09-20-2012 08:52 AM
I am trying to integrate Ruckus ZoneDirector & PAN for user identification by using syslog. However, the syslog message generated by Ruckus ZoneDirector doesn't have the user's IP address. It only contains the user name and MAC address of the device, as shown below.
<134>Sep 20 12:16:34 syslog: eventd_to_syslog():User[GUEST@8c:70:5a:4e:a2:8c] joins WLAN[GUEST-WLAN] from AP[AP4@00:25:c4:13:a6:40] 25:c4:13:a6:4c roams from AP[AP4@00:25:c4:13:a6:40]
Therefore, I cannot extract the user name and IP address from the syslog message for passing them to the PAN User-ID Agent. Is there any solution?
09-20-2012 10:53 AM
I can think of a couple of options off the top of my head, but either will require a bit of extra work on the scripting side.
1) you could dump/query the ARP table on the AP when you get an auth/join message. I'm not familiar with the tools and APIs available on Ruckus so this may be easy or near impossible.
2) you could monitor your DHCP server as well and correlate the IP/MAC mappings it hands out.
Also, what's the backend auth mechanism that your Ruckus system is using? Any chance that system (i.e. a RADIUS server) would log IPs?
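A sketch of option 2 above, added here as an example and not code from any poster in this thread: it pairs the MAC in ZoneDirector join events (the format quoted in the question) with DHCP leases to produce user-to-IP mappings. The ISC dhcpd `DHCPACK` log format, the sample DHCP lines and the `alice` join line are assumptions constructed for illustration.

```python
import ipaddress
import re

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Join event as quoted in the question: User[<name>@<mac>] joins WLAN[...]
JOIN_RE = re.compile(rf"User\[(?P<user>[^@\]]+)@(?P<mac>{MAC})\] joins", re.I)
# Assumed DHCP source: ISC dhcpd "DHCPACK on <ip> to <mac> [(host)] via <if>"
ACK_RE = re.compile(rf"DHCPACK on (?P<ip>\S+) to (?P<mac>{MAC})", re.I)

def correlate(lines):
    """Return new (user, ip) mappings in the order they become known."""
    user_by_mac, ip_by_mac, user_by_ip, out = {}, {}, {}, []
    for line in lines:
        join, ack = JOIN_RE.search(line), ACK_RE.search(line)
        if join:
            mac = join["mac"].lower()
            user_by_mac[mac] = join["user"]
        elif ack:
            mac = ack["mac"].lower()
            try:  # reject anything that is not a well-formed address
                ip_by_mac[mac] = str(ipaddress.ip_address(ack["ip"]))
            except ValueError:
                continue
        else:
            continue
        # Either event order works: emit once both halves are known,
        # and only when the mapping for that IP actually changes.
        user, ip = user_by_mac.get(mac), ip_by_mac.get(mac)
        if user and ip and user_by_ip.get(ip) != user:
            user_by_ip[ip] = user
            out.append((user, ip))
    return out

# First line is the message from the question; the rest are constructed samples.
SAMPLE = [
    "<134>Sep 20 12:16:34 syslog: eventd_to_syslog():User[GUEST@8c:70:5a:4e:a2:8c] "
    "joins WLAN[GUEST-WLAN] from AP[AP4@00:25:c4:13:a6:40]",
    "Sep 20 12:16:35 dhcp1 dhcpd: DHCPACK on 192.168.10.23 to 8c:70:5a:4e:a2:8c (guest-phone) via eth0",
    "Sep 20 12:46:35 dhcp1 dhcpd: DHCPACK on 192.168.10.23 to 8c:70:5a:4e:a2:8c (guest-phone) via eth0",
    "Sep 20 12:50:01 dhcp1 dhcpd: DHCPACK on 192.168.10.40 to aa:bb:cc:dd:ee:01 via eth0",
    "<134>Sep 20 12:50:02 syslog: eventd_to_syslog():User[alice@AA:BB:CC:DD:EE:01] "
    "joins WLAN[STAFF-WLAN] from AP[AP2@00:25:c4:13:a6:50]",
    "Sep 20 12:51:00 dhcp1 dhcpd: DHCPACK on 999.1.1.1 to 8c:70:5a:4e:a2:8c via eth0",
]

if __name__ == "__main__":
    for user, ip in correlate(SAMPLE):
        print(f"{user} -> {ip}")
```

The sketch only produces login mappings; leave/disconnect events and lease expiry are not handled, so mappings would need a timeout on the User-ID side.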
10-08-2012 11:46 PM
Hi Drogers,
Thanks for your reply!
Ruckus can integrate with AD, LDAP, RADIUS or use its internal user database for authentication. For integration with AD, there is no problem identifying wireless LAN users because PAN can also integrate with AD. For authentication with RADIUS, there is also no problem as long as RADIUS can send a syslog message with the user name and IP address. However, integration of PAN with Ruckus is necessary when customers use the Ruckus internal user database for authentication.
I think both of your suggested solutions may work and I will try to follow your suggestion to solve this problem.
05-06-2022 12:47 PM
I found a Fix!
Settings to apply on Ruckus ZoneDirector
Troubleshooting > Diagnostics > Enable "Client Association" in the debug logs.
System > System Setting > Log Settings
- Enable Remote syslog, use the IP Address of a Palo Alto User-ID Agent or the Management port on the firewall listening for syslog traffic
Zone Director Settings
Facility Name: Local0 Priority Level: Info
Managed AP Settings
Facility Name: Local1 Priority Level: Info
I'm using Regex syslog filter to pull the required info.
User login / IP Update event.
Event Regex: operation=(update|add){1}
Username Regex: sta_name(?:=.*\\|=)([A-Za-z0-9@._]+)
Address Regex: sta_ip=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})
User Logout Event
Event Regex: operation=(del){1}
Username Regex: sta_name(?:=.*\\|=)([A-Za-z0-9@._]+)
Address Regex: sta_ip=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})
Hope this helps!