Use Syslog Receiver to Integrate with Cisco Wireless Controller Series

by smalayappan on 12-16-2014 11:43 AM - edited on 08-02-2016 12:06 AM by (15,259 Views)

Overview

This document describes how to configure the User-ID Agent to obtain User-to-IP mappings from a Cisco Wireless controller.

 

Details

Shown below is a typical example of a syslog message from the wireless controller. The bolded fields (the user name and the client IP address) are the information extracted from the syslog to build a User-IP mapping for a client connecting through the Cisco Wireless controller.

9    28.211036    194.36.58.245    192.168.10.248    Syslog    425    LOCAL7.DEBUG: community=Test_Syslog, enterprise=1.3.6.1.4.1.9.9.599.0.4, uptime=384972600, agent_ip=194.36.58.245, version=Ver2, cldcClientMacAddress.0=+;\273t\260\313, cLApName.0=ap-gl-01, cldcApMacAddress.0="Hex String=40 F4 EC 12 3A 40", 1.3.6.1.4.1.9.9.513.1.2.1.1.1.0=1, cldcClientIPAddress.0=10.100.254.157, 1.3.6.1.4.1.9.9.599.1.3.1.1.27.0=rhillcoat, 1.3.6.1.4.1.9.9.599.1.3.1.1.28.0=Howco_Exec

 

The screenshot below shows how to parse this message and extract the needed details. A Field Identifier is used instead of a Regex.

 

 

Some versions of Cisco WLC may send a slightly different syslog message than the one shown above. If your Cisco WLC syslog format looks like the one pasted below (note in particular the highlighted string that holds the user's IP address), then a different string needs to be configured as the “Address Prefix” value.

 

07-29-2016      11:32:34        Local7.Debug    10.2.22.31      community=PA_TEST31, enterprise=1.3.6.1.4.1.9.9.599.0.4, uptime=1163840600, agent_ip=10.2.17.39, version=Ver2, 1.3.6.1.4.1.9.9.599.1.3.1.1.1.0="Hex String=44 00 10 2D CC 2D", 1.3.6.1.4.1.9.9.513.1.1.1.1.5.0=MUM04-CSAP11, 1.3.6.1.4.1.9.9.599.1.3.1.1.8.0=P???WP, 1.3.6.1.4.1.9.9.513.1.2.1.1.1.0=0, 1.3.6.1.4.1.9.9.599.1.3.1.1.10.0=10.2.60.62, 1.3.6.1.4.1.9.9.599.1.3.1.1.27.0=corp\user.name1, 1.3.6.1.4.1.9.9.599.1.3.1.1.28.0=CMSPL-11BG

 

Use the string 1.3.6.1.4.1.9.9.599.1.3.1.1.10.0= in the “Address Prefix” field. See the screenshot below for details.

 image001.png

Note that trailing spaces can cause problems when parsing the syslog message. When pasting the text into the “Syslog Parse Profile” window, make sure to delete all spaces at the end of the string.


Note: Make sure the Syslog listener is on the interface that is expected to reach the device. Cisco WLC native Syslog messages do not contain authentication information, so User-ID mappings cannot be derived from them. Cisco WLC generates SNMP Traps that do contain this information, so the SNMP Trap must be converted into a Syslog message. To achieve this, follow the document: Cisco WLC - Palo Alto Networks config guide.pdf

 

owner: smalayappan

Comments
by baris_acik
on ‎01-15-2015 10:22 PM

Hello,

What is the model number of the WLC from which you get the syslogs above? We are using a Cisco WLC 2504, and the authentication information is in the SNMP trap logs, not in syslog. So I am unable to send the logs to the Palo Alto firewall in order to be parsed.

by smalayappan
on ‎01-18-2015 02:38 PM

I don't remember the model off the top of my head; however, if you can send me a snapshot of the SNMP trap message, I will try to create a parser for you.

by stevenmills77
on ‎01-18-2015 11:19 PM

I have the same issue. The example message shown looks like it is from an SNMP trap generated by the Cisco WLC, not a syslog message; there doesn't appear to be a syslog message that contains both the username and IP address. Do I need to use a third-party application to convert SNMP traps to Syslog for this to work?

by bartoq
on ‎01-20-2015 03:20 AM

You can find a more detailed config guide here: Cisco Wireless LAN Controller Palo Alto Networks Config Guide

You need a method to convert SNMP traps to syslog. In this example I am using the Kiwi Syslogd server, but you can use any syslog server that is capable of converting SNMP to syslog.

by f.giraud
on ‎06-23-2015 07:23 AM

Hi,

I receive the account name of the user but not the ip address of the user in the snmp trap.

Any idea? (Cisco WLC 8.0)

by JeffryTanudjaja
10-22-2015 07:07 PM - edited 10-22-2015 07:07 PM

You need to ensure your WLC is sending authentication and/or association (CMIIW).

 

Go to Management >> SNMP >> SNMP Trap Controls >> client

 

by mhume
on ‎12-30-2015 09:39 AM

Hello,

 

I am having the same problem as f.giraud. When I look at the SNMP traps coming in on Kiwi syslog, I don't see cldcClientIPAddress.0=. I am running 8.1 code on the Cisco WLC. I have been at this a while now trying to get this set up properly, and I can only assume that this is my issue at this point.

by Quinton
on ‎01-11-2016 08:29 AM

It would be great if Palo could add SNMP traps to their User-ID listener. Then you could send the client association SNMP traps from the Cisco WLC directly to PAN for parsing.

 

by cdelestal@netics.cat
on ‎06-29-2016 03:18 AM

Hello, the field for the "ip address prefix" may be an SNMP OID, not an alphanumeric value; see the image attached.

syslog.jpg

 

Our Cisco WLC was using firmware 8.0.121.0 and worked well with PANOS 7.0.6.

 

When we used the "ddcclientipaddress" prefix in our environment it didn't work at all, so changing it to the SNMP OID solved the issue with user ID to IP address mapping via syslog.

by smisra
on ‎08-15-2016 05:49 PM

Issue: UIA Agent not receiving user-IP mapping information, though pcaps show that syslog messages are received from the Cisco WLC on the Kiwi server. Also, entering the same information for the username, the IP address, the delimiters and the 'Event String' as in the pcap under Setup > Syslog Parse Profile > Field Identifier.

 

Solution: We see the error "Received a message on UDP listening socket from... But no matching syslog server config..." in the logs.

 

Added the Syslog Server IP and Profile under UIA Agent > Discover tab. Commit the changes. Restart the User-ID Agent.

by Febin
on ‎09-25-2016 02:08 AM

Cisco WLC native Syslog messages do not contain authentication information, so User-ID mappings cannot be derived from them. Cisco WLC generates SNMP Traps that do contain this information. In order to convert SNMP traps to SYSLOG messages, apply the commands below in the Cisco Wireless LAN Controller and send SYSLOG directly to the Palo Alto firewall.

 

(Cisco Controller) >config logging syslog facility client associate

(Cisco Controller) >config logging syslog facility client authentication

by Networker2b
on ‎11-21-2016 11:36 PM

Hi

Can anybody help me please regarding this problem? I have a Cisco WLC 5508, tried a number of times but failed. My traps are showing only the username and are missing the IP address.

 

 

by FTBZ
12-07-2016 11:40 AM - edited 12-07-2016 09:26 PM

@Febin Many thanks for the tips! For years nobody had found these options because everybody was taking the Palo Alto information as engraved in marble 😜.

by Vovale
on ‎02-08-2017 12:32 PM

I'm currently working with a WLC 2504 running version 8.0.110.0. I ran these commands on my controller as @Febin recommended:

config logging syslog facility client authentication

config logging syslog facility client associate

 

I can see now logs like these:

WLC_NAME: *Dot1x_NW_MsgTask_2: Feb 08 14:38:49.791: #APF-3-AUTHENTICATION_TRAP: apf_80211.c:15520 Client Authenticated: MACAddress:18:65:90:48:e0:3a Base Radio MAC:0c:68:03:2c:fc:d0 Slot:1 User Name:MYUSERNAME Ip Address:192.168.237.101 SSID:MYSSID

 

But I can't configure the filter on the Palo Alto to identify the user.

Any help will be appreciated.
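The Field Identifier approach from the article (an exact prefix string followed by a delimiter) applied to all three Cisco WLC formats on this page: the two SNMP-trap-derived messages in the article and the native APF-3-AUTHENTICATION_TRAP line in the comment above. This is example code added here, not User-ID Agent's own parser; the profile names and the `field` and `map_user_ip` functions are assumptions, and the sample messages are constructed from the page's formats.

```python
import re

# Added example, not User-ID Agent's own parser: a "Field Identifier" profile
# locates each field by an exact prefix string and ends it at a delimiter.
# Sample messages below are constructed (trimmed) from the formats on this page.
TRAP_NAMED = (r'LOCAL7.DEBUG: community=Test_Syslog, enterprise=1.3.6.1.4.1.9.9.599.0.4, '
              r'cldcClientMacAddress.0=+;\273t\260\313, cLApName.0=ap-gl-01, '
              r'cldcClientIPAddress.0=10.100.254.157, 1.3.6.1.4.1.9.9.599.1.3.1.1.27.0=rhillcoat, '
              r'1.3.6.1.4.1.9.9.599.1.3.1.1.28.0=Howco_Exec')
TRAP_OID = (r'Local7.Debug 10.2.22.31 community=PA_TEST31, enterprise=1.3.6.1.4.1.9.9.599.0.4, '
            r'1.3.6.1.4.1.9.9.599.1.3.1.1.10.0=10.2.60.62, 1.3.6.1.4.1.9.9.599.1.3.1.1.27.0=corp\user.name1, '
            r'1.3.6.1.4.1.9.9.599.1.3.1.1.28.0=CMSPL-11BG')
NATIVE = (r'WLC_NAME: *Dot1x_NW_MsgTask_2: Feb 08 14:38:49.791: #APF-3-AUTHENTICATION_TRAP: '
          r'apf_80211.c:15520 Client Authenticated: MACAddress:18:65:90:48:e0:3a '
          r'User Name:MYUSERNAME Ip Address:192.168.237.101 SSID:MYSSID')

# One profile per format (names are assumptions): event string, prefixes, delimiter.
PROFILES = {
    "wlc-trap-named": dict(event="enterprise=1.3.6.1.4.1.9.9.599.0.4",
                           user="1.3.6.1.4.1.9.9.599.1.3.1.1.27.0=",
                           addr="cldcClientIPAddress.0=", delim=","),
    "wlc-trap-oid": dict(event="enterprise=1.3.6.1.4.1.9.9.599.0.4",
                         user="1.3.6.1.4.1.9.9.599.1.3.1.1.27.0=",
                         addr="1.3.6.1.4.1.9.9.599.1.3.1.1.10.0=", delim=","),
    "wlc-native": dict(event="#APF-3-AUTHENTICATION_TRAP:",
                       user="User Name:", addr="Ip Address:", delim=" "),
}
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}$")

def field(msg, prefix, delim):
    """Text between the exact prefix and the next delimiter (or end of message).
    The prefix must match character-for-character, which is why a pasted trailing space breaks it."""
    start = msg.find(prefix)
    if start < 0:
        return None
    start += len(prefix)
    end = msg.find(delim, start)
    return msg[start:] if end < 0 else msg[start:end]

def map_user_ip(msg):
    """Return (username, ip) from the first profile whose event string and both fields match."""
    for prof in PROFILES.values():
        if prof["event"] not in msg:
            continue
        user = field(msg, prof["user"], prof["delim"])
        ip = field(msg, prof["addr"], prof["delim"])
        if user and ip and IPV4.match(ip):
            return user, ip
    return None  # no usable mapping in this message
```

The `wlc-trap-named` and `wlc-trap-oid` profiles share an event string, so a message from a newer WLC falls through the first profile (no `cldcClientIPAddress.0=` field) and is picked up by the OID-based one.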
