Integrating Cisco ISE Guest Authentication with PAN-OS

07-18-2016 07:01 AM - edited 02-15-2017 04:28 AM (18,250 Views)

by Marcos Buzo (Live Community username: MarcosBuzo)

 

This document describes how to configure Cisco ISE to send user-id information to PAN-OS.

This scenario was deployed with Cisco ISE 1.4.0-253 and PAN-OS 6.1 and 7.0. 


In the scenario described here, User-ID integration with Active Directory is already working, so the goal is to collect only Guest user-id information from Cisco ISE. You can change this behaviour by removing or changing the subnets in the regular expressions.

 

Cisco ISE works as a RADIUS server to authenticate and authorize users on a network. We are going to forward RADIUS Authentication and Accounting logs to PAN-OS.


Details

 

Configure a new remote log target on Cisco ISE; the target device is the PAN-OS firewall:

  • Choose Administration > System > Logging > Remote Logging Targets.
  • Click Add.
  • Give it a name you like; for Target Type, select UDP Syslog. For IP Address, enter the PAN-OS management interface IP address.
  • Click Submit.

 

Picture1.png

Repeat the steps above if you want to send user-id log information to other devices as well.

 

Configuring ISE to forward Passed Authentication Syslog Messages

  • Choose Administration > System > Logging > Logging Categories.
  • Click Passed Authentications.
  • Select the remote log target you created before in the “Available” column, and click the “>” sign to move it to the “Selected” column.
  • Click Save.

Picture2.png

 

Configuring ISE to forward RADIUS Accounting Syslog Messages

  • Choose Administration > System > Logging > Logging Categories.
  • Click RADIUS Accounting.
  • Select the remote log target you created before in the “Available” column, and click the “>” sign to move it to the “Selected” column.
  • Click Save.

 

Picture3.png

 

Enable User-ID Syslog Listener-UDP on PAN-OS

  • Choose Device > Setup > Management Interface Settings.
  • Check the User-ID Syslog Listener-UDP box.
  • Click OK.

Picture4.png

 

Create a Syslog Parse Profile to match the interesting information in syslog messages

  • Choose Device > User Identification > User Mapping.
  • Edit Palo Alto Networks User ID Agent Setup and click Syslog Filters.
  • Click Add.
  • Fill all the fields according to the information below.

 

Here comes the tricky part: for wireless devices, Cisco ISE sends the user-id information only in the Passed Authentications logs, while for wired devices it sends the user-id information in the RADIUS Accounting logs.


In this example, we have:

 

  • 10.10.130.0/24 = Wireless Guest
  • 10.10.30.0/24 = Wireless Guest
  • 10.10.140.0/24 = Wired Guest

So, adjust the Event regex below according to your needs.

 

  • Syslog Parse Profile: Cisco ISE
  • Event regex: ([A-Za-z0-9].*CISE_Passed_Authentications.*((Framed-IP-Address=10\.10\.130)|(Framed-IP-Address=10\.10\.30))|([A-Za-z0-9].*CISE_RADIUS_Accounting.*(Framed-IP-Address=10\.10\.140)))
  • Username Regex: (?<=UserName=|User-Name=)[\w-]+
  • Address Regex: Framed-IP-Address=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})
  • Click OK.

Picture6.png

 

The Cisco ISE 2.1 syslog parse profile should look like this:

Event Regex
([A-Za-z0-9].*CISE_Passed_Authentications.*Framed-IP-Address=.*)|([A-Za-z0-9].*CISE_RADIUS_Accounting.*Framed-IP-Address=.*)

Username Regex
User-Name=([a-zA-Z0-9\@\-\\/\\\._]+)|UserName=([a-zA-Z0-9\@\-\\/\\\._]+)

Address Regex
Framed-IP-Address=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})
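To check a parse profile offline before committing it, here is an added example (JavaScript, not code from the article or from Palo Alto Networks) that applies both profiles above, the ISE 1.4 guest-only profile and the ISE 2.1 profile, to constructed ISE-style syslog messages. It assumes, as the article's description implies, that the firewall uses the Event regex as a filter and then the Username and Address regexes as extractors, and that the regex semantics match JavaScript's. The sample messages, the profile labels and the functions `parseMessage` / `parseAll` are constructed for this example; only the regex text comes from the article.

```javascript
// Added example: run the article's PAN-OS syslog parse profiles against
// constructed Cisco ISE messages. Run with: node ise_parse_profiles.js

// Regex text exactly as pasted into the PAN-OS profile; String.raw keeps the
// backslashes untouched.
const PROFILES = {
  // Guest-only profile from the ISE 1.4 section (subnets 10.10.130/10.10.30 wireless, 10.10.140 wired)
  "ise14-guest": {
    event: String.raw`([A-Za-z0-9].*CISE_Passed_Authentications.*((Framed-IP-Address=10\.10\.130)|(Framed-IP-Address=10\.10\.30))|([A-Za-z0-9].*CISE_RADIUS_Accounting.*(Framed-IP-Address=10\.10\.140)))`,
    user: String.raw`(?<=UserName=|User-Name=)[\w-]+`,
    addr: String.raw`Framed-IP-Address=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})`,
  },
  // ISE 2.1 profile from the article: any subnet, any user
  "ise21-all": {
    event: String.raw`([A-Za-z0-9].*CISE_Passed_Authentications.*Framed-IP-Address=.*)|([A-Za-z0-9].*CISE_RADIUS_Accounting.*Framed-IP-Address=.*)`,
    user: String.raw`User-Name=([a-zA-Z0-9\@\-\\/\\\._]+)|UserName=([a-zA-Z0-9\@\-\\/\\\._]+)`,
    addr: String.raw`Framed-IP-Address=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})`,
  },
};

// Returns { user, ip } when the message passes the Event regex and both
// extraction regexes hit; otherwise null (the firewall would ignore it).
function parseMessage(profileName, msg) {
  const p = PROFILES[profileName];
  if (!new RegExp(p.event).test(msg)) return null;
  const u = new RegExp(p.user).exec(msg);
  const a = new RegExp(p.addr).exec(msg);
  if (!u || !a) return null;
  // The 2.1 form captures the name in a group; the 1.4 lookbehind form has
  // no group, so the whole match is the name.
  const captured = u.slice(1).find((g) => g !== undefined);
  return { user: captured !== undefined ? captured : u[0], ip: a[1] };
}

// One entry per message, null where the profile ignores the message.
function parseAll(profileName, msgs) {
  return msgs.map((m) => parseMessage(profileName, m));
}

// Constructed sample messages shaped like ISE syslog (not real captures).
// The syslog text carries a single backslash in DOMAIN\user; in a JS string
// literal that is written "\\".
const SAMPLES = [
  // wireless guest, passed authentication (UserName=)
  "<181>Jul 18 10:01:02 ise01 CISE_Passed_Authentications 0000000101 1 0 2016-07-18 10:01:02.123 +00:00 0000004321 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=12, Device IP Address=10.10.1.5, UserName=guest01, NetworkDeviceName=wlc01, Framed-IP-Address=10.10.130.25, NAS-Port-Type=Wireless - IEEE 802.11,",
  // wired guest, RADIUS accounting (User-Name=)
  "<182>Jul 18 10:02:30 ise01 CISE_RADIUS_Accounting 0000000102 1 0 2016-07-18 10:02:30.456 +00:00 0000004322 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=12, User-Name=guest02, Acct-Status-Type=Start, Framed-IP-Address=10.10.140.7, NAS-Port-Type=Ethernet,",
  // corporate wireless user already mapped through AD: the guest profile must skip it
  "<181>Jul 18 10:03:15 ise01 CISE_Passed_Authentications 0000000103 1 0 2016-07-18 10:03:15.789 +00:00 0000004323 5200 NOTICE Passed-Authentication: Authentication succeeded, ConfigVersionId=12, UserName=jdoe, Framed-IP-Address=10.10.50.9, NAS-Port-Type=Wireless - IEEE 802.11,",
  // wired guest subnet, Windows supplicant sends DOMAIN\user
  "<182>Jul 18 10:04:01 ise01 CISE_RADIUS_Accounting 0000000104 1 0 2016-07-18 10:04:01.000 +00:00 0000004324 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=12, User-Name=CORP\\jsmith, Acct-Status-Type=Start, Framed-IP-Address=10.10.140.40, NAS-Port-Type=Ethernet,",
  // accounting record without a Framed-IP-Address: nothing to map
  "<182>Jul 18 10:04:05 ise01 CISE_RADIUS_Accounting 0000000105 1 0 2016-07-18 10:04:05.000 +00:00 0000004325 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, ConfigVersionId=12, User-Name=guest03, Acct-Status-Type=Start, NAS-Port-Type=Ethernet,",
];

for (const name of Object.keys(PROFILES)) {
  console.log(name);
  parseAll(name, SAMPLES).forEach((r, i) =>
    console.log(`  msg${i + 1}: ${r ? `${r.user} -> ${r.ip}` : "ignored"}`));
}
```

Running it shows the intended split: the 1.4 guest profile maps only the three guest-subnet messages and ignores the corporate user, while the 2.1 profile maps every message that carries a Framed-IP-Address. It also shows one difference worth knowing before choosing a Username regex: `[\w-]+` in the 1.4 profile stops at a backslash, so a `DOMAIN\user` value from a Windows supplicant is mapped as just `DOMAIN`, whereas the 2.1 character class includes the backslash and keeps `DOMAIN\user` whole.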

 

Add the ISE servers to the Server Monitoring list

  • Choose Device > User Identification > User Mapping.
  • Under Server Monitoring, click Add.
  • Give it a name and a description you like.
  • For Type, choose Syslog Sender.
  • For Network Address, insert your Cisco ISE IP address.
  • For Connection Type, choose UDP.
  • For Filter, select Cisco ISE.
  • For Default Domain Name, insert your NetBIOS domain name or whatever matches your environment.
  • Click Commit.

Picture7.png

 

 

Now you are good to go! Your PAN-OS firewall should be receiving user-id information from Cisco ISE. You can use the following CLI commands to verify that it is working:

 

show user server-monitor state
show user ip-user-mapping all type SYSLOG
test user-id user-id-syslog-parse
tail follow yes mp-log useridd.log

 

References


Configuring Cisco ACS to send RADIUS Accounting directly to the firewall using Syslog
Configuring ISE to Forward User Login Events to CDA

 

If this information has been helpful to you, or piqued your interest or curiosity and desire to learn more, please leave a thumbs up, a comment, or a question in the section below.

 

Thanks,

Marcos Buzo

@MarcosBuzo

 

Comments
by Brandon_Wertz
on 07-26-2016 08:37 AM

Great implementation document!

 

One thing, it would be nice if there was something that defined what code levels this has been tested or built against.

 

The ISE UI has changed drastically, from 1.1, 1.2, 1.3 and on; even to 2.0. Palo's UI has also had similar changes.

 

If there was a comment at least identifying the code versions of each, I just think it would be good to highlight.

by MarcosBuzo
on 08-03-2016 07:20 AM

Hi Brandon, 

 

This scenario was deployed with Cisco ISE 1.4.0-253 and PAN-OS 6.1 and 7.0. 

I'll check the newer ISE versions as soon as I have a chance to do that.

 

Thank you for the suggestions!

 

 

by
on 08-03-2016 07:28 AM

I'll go ahead and add the comment, thanks @Brandon_Wertz and @MarcosBuzo

by sylvain.cassan
on 08-31-2016 08:58 AM

Hi,

 

I have quite the same configuration except I'm using the Field Identifier instead of the regexp, it's maybe more simple.

I don't know if you did the test in a multi-system environment, but in my case I had to use several interfaces of the firewall depending on the Virtual System. If I use only one interface in the ISE to send the SYSLOG then the message is handled only by the first VSYS and the authentication is not taken into account in the second or third one (Bad configuration?).

 

So in virtual system environment you cannot use the Management IP address of the firewall.

 

Regards,

 

Sylvain

by MarcosBuzo
on 09-02-2016 09:14 AM

Hi Sylvain,

 

Indeed, I have not tested this solution in a multi-system environment. Thank you for this information, I am sure this will be useful for anyone implementing this scenario.

 

About the field identifier versus the regexp, we used it because we wanted to collect only the user information about the guest network. All the other networks' user information is already being collected through Active Directory.

 

Please, share your Field Identifier setup with us, I believe that would be very useful for those that are looking for a "full" implementation through Cisco ISE, not just Guest networks.

 

Best Regards,

Marcos Buzo

 

by sylvain.cassan
on 09-05-2016 01:38 AM

Hi,

 

Regarding the Field Identifier the configuration is quite simple:

FieldIdentitier.JPG

 

This configuration is working fine with ISE 1.2.1. I think the Address must be modified for Cisco ISE 1.4.

The best way to check is to capture a syslog event sent by the ISE and then to use the test command to verify the parser.

We are using this configuration with a Guest Portal on the ISE. It's maybe different with automatic connections.

Regards,

 

Sylvain

by sylvain.cassan
on 09-19-2016 07:24 AM

Some information regarding the multi vsys.

You cannot put the same ip for a listener on vsys1 and a listener on vsys2.

There are two possible configurations:

- 1 listener with IP A on VSYS1 and 1 listener with IP B on VSYS2

- All the listeners you want on VSYS1 and a redistribution of the mapping table to the other VSYS

 

Regards,

 

Sylvain

by danilolmcardoso
on 09-22-2016 10:25 AM

Hi MarcosBuzo

Nice document!

 

Best Regards

 

Danilo Cardoso

by CPPalo
on 02-07-2017 11:16 PM

For Cisco ISE 2.1 syslog parse profile should look like this:

 

 

Event Regex

([A-Za-z0-9].*CISE_Passed_Authentications.*Framed-IP-Address=.*)|([A-Za-z0-9].*CISE_RADIUS_Accounting.*Framed-IP-Address=.*)

 

Username Regex

User-Name=([a-zA-Z0-9\@\-\\/\\\._]+)|UserName=([a-zA-Z0-9\@\-\\/\\\._]+)

 

Address Regex

Framed-IP-Address=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})

 

 

 

by MarcosBuzo
on 02-15-2017 04:20 AM

Thanks for the Update @CPPalo.

@reaper Could you update the article, please?

 

Cheers,

Marcos Buzo

by
on 02-15-2017 04:28 AM

*updated*

by CPPalo
on 03-10-2017 03:44 AM

Little Update.

 

Something in regex proposed by me is causing firewall to reboot itself after some time.

 

PanOS version 7.1.6. 

 

Part reply from Support:

 

1) segmentation fault is observed:
messages.log
Feb 8 08:11:11 mgmt kernel: useridd[4517]: segfault at 8 ip 00000000f736e82c sp 00000000e848f0d0 error 4 in libpancommon_mp.so.1.0[f720e000+334000]
Feb 8 08:12:16 mgmt kernel: useridd[5267]: segfault at 8 ip 00000000f73e582c sp 00000000e740d0d0 error 4 in libpancommon_mp.so.1.0[f7285000+334000]
Feb 8 08:16:49 mgmt kernel: useridd[5460]: segfault at 8 ip 00000000f739382c sp 00000000e814d0d0 error 4 in libpancommon_mp.so.1.0[f7233000+334000]
2) the regex looks not to be matched properly
userid.log
2017-02-08 08:57:27.993 +0100 pan_user_id_syslog_server_apply_regex_to_msg: No match found in msg <181>
3) userid crashes multiple times which ends up in firewall reboot

 

 

UserID is matched, but after few minutes firewall ends up rebooting itself with error message:

 

useridd: restarts exhausted, rebooting system

 

 

I've upgraded ISE to version 2.2 and I'm gonna try once again to create a regex for userid.

 

 

by sib2017
on 03-27-2017 02:12 AM


Hi,

ise Version : 2.0.1.130

 

Event Regex
([A-Za-z0-9].*CISE_Passed_Authentications.*Framed-IP-Address=.*)|([A-Za-z0-9].*CISE_RADIUS_Accounting.*Framed-IP-Address=.*)

Username Regex
User-Name=([a-zA-Z0-9\@\-\\/\\\._]+)|UserName=([a-zA-Z0-9\@\-\\/\\\._]+)

Address Regex
Framed-IP-Address=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})

 

 


This does not work for me


show user server-monitor state ISE-01

UDP Syslog Listener Service is disabled
SSL Syslog Listener Service is disabled

Proxy: ISE-01(vsys: vsys1) Host: ISE-01(192.168.10.10)
number of log messages : 0
number of auth. success messages : 0


Thanks

 

 

by sib2017
on 03-27-2017 03:45 AM

Hi,

Could you post the regex for  a subnet for example 10.0.2.0/23

Thanks

by CPPalo
03-29-2017 02:38 AM - edited 03-29-2017 02:40 AM

I've rewritten the regex for Cisco ISE 2.2 (newest version) and it's working OK.

 

Event Regex
CISE_RADIUS_Accounting

Username Regex
User-Name=([a-zA-Z0-9\.\-\@\_\/]+)|User-Name=DOMAIN\\\\([a-zA-Z0-9\\\.\-\@\_\/]+)

Address Regex
Framed-IP-Address=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})

 

Quick Explanations:

 

The username regex for Cisco ISE consists of two conditions joined with OR (|); this is necessary if you are using AnyConnect as the 802.1X supplicant and the native Windows 802.1X supplicant.

AnyConnect sends the username as: user.name

Windows supplicants send the username as: DOMAIN\\user.name

 

Because of that, on Palo you have to strip DOMAIN\\ from the username (second condition) to create policies based on AD groups.

The user is matched according to the regex inside the brackets:

 

([a-zA-Z0-9\.\-\@\_\/]+)

This regex is pretty simple: match everything that contains a-z, A-Z, 0-9 and the special characters { . - @ _ / }

 

 

@sib

regex for ip address 10.0.2.0/23 could look like this:

 

Framed-IP-Address=(10\.0\.[2-3]{1}\.[0-9]{1,3})

 

so it matches 10.0.2.0 - 10.0.3.255

 

You can check your regex on this site:

https://regex101.com/
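The subnet regex in the comment above is written by hand for a single /23. As an added example (JavaScript, not code from the comment author, the article, or any vendor), the block below derives the PAN-OS Address Regex for any IPv4 CIDR block and verifies it against plain subnet arithmetic, so the pattern can be checked offline before it is committed to a syslog parse profile. The function names (`cidrToAddressRegex`, `rangeRegex`, `checkBlock`, `neighbourhood`) and the accounting-message fragment used for the check are constructed for this example. It assumes the firewall's regex engine accepts non-capturing groups and a negative lookahead, which is consistent with the article's own Username Regex already using lookaround.

```javascript
// Added example: generate and verify a PAN-OS Address Regex for a CIDR block.
// Run with: node cidr_regex.js

function group(s) { return s.includes("|") ? `(?:${s})` : s; }

// Regex alternation matching the decimal integers lo..hi, e.g. 16..31 gives
// "1[6-9]|3[0-1]|2[0-9]". Split by number of digits, then by leading digit.
function rangeRegex(lo, hi) {
  const parts = [];
  for (let start = lo; start <= hi; ) {
    const end = Math.min(hi, 10 ** String(start).length - 1);
    parts.push(sameLengthRange(String(start), String(end)));
    start = end + 1;
  }
  return parts.join("|");
}

// a and b have the same number of digits and a <= b.
function sameLengthRange(a, b) {
  if (a === b) return a;
  if (a.length === 1) return `[${a}-${b}]`;
  const n = a.length - 1;                          // digits after the first
  const low = "0".repeat(n), high = "9".repeat(n);
  const ra = a.slice(1), rb = b.slice(1);
  if (a[0] === b[0]) return a[0] + group(sameLengthRange(ra, rb));
  let lo = Number(a[0]), hi = Number(b[0]);
  const parts = [];
  if (ra !== low) { parts.push(a[0] + group(sameLengthRange(ra, high))); lo++; }
  if (rb !== high) { parts.push(b[0] + group(sameLengthRange(low, rb))); hi--; }
  if (lo <= hi) parts.push((lo === hi ? String(lo) : `[${lo}-${hi}]`) + "[0-9]" + (n > 1 ? `{${n}}` : ""));
  return parts.join("|");
}

// PAN-OS Address Regex for one CIDR block. Octets fully covered by the prefix
// stay literal, the octet the prefix ends in becomes a numeric range, and
// host octets use the [0-9]{1,3} form used throughout this thread. When the
// last octet is constrained (prefix > 24) a negative lookahead stops
// 192.168.1.5/32 from also matching 192.168.1.50.
function cidrToAddressRegex(cidr) {
  const [base, lenStr] = cidr.split("/");
  const prefix = Number(lenStr);
  const octets = base.split(".").map(Number);
  if (octets.length !== 4 || octets.some((o) => !(o >= 0 && o <= 255)) || !(prefix >= 0 && prefix <= 32)) {
    throw new Error(`bad CIDR: ${cidr}`);
  }
  const parts = octets.map((o, i) => {
    const bits = Math.max(0, Math.min(8, prefix - 8 * i));  // network bits in octet i
    if (bits === 8) return String(o);
    if (bits === 0) return "[0-9]{1,3}";
    const size = 2 ** (8 - bits);
    const lo = o - (o % size);                               // align to the block start
    return group(rangeRegex(lo, lo + size - 1));
  });
  const guard = prefix > 24 ? "(?![0-9])" : "";
  return `Framed-IP-Address=(${parts.join("\\.")}${guard})`;
}

// Subnet arithmetic, used as an independent oracle for the regex.
function ipToInt(ip) { return ip.split(".").reduce((n, o) => n * 256 + Number(o), 0); }
function inBlock(cidr, ip) {
  const [base, len] = cidr.split("/");
  const mask = Number(len) === 0 ? 0 : (-1 << (32 - Number(len))) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(base) & mask) >>> 0);
}

// Apply the generated regex to a constructed accounting fragment for each IP
// and confirm it agrees with the arithmetic (match AND the full IP captured).
function checkBlock(cidr, ips) {
  const re = new RegExp(cidrToAddressRegex(cidr));
  return ips.every((ip) => {
    const m = re.exec(`User-Name=guest, Framed-IP-Address=${ip}, Acct-Status-Type=Start`);
    return (m !== null && m[1] === ip) === inBlock(cidr, ip);
  });
}

// Every address 10.0.0.0 .. 10.0.<thirdOctetMax>.255, around the /23 above.
function neighbourhood(thirdOctetMax) {
  const ips = [];
  for (let c = 0; c <= thirdOctetMax; c++) for (let d = 0; d < 256; d++) ips.push(`10.0.${c}.${d}`);
  return ips;
}

console.log(cidrToAddressRegex("10.0.2.0/23"));           // Framed-IP-Address=(10\.0\.[2-3]\.[0-9]{1,3})
console.log(cidrToAddressRegex("10.0.16.0/20"));          // Framed-IP-Address=(10\.0\.(?:1[6-9]|3[0-1]|2[0-9])\.[0-9]{1,3})
console.log(checkBlock("10.0.2.0/23", neighbourhood(7))); // true
```

The /23 output is the same pattern as the hand-written one above (minus the redundant `{1}`), and the exhaustive check over 10.0.0.0 to 10.0.7.255 confirms it matches exactly 10.0.2.0 to 10.0.3.255. The same fragment can be embedded in the Event Regex the way the article restricts its guest subnets, but note that the article's `Framed-IP-Address=10\.10\.130` form works only because it is followed by a dot in every valid address; for prefixes that do not end on an octet boundary, the numeric range is what keeps neighbouring subnets out.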

by CPPalo
on 03-29-2017 02:52 AM

@sib

 

 

"This does not work for me


show user server-monitor state ISE-01

UDP Syslog Listener Service is disabled
SSL Syslog Listener Service is disabled

Proxy: ISE-01(vsys: vsys1) Host: ISE-01(192.168.10.10)
number of log messages : 0
number of auth. success messages : 0

 

You have the UDP Syslog Listener Service disabled; you should enable it.

 

And also change Event Regex (for ISE 2.0) to:

Event Regex
CISE_Passed_Authentications|CISE_RADIUS_Accounting

 

 

by Scooby
on 04-06-2017 07:48 AM

Hi

 

Having same issue, doesn't work, have upgraded to 2.2.

As this is using a sponsor page, should I still see a username against the traffic?

 

I see on syslog when a user first joins and connects to the sponsor page

CISE_Guest

 

Should this be showing on the PA?

 

Tried on PA directly and Panorama

 

Cheers

by bradcl_15
on 04-24-2017 12:49 AM

Would it be possible, instead of restricting the Event RegEx to subnets, to restrict the Event RegEx to the Authorization Rule in Cisco ISE?

 

I have Active Directory monitoring the Wired LAN authentications and don't want Cisco ISE's 802.1X machine authentication usernames coming across to the Palo, but at the same time I need the Cisco ISE wireless authentications, which are using the same subnet, as well as the Wired-CWA authentications.

 

In the Syslog messages from ISE there is an object, AuthorizationPolicyMatchedRule, which I thought I could possibly match?

 

Cheers

 

by cmaxwell
3 weeks ago

I am trying to use ISE authentication at 50 different locations on the PA-220 with an L2 deployment (single FW handling 2-3 users all directly connected to the device). Does this mean I have to have 50 different entries in the ISE UDP Syslog setup (one for each IP address)?

 

 
