario was deployed with Cisco ISE 1.4.0-253 and PAN-OS 6.1 and 7.0. 

I'll check the newer ISE versions as soon as I have a chance to do that.


Thank you for the suggestions!



on 08-03-2016 07:28 AM

I'll go ahead and add the comment, thanks @Brandon_Wertz and @MarcosBuzo

by sylvain.cassan
on 08-31-2016 08:58 AM



I have quite the same configuration, except I'm using the Field Identifier instead of the regexp; it's maybe simpler.

I don't know if you did the test in a multi-system environment, but in my case I had to use several interfaces of the firewall depending on the Virtual System. If I use only one interface in the ISE to send the SYSLOG, then the message is handled only by the first VSYS and the authentication is not taken into account in the second or third one (bad configuration?).


So in a virtual system environment you cannot use the Management IP address of the firewall.





by MarcosBuzo
on 09-02-2016 09:14 AM

Hi Sylvain,


Indeed, I have not tested this solution in a multi-system environment. Thank you for this information, I am sure this will be useful for anyone implementing on this scenario.


About the field identifier versus the regexp: we used the regexp because we wanted to collect only the user information about the guest network. All the other networks' user information is already being collected through Active Directory.


Please, share your Field Identifier setup with us, I believe that would be very useful for those that are looking for a "full" implementation through Cisco ISE, not just Guest networks.


Best Regards,

Marcos Buzo


by sylvain.cassan
on 09-05-2016 01:38 AM



Regarding the Field Identifier the configuration is quite simple:



This configuration is working fine with ISE 1.2.1. I think the Address must be modified for Cisco ISE 1.4.

The best way to check is to capture a syslog event sent by the ISE and then to use the test command to verify the parser.

We are using this configuration with a Guest Portal on the ISE. It's maybe different with automatic connections.




by sylvain.cassan
on 09-19-2016 07:24 AM

Some information regarding the multi vsys.

You cannot put the same IP for a listener on vsys1 and a listener on vsys2.

There are two possible configurations:

- 1 listener with IP A on VSYS1 and 1 listener with IP B on VSYS2

- All the listeners you want on VSYS1 and a redistribution of the mapping table to the other VSYS





by danilolmcardoso
on 09-22-2016 10:25 AM

Hi MarcosBuzo

Nice document!


Best Regards


Danilo Cardoso

by CPPalo
on 02-07-2017 11:16 PM

For Cisco ISE 2.1 the syslog parse profile should look like this:



Event Regex



Username Regex



Address Regex





by MarcosBuzo
on 02-15-2017 04:20 AM

Thanks for the Update @CPPalo.

@reaper Could you update the article, please?



Marcos Buzo

on 02-15-2017 04:28 AM


by CPPalo
on 03-10-2017 03:44 AM

Little Update.


Something in the regex proposed by me is causing the firewall to reboot itself after some time.


PAN-OS version 7.1.6.


Part of the reply from Support:


1) segmentation fault is observed:
Feb 8 08:11:11 mgmt kernel: useridd[4517]: segfault at 8 ip 00000000f736e82c sp 00000000e848f0d0 error 4 in[f720e000+334000]
Feb 8 08:12:16 mgmt kernel: useridd[5267]: segfault at 8 ip 00000000f73e582c sp 00000000e740d0d0 error 4 in[f7285000+334000]
Feb 8 08:16:49 mgmt kernel: useridd[5460]: segfault at 8 ip 00000000f739382c sp 00000000e814d0d0 error 4 in[f7233000+334000]
2) the regex looks not to be matched properly
2017-02-08 08:57:27.993 +0100 pan_user_id_syslog_server_apply_regex_to_msg: No match found in msg <181>
3) userid crashes multiple times which ends up in firewall reboot



UserID is matched, but after a few minutes the firewall ends up rebooting itself with the error message:


useridd: restarts exhausted, rebooting system



I've upgraded ISE to version 2.2 and I'm going to try once again to create a regex for userid.



by sib2017
on 03-27-2017 02:12 AM


ISE version:


Event Regex

Username Regex

Address Regex



This does not work for me

show user server-monitor state ISE-01

UDP Syslog Listener Service is disabled
SSL Syslog Listener Service is disabled

Proxy: ISE-01(vsys: vsys1) Host: ISE-01(
number of log messages : 0
number of auth. success messages : 0




by sib2017
on 03-27-2017 03:45 AM


Could you post the regex for a subnet, for example?


by CPPalo
03-29-2017 02:38 AM - edited 03-29-2017 02:40 AM

I've rewritten the regex for Cisco ISE 2.2 (newest version) and it's working OK.


Event Regex

Username Regex

Address Regex


Quick Explanations:


The regex for the username for Cisco ISE consists of two conditions joined with or (|); this is necessary if you are using AnyConnect as the 802.1x supplicant and the native Windows 802.1x supplicant.

AnyConnect sends the username as:

Windows supplicants send the username as: DOMAIN\\


Because of that, on the Palo you have to strip DOMAIN\\ from the username (second condition) to create policies based on AD groups.

The user is matched according to the regex inside the brackets:



This regex is pretty simple: it matches everything which contains a-z, A-Z, 0-9 and the special characters { . - @ _ / }




The regex for the IP address could look like this:




so it matches -


You can check your regex on the site:

by CPPalo
on 03-29-2017 02:52 AM




"This does not work for me

show user server-monitor state ISE-01

UDP Syslog Listener Service is disabled
SSL Syslog Listener Service is disabled

Proxy: ISE-01(vsys: vsys1) Host: ISE-01(
number of log messages : 0
number of auth. success messages : 0


You have the UDP Syslog Listener Service disabled; you should enable it.


And also change Event Regex (for ISE 2.0) to:

Event Regex



by Scooby
on 04-06-2017 07:48 AM



Having the same issue; it doesn't work, and I have upgraded to 2.2.

As this is using a sponsor page, should I still see a username against the traffic?


I see on syslog when a user first joins and connects to the sponsor page



Should this be showing on the PA?


Tried on the PA directly and on Panorama.



by bradcl_15
on 04-24-2017 12:49 AM

Would it be possible, instead of restricting the Event RegEx to subnets, to restrict the Event RegEx to the Authorization Rule in Cisco ISE?


I have Active Directory monitoring the Wired LAN authentications and don't want Cisco ISE's 802.1x machine authentication usernames coming across to the Palo, but at the same time I need the Cisco ISE wireless authentications, which are using the same subnet, as well as the Wired-CWA authentications.


In the Syslog messages from ISE there is an object, AuthorizationPolicyMatchedRule, which I thought I could possibly match?




by cmaxwell
on 05-12-2017 06:53 AM

I am trying to use ISE authentication at 50 different locations on the PA-220 with an L2 deployment (a single FW handling 2-3 users, all directly connected to the device). Does this mean I have to have 50 different entries in the ISE UDP Syslog setup (one for each IP address)?



by MikeC_PAN
on 06-07-2017 06:08 PM

Any thoughts on a regex to pull the Framed-IPv6-Address out of ISE? Here is an example of what I am trying to parse. I need to ignore the link local (fe80) for the following log information:


Framed-IPv6-Address=fe80::141e:2de6:91f4:e215, Framed-IPv6-Address=2620:102:4009:1d16:d:fbc1:cc03:3e





by vishalr7589
on 07-28-2017 08:39 AM

Hi all,


Why is TCP syslog not recommended/suggested in the above solution? TCP syslog being reliable, can we use the above approach with TCP syslog configured in ISE? Does Palo Alto support parsing of TCP information from the Syslog Server and using it in a Security Rule based on Users?




by sringstad
on 09-15-2017 01:35 AM

It seems like the PA is able to map user-id, but nothing shows up in the user-id logs. PAN-OS 8.0.3, Cisco ISE


Anyone have a similar issue and know how to fix it?


admin@pa03> show user ip-user-mapping all type SYSLOG

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
                vsys1  SYSLOG  guest\simen                      2538           2538


by CharlyBonneau
on 02-21-2018 07:54 AM


In order to manage Multi-Domain Users, I absolutely need to obtain from ISE the following info: DOMAIN\Username!


From the following test string:
CISE_RADIUS_Accounting 0000001170 2 0 2018-02-05 16:07:17.675 +01:00 0000109072 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, ConfigVersionId=136, Device IP Address=, RequestLatency=2, NetworkDeviceName=NAD_10.10.10.41, User-Name=EUROPE\\User1, NAS-IP-Address=, NAS-Port=13, Framed-IP-Address=, Class=CACS:0a4058f10000029f5a786c33:SJLISE01/306483897/2301, Called-Station-ID=00-a2-89-b9-d9-60, Called-Station-ID=70-6b-b9-7d-3f-80:Boardriders-External, Calling-Station-ID=60-67-20-02-38-f2, NAS-Identifier=EU-SJL-WLC2504-CA1-1-241, Acct-Status-Type=Interim-Update, Acct-Delay-Time=0, Acct-Input-Octets=3687362, Acct-Output-Octets=168730253, Acct-Session-Id=5a786c33/60:67:20:02:38:f2/737, Acct-Authentic=RADIUS, Acct-Session-Time=1773, Acct-Input-Packets=35885, Acct-Output-Packets=117579, Acct-Input-Gigawords=0, Acct-Output-Gigawords=0, Event-Timestamp=1517843237, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN,

I need to get as Username for the ID-Agent:
if User-Name=EUROPE\\User1 -> I need: EUROPE\User1
or if User-Name=AMERICAS\\User1 -> I need: AMERICAS\User1
or if User-Name=ASIA\\User1 -> I need: ASIA\User1
or if User-Name=User1 -> I need: User1

I tried for hours to find a way to remove 1 of the 2 backslashes, with no success.
I tried as well to find other logs coming from Cisco ISE with the Domain\User string together with the IP address: no way...

All I succeed in obtaining, in all cases, is:
- either DOMAIN - with: User-Name=([a-zA-Z0-9\@\-\/\._]+)
- or Username - with: User-Name=EUROPE\\\\([a-zA-Z0-9\@\-\\/\\\._]+)
- or DOMAIN\\Username - with: User-Name=([a-zA-Z0-9\@\-\\/\\\._]+)
- or \Username - with: User-Name=EUROPE\\([a-zA-Z0-9\@\-\\/\\\._]+)

But this is not what I need!


Please, can anyone help with obtaining DOMAIN\Username?
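
As an added example (not part of the original post or of any reply), the following Python script reproduces the four Username regexes from the comment above against a constructed accounting fragment in the same shape as the quoted test string, and shows why none of them can return DOMAIN\Username: a capture group only ever returns a contiguous slice of the message, and the message contains two backslashes between domain and user, so collapsing them has to be a separate step after extraction. The same script also answers the earlier Framed-IPv6-Address question on this page with a negative look-ahead that skips the fe80 link-local entry. The message text, the hypothetical helper names and the look-ahead pattern are assumptions of this example; the article's own Username regex already uses a look-behind, so look-around syntax is reasonable to expect from the parse profile, but verify it with the test user-id user-id-syslog-parse command before committing.

```python
import re

# Constructed accounting fragment in the shape of the test string quoted above
# (not a real ISE capture). In the raw syslog text ISE escapes the backslash,
# so the message really contains two backslash characters between domain and user.
ACCT_MSG = (
    "CISE_RADIUS_Accounting 0000001170 2 0 NOTICE Radius-Accounting: "
    "User-Name=EUROPE\\\\User1, NAS-Port=13, Framed-IP-Address=10.10.140.9, "
    "Framed-IPv6-Address=fe80::141e:2de6:91f4:e215, "
    "Framed-IPv6-Address=2620:102:4009:1d16:d:fbc1:cc03:3e, Acct-Status-Type=Interim-Update,"
)

# The four Username regexes from the post, exactly as typed into the parse profile.
CANDIDATES = {
    "domain_only": r"User-Name=([a-zA-Z0-9\@\-\/\._]+)",
    "user_only": r"User-Name=EUROPE\\\\([a-zA-Z0-9\@\-\\/\\\._]+)",
    "domain_2bs_user": r"User-Name=([a-zA-Z0-9\@\-\\/\\\._]+)",
    "bs_user": r"User-Name=EUROPE\\([a-zA-Z0-9\@\-\\/\\\._]+)",
}


def capture(pattern, msg=ACCT_MSG):
    """Return what group 1 of `pattern` captures, the way the parse profile would."""
    m = re.search(pattern, msg)
    return m.group(1) if m else None


def what_each_captures():
    """Map each candidate regex to the text it actually extracts from ACCT_MSG."""
    return {name: capture(p) for name, p in CANDIDATES.items()}


def normalize_domain_user(msg=ACCT_MSG):
    """Capture DOMAIN\\\\user with the third pattern, then collapse the doubled
    backslash outside the regex. No single pattern can drop one of the two
    backslashes, because a capture is always a contiguous substring of the
    message; the rewrite has to happen after extraction."""
    raw = capture(CANDIDATES["domain_2bs_user"], msg)
    return raw.replace("\\\\", "\\") if raw else None


# Hypothetical Address regex for IPv6: the negative look-ahead rejects a value
# starting with fe80: at the match position, so search() moves on to the next
# Framed-IPv6-Address occurrence and returns the routable address.
IPV6_RE = re.compile(r"Framed-IPv6-Address=(?!fe80:)([0-9A-Fa-f:]+)", re.IGNORECASE)


def non_link_local_ipv6(msg=ACCT_MSG):
    """First Framed-IPv6-Address that is not link-local, or None."""
    m = IPV6_RE.search(msg)
    return m.group(1) if m else None


if __name__ == "__main__":
    for name, value in what_each_captures().items():
        print(f"{name:16s} -> {value!r}")
    print("normalized      ->", repr(normalize_domain_user()))
    print("ipv6 (non-fe80) ->", non_link_local_ipv6())
```

The output reproduces the four results listed in the post (DOMAIN, Username, DOMAIN\\Username and \Username) and then the wanted EUROPE\User1, which only appears once the doubled backslash is collapsed after capture. On the firewall itself the parse profile hands the captured text straight to User-ID, so a deployment that needs the single-backslash form has to obtain it from a source that already logs it that way rather than from this regex alone.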





by Mass
a month ago

@CharlyBonneau have you been able to find a solution (workaround) for the scenario you have explained?



Has anyone ever configured User-ID in a multi-domain environment and created security rules with AD groups in them? I wonder if this has been working for anyone at any time! I would like to know the PAN-OS and Cisco ISE versions.

