using syslog to integrate Ruckus ZoneDirector & PAN for user identification


L1 Bithead

I am trying to integrate Ruckus ZoneDirector & PAN for user identification by using syslog. However, the syslog message generated by Ruckus ZoneDirector doesn't have the user's IP address. It only contains the user name and MAC address of the device, as shown below.

<134>Sep 20 12:16:34 syslog: eventd_to_syslog():User[GUEST@8c:70:5a:4e:a2:8c] joins WLAN[GUEST-WLAN] from AP[AP4@00:25:c4:13:a6:40] 25:c4:13:a6:4c roams from AP[AP4@00:25:c4:13:a6:40]

Therefore, I cannot extract the user name and IP address from the syslog message for passing them to the PAN User-ID Agent. Is there any solution?

4 REPLIES 4

L3 Networker

I can think of a couple of options off the top of my head, but either will require a bit of extra work on the scripting side.

1) you could dump/query the ARP table on the AP when you get an auth/join message.  I'm not familiar with the tools and APIs available on Ruckus so this may be easy or near impossible.

2) you could monitor your DHCP server as well and correlate the IP/MAC mappings it hands out.

Also, what's the backend auth mechanism that your Ruckus system is using?  Any chance that system (i.e. a RADIUS server) would log IPs?

Hi Drogers,

Thanks for your reply!

Ruckus can integrate with AD, LDAP, RADIUS or use its internal user database for authentication. For integration with AD, there is no problem identifying wireless LAN users because PAN can also integrate with AD. For authentication with RADIUS, there is also no problem as long as RADIUS can send a syslog message with the user name and IP address. However, integration of PAN with Ruckus is necessary when customers use the Ruckus internal user database for authentication.

I think both of your suggested solutions may work and I will try to follow your suggestion to solve this problem.

L0 Member

Check the new 9.8 firmware version of ZD.

L0 Member

I found a Fix!

Settings to apply on Ruckus ZoneDirector

Troubleshooting > Diagnostics > Enable "Client Association" in the debug logs.

System > System Setting > Log Settings

 - Enable Remote syslog, use the IP Address of a Palo Alto User-ID Agent or the Management port on the firewall listening for syslog traffic

Zone Director Settings

 Facility Name: Local0 Priority Level: Info

Managed AP Settings

 Facility Name: Local1 Priority Level: Info

I'm using Regex syslog filter to pull the required info.

User login / IP Update event.

Event Regex: operation=(update|add){1}

Username Regex: sta_name(?:=.*\\|=)([A-Za-z0-9@._]+)

Address Regex: sta_ip=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})

User Logout Event

Event Regex: operation=(del){1}

Username Regex: sta_name(?:=.*\\|=)([A-Za-z0-9@._]+)

Address Regex: sta_ip=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})

Hope this helps!
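
A way to dry-run the filter patterns from the post above before loading them into the User-ID syslog filter (an added example, not part of the original post). The `operation=`/`sta_name=`/`sta_ip=` sample lines are constructed: only those three field names come from the regexes, the rest of the line layout is an assumption, and the `ipaddress` check is an extra step that the filter itself does not perform.

```python
import ipaddress
import re

# Patterns copied verbatim from the post above.
LOGIN_EVENT = re.compile(r"operation=(update|add){1}")
LOGOUT_EVENT = re.compile(r"operation=(del){1}")
USERNAME = re.compile(r"sta_name(?:=.*\\|=)([A-Za-z0-9@._]+)")
ADDRESS = re.compile(r"sta_ip=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})")

# Constructed sample input (assumed layout), plus the join line from the
# original question, which carries no IP address and must not match.
SAMPLES = [
    "<134>Sep 20 12:16:40 stamgr: operation=add sta_name=GUEST sta_ip=10.0.0.23",
    r"<134>Sep 20 12:17:02 stamgr: operation=update sta_name=CORP\alice sta_ip=10.0.0.24",
    "<134>Sep 20 12:45:10 stamgr: operation=del sta_name=GUEST sta_ip=10.0.0.23",
    "<134>Sep 20 12:16:34 syslog: eventd_to_syslog():User[GUEST@8c:70:5a:4e:a2:8c] "
    "joins WLAN[GUEST-WLAN] from AP[AP4@00:25:c4:13:a6:40]",
    "<134>Sep 20 12:50:00 stamgr: operation=add sta_name=GUEST sta_ip=999.1.1.1",
]

def parse_event(line):
    """Return (action, user, ip) if the line yields a usable mapping, else None."""
    if LOGIN_EVENT.search(line):
        action = "login"
    elif LOGOUT_EVENT.search(line):
        action = "logout"
    else:
        return None  # not a client association event
    user = USERNAME.search(line)
    addr = ADDRESS.search(line)
    if not (user and addr):
        return None
    try:
        # The address regex accepts octets above 255; reject those here.
        ip = ipaddress.ip_address(addr.group(1))
    except ValueError:
        return None
    return action, user.group(1), str(ip)

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_event(sample))
```
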
