Integrating Cisco ISE Guest Authentication with PAN-OS

Posted 07-18-2016 07:01 AM - edited 02-15-2017 04:28 AM (14,308 Views)

by Marcos Buzo (Live Community username: MarcosBuzo)

This document describes how to configure Cisco ISE to send user-id information to PAN-OS.

This scenario was deployed with Cisco ISE 1.4.0-253 and PAN-OS 6.1 and 7.0.

In the scenario described here, user-id integration with Active Directory is already working, so the idea is to collect only Guest user-id information from Cisco ISE. You can change this behavior simply by removing or changing the subnets in the regular expressions below.

Cisco ISE works as a RADIUS server to authenticate and authorize users on a network. We are going to forward its Passed Authentications and RADIUS Accounting logs to PAN-OS as syslog, and PAN-OS will parse the username and the Framed-IP-Address out of those messages to build its IP-to-user mappings.


Details

Configure a new remote logging target on Cisco ISE; this target is going to be the PAN-OS firewall:

  • Choose Administration > System > Logging > Remote Logging Targets.
  • Click Add.
  • Give it a name you like. For Target Type, select UDP Syslog. For IP Address, fill in the PAN-OS Management Interface IP address (the listener uses UDP port 514).
  • Click Submit.

Two caveats on this target. UDP syslog is neither authenticated nor encrypted, so the management interface should be reachable only from the ISE nodes. Also, ISE splits any message longer than the target's Maximum Length into numbered segments; if UserName and Framed-IP-Address end up in different segments, the parse profile described below matches neither of them, so raise the Maximum Length on the target if you see ISE messages arriving in pieces.

Picture1.png

Repeat the steps above if you want to send user-id log information to other devices as well.

Configuring ISE to forward Passed Authentication Syslog Messages

  • Choose Administration > System > Logging > Logging Categories.
  • Click Passed Authentications.
  • Select the remote log target you created before on the “Available” column, and click the “>” sign to move it to the “Selected” column.
  • Click Save.

Picture2.png

Configuring ISE to forward RADIUS Accounting Syslog Messages

  • Choose Administration > System > Logging > Logging Categories.
  • Click RADIUS Accounting.
  • Select the remote log target you created before on the “Available” column and click the “>” sign to move it to the “Selected” column.
  • Click Save.

Picture3.png

Enable User-ID Syslog Listener-UDP on PAN-OS

  • Choose Device > Setup > Management > Management Interface Settings.
  • Check the User-ID Syslog Listener-UDP box.
  • Click OK.

This opens UDP port 514 on the management interface. UDP syslog carries no authentication, so a packet forged with the ISE source address could inject a bogus IP-to-user mapping; keep the management interface off untrusted networks and limit Permitted IP Addresses in the same dialog to the ISE nodes.

Picture4.png

Create a Syslog Parse Profile to match the interesting information in the syslog messages

  • Choose Device > User Identification > User Mapping.
  • Edit Palo Alto Networks User-ID Agent Setup and click the Syslog Filters tab.
  • Click Add.
  • Fill in all the fields according to the information below.

Here comes the tricky part: in this deployment, for wireless devices Cisco ISE includes the Framed-IP-Address only in the Passed Authentications messages, while for wired devices it includes it in the RADIUS Accounting messages. The Event regex therefore accepts authentication messages for the wireless guest subnets and accounting messages for the wired guest subnet.

In this example, we have:

  • 10.10.130.0/24 = Wireless Guest
  • 10.10.30.0/24 = Wireless Guest
  • 10.10.140.0/24 = Wired Guest

So, adjust the Event regex below according to your needs. Note that the subnet patterns are textual prefix matches on the address; end each one with a trailing \. so that a pattern such as 10\.10\.3\. cannot also match 10.10.30.x.

  • Syslog Parse Profile: Cisco ISE
  • Event regex: ([A-Za-z0-9].*CISE_Passed_Authentications.*((Framed-IP-Address=10\.10\.130)|(Framed-IP-Address=10\.10\.30))|([A-Za-z0-9].*CISE_RADIUS_Accounting.*(Framed-IP-Address=10\.10\.140)))
  • Username Regex: (?<=UserName=|User-Name=)[\w-]+
  • Address Regex: Framed-IP-Address=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) 
  • Click OK.

Picture6.png

The Cisco ISE 2.1 syslog parse profile (contributed by CPPalo in the comments) should look like this. Note that CPPalo later reports, also in the comments, useridd segfaults and a firewall reboot on PAN-OS 7.1.6 with this profile, so test it against captured ISE messages with test user-id user-id-syslog-parse before committing it on a production firewall:

Event Regex
([A-Za-z0-9].*CISE_Passed_Authentications.*Framed-IP-Address=.*)|([A-Za-z0-9].*CISE_RADIUS_Accounting.*Framed-IP-Address=.*)

Username Regex
User-Name=([a-zA-Z0-9\@\-\\/\\\._]+)|UserName=([a-zA-Z0-9\@\-\\/\\\._]+)

Address Regex
Framed-IP-Address=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})
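The parse profile is easiest to validate offline against captured messages, as sylvain.cassan suggests in the comments. The following Python script is an added example, not code from the article and not a Cisco or Palo Alto Networks tool: it runs the guest-only profile from the ISE 1.4 section and the ISE 2.1 profile above against ISE-style syslog lines and shows which of them would produce a mapping. The sample messages, the hostname ise01, the usernames, the NAS addresses and the GUEST default domain are all constructed for the example. The one deviation from the page's regexes is the username regex of the guest profile, rewritten with capture groups because Python's re module does not accept the page's variable-width lookbehind (PCRE, which PAN-OS uses, does).

```python
import re

# Added example, not code from the article, Cisco or Palo Alto Networks:
# apply the three regexes of a PAN-OS Syslog Parse Profile to ISE syslog
# lines offline, to see what User-ID would map before committing the profile.

# Profiles taken from the article. The ISE 1.4 username regex on the page,
# (?<=UserName=|User-Name=)[\w-]+, is a variable-width lookbehind that PCRE
# accepts but Python's re module rejects, so the guest profile below uses the
# equivalent capture-group form instead (an adaptation for this example).
GUEST_PROFILE = {
    "event": (r"([A-Za-z0-9].*CISE_Passed_Authentications.*"
              r"((Framed-IP-Address=10\.10\.130)|(Framed-IP-Address=10\.10\.30))"
              r"|([A-Za-z0-9].*CISE_RADIUS_Accounting.*(Framed-IP-Address=10\.10\.140)))"),
    "user": r"User-Name=([\w-]+)|UserName=([\w-]+)",
    "addr": r"Framed-IP-Address=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})",
}
ISE21_PROFILE = {
    "event": (r"([A-Za-z0-9].*CISE_Passed_Authentications.*Framed-IP-Address=.*)"
              r"|([A-Za-z0-9].*CISE_RADIUS_Accounting.*Framed-IP-Address=.*)"),
    "user": r"User-Name=([a-zA-Z0-9\@\-\\/\\\._]+)|UserName=([a-zA-Z0-9\@\-\\/\\\._]+)",
    "addr": r"Framed-IP-Address=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})",
}

# Constructed sample messages modelled on the ISE key=value syslog format
# (not captures from the author's network). After the category name ISE
# writes its sequence number, the total number of segments and the segment
# index; a long message is split across several segments with this header.
HDR = "<181>Jul 18 10:01:02 ise01 "
WIRELESS_AUTH = (HDR + "CISE_Passed_Authentications 0000000101 1 0 2016-07-18 10:01:02.123 -03:00 "
                 "0000000201 5200 NOTICE Passed-Authentication: Authentication succeeded, "
                 "Device IP Address=10.10.1.5, UserName=guest01, NAS-Port-Type=Wireless - IEEE 802.11, "
                 "Framed-IP-Address=10.10.130.25, IdentityGroup=GuestType_Daily,")
CORP_AUTH = (HDR + "CISE_Passed_Authentications 0000000102 1 0 2016-07-18 10:01:03.001 -03:00 "
             "0000000202 5200 NOTICE Passed-Authentication: Authentication succeeded, "
             "Device IP Address=10.10.1.5, UserName=corp\\alice, NAS-Port-Type=Wireless - IEEE 802.11, "
             "Framed-IP-Address=10.10.50.7,")
WIRED_ACCT = (HDR + "CISE_RADIUS_Accounting 0000000103 1 0 2016-07-18 10:01:04.250 -03:00 "
              "0000000203 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, "
              "Device IP Address=10.10.1.9, User-Name=guest02, Acct-Status-Type=Interim-Update, "
              "NAS-Port-Type=Ethernet, Framed-IP-Address=10.10.140.40,")
ACCT_START_NO_IP = (HDR + "CISE_RADIUS_Accounting 0000000104 1 0 2016-07-18 10:01:05.000 -03:00 "
                    "0000000204 3000 NOTICE Radius-Accounting: RADIUS Accounting start request, "
                    "Device IP Address=10.10.1.9, User-Name=guest04, Acct-Status-Type=Start, "
                    "NAS-Port-Type=Ethernet,")
# One accounting message that ISE split in two because it exceeded the
# target's Maximum Length: the username is in segment 0, the address in 1.
SEG0 = (HDR + "CISE_RADIUS_Accounting 0000000105 2 0 2016-07-18 10:01:06.000 -03:00 "
        "0000000205 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, "
        "Device IP Address=10.10.1.9, User-Name=guest03, Acct-Status-Type=Interim-Update,")
SEG1 = (HDR + "CISE_RADIUS_Accounting 0000000105 2 1 NAS-Port-Type=Ethernet, "
        "Framed-IP-Address=10.10.140.41, Acct-Session-Id=0A0A0109000000AB,")
SAMPLES = [WIRELESS_AUTH, CORP_AUTH, WIRED_ACCT, ACCT_START_NO_IP, SEG0, SEG1]


def parse(profile, msg):
    """Return (username, ip) when the event, username and address regexes
    all match one message; otherwise None, because PAN-OS creates no mapping
    unless all three hit in the same message."""
    if not re.search(profile["event"], msg):
        return None
    user = re.search(profile["user"], msg)
    addr = re.search(profile["addr"], msg)
    if not (user and addr):
        return None
    # Alternated capture groups: only the group of the matching branch is set.
    username = next(g for g in user.groups() if g)
    return username, addr.group(1)


def mappings(profile, messages, default_domain=None):
    """Build the IP -> user table the firewall would hold after these messages.
    PAN-OS prepends the Syslog Sender's Default Domain Name to usernames that
    carry no domain; a later message for the same IP replaces the earlier one."""
    table = {}
    for msg in messages:
        hit = parse(profile, msg)
        if hit is None:
            continue
        username, ip = hit
        if default_domain and "\\" not in username and "@" not in username:
            username = f"{default_domain}\\{username}"
        table[ip] = username
    return table


if __name__ == "__main__":
    for name, profile in (("guest-only (ISE 1.4)", GUEST_PROFILE), ("ISE 2.1", ISE21_PROFILE)):
        print(name, mappings(profile, SAMPLES, default_domain="GUEST"))
```

Run as-is, the guest-only profile maps only the two guest addresses and ignores the corporate wireless user, while the ISE 2.1 profile maps all three. Both profiles silently yield nothing for the two realistic failure cases: an Accounting Start that carries no Framed-IP-Address yet, and a message ISE split into two segments with the username in one and the address in the other. Paste real messages captured from the firewall into SAMPLES to check a new Event regex before committing it.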

 

Add the ISE servers to the Server Monitoring list

  • Choose Device > User Identification > User Mapping.
  • Under Server Monitoring, click Add.
  • Give it a name and a description you like.
  • For Type, choose Syslog Sender.
  • For Network Address, insert your Cisco ISE IP address.
  • For Connection Type, choose UDP.
  • For Filter, select Cisco ISE.
  • For Default Domain Name, insert your NetBIOS domain name or whatever matches your environment; PAN-OS prepends it to usernames that arrive without a domain, so it must match the domain your security policy and group mappings use.
  • Click OK, then Commit.

Repeat this for each ISE Policy Service Node that sends RADIUS logs; the firewall only parses syslog from senders on this list.

Picture7.png

Now you are good to go! PAN-OS should be receiving user-id information from Cisco ISE. You can use the following CLI commands to verify that it is working:

show user server-monitor state 
show user ip-user-mapping all type SYSLOG
test user-id user-id-syslog-parse
tail follow yes mp-log useridd.log

The useridd.log tail shows each received message and whether the parse profile matched it, which is the quickest way to spot a wrong Event regex.

References

Configuring Cisco ACS to send RADIUS Accounting directly to the firewall using Syslog
Configuring ISE to Forward User Login Events to CDA

If this information has been helpful to you, or piqued your interest or curiosity and desire to learn more, please leave a thumbs up, a comment, or a question in the section below.

Thanks,

Marcos Buzo

@MarcosBuzo

Comments
by Brandon_Wertz
on ‎07-26-2016 08:37 AM

Great implementation document!

One thing: it would be nice if there was something that defined what code levels this has been tested or built against.

The ISE UI has changed drastically from 1.1, 1.2, 1.3 and on, even to 2.0. Palo's UI has also had similar changes.

If there was a comment at least identifying the code versions of each, I just think it would be good to highlight.

by MarcosBuzo
on ‎08-03-2016 07:20 AM

Hi Brandon,

This scenario was deployed with Cisco ISE 1.4.0-253 and PAN-OS 6.1 and 7.0.

I'll check the newer ISE versions as soon as I have a chance to do that.

Thank you for the suggestions!

by
on ‎08-03-2016 07:28 AM

I'll go ahead and add the comment, thanks @Brandon_Wertz and @MarcosBuzo

by sylvain.cassan
on ‎08-31-2016 08:58 AM

Hi,

I have quite the same configuration, except I'm using the Field Identifier instead of the regexp; it's maybe simpler.

I don't know if you did the test in a multi-system environment, but in my case I had to use several interfaces of the firewall depending on the Virtual System. If I use only one interface in the ISE to send the SYSLOG, then the message is handled only by the first VSYS and the authentication is not taken into account in the second or third one (bad configuration?).

So in a virtual system environment you cannot use the Management IP address of the firewall.

Regards,

Sylvain

by MarcosBuzo
on ‎09-02-2016 09:14 AM

Hi Sylvain,

Indeed, I have not tested this solution in a multi-system environment. Thank you for this information; I am sure it will be useful for anyone implementing this scenario.

About the field identifier versus the regexp, we used it because we wanted to collect only the user information from the guest network. All the other networks' user information is already being collected through Active Directory.

Please share your Field Identifier setup with us; I believe that would be very useful for those who are looking for a "full" implementation through Cisco ISE, not just Guest networks.

Best Regards,

Marcos Buzo

by sylvain.cassan
on ‎09-05-2016 01:38 AM

Hi,

Regarding the Field Identifier, the configuration is quite simple:

FieldIdentitier.JPG

This configuration is working fine with ISE 1.2.1. I think the Address must be modified for Cisco ISE 1.4.

The best way to check is to capture a syslog event sent by the ISE and then use the test command to verify the parser.

We are using this configuration with a Guest Portal on the ISE. It's maybe different with automatic connections.

Regards,

Sylvain

by sylvain.cassan
on ‎09-19-2016 07:24 AM

Some information regarding multi-vsys.

You cannot put the same IP for a listener on vsys1 and a listener on vsys2.

There are two possible configurations:

- 1 listener with IP A on VSYS1 and 1 listener with IP B on VSYS2

- All the listeners you want on VSYS1 and a redistribution of the mapping table to the other VSYSs

Regards,

Sylvain

by danilolmcardoso
on ‎09-22-2016 10:25 AM

Hi MarcosBuzo

Nice document!

Best Regards

Danilo Cardoso

by CPPalo
on ‎02-07-2017 11:16 PM

For Cisco ISE 2.1, the syslog parse profile should look like this:

Event Regex

([A-Za-z0-9].*CISE_Passed_Authentications.*Framed-IP-Address=.*)|([A-Za-z0-9].*CISE_RADIUS_Accounting.*Framed-IP-Address=.*)

Username Regex

User-Name=([a-zA-Z0-9\@\-\\/\\\._]+)|UserName=([a-zA-Z0-9\@\-\\/\\\._]+)

Address Regex

Framed-IP-Address=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})

by MarcosBuzo
on ‎02-15-2017 04:20 AM

Thanks for the update @CPPalo.

@reaper Could you update the article, please?

Cheers,

Marcos Buzo

by
on ‎02-15-2017 04:28 AM

*updated*

by CPPalo
2 weeks ago

Little update.

Something in the regex proposed by me is causing the firewall to reboot itself after some time.

PAN-OS version 7.1.6.

Part of the reply from Support:

1) segmentation fault is observed:
messages.log
Feb 8 08:11:11 mgmt kernel: useridd[4517]: segfault at 8 ip 00000000f736e82c sp 00000000e848f0d0 error 4 in libpancommon_mp.so.1.0[f720e000+334000]
Feb 8 08:12:16 mgmt kernel: useridd[5267]: segfault at 8 ip 00000000f73e582c sp 00000000e740d0d0 error 4 in libpancommon_mp.so.1.0[f7285000+334000]
Feb 8 08:16:49 mgmt kernel: useridd[5460]: segfault at 8 ip 00000000f739382c sp 00000000e814d0d0 error 4 in libpancommon_mp.so.1.0[f7233000+334000]
2) the regex looks not to be matched properly
userid.log
2017-02-08 08:57:27.993 +0100 pan_user_id_syslog_server_apply_regex_to_msg: No match found in msg <181>
3) userid crashes multiple times which ends up in firewall reboot

User-ID is matched, but after a few minutes the firewall ends up rebooting itself with the error message:

useridd: restarts exhausted, rebooting system

I've upgraded ISE to version 2.2 and I'm going to try once again to create a regex for User-ID.
