Aruba AP with PAN, User-ID mapping with IP, Syslog Filters

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Aruba AP with PAN, User-ID mapping with IP, Syslog Filters

L1 Bithead

I'm trying to map User-ID to IP in our intranet so that we could easily identify User in PAN Traffic.

 

We have Aruba APs adn AC authenticating with external Radius Server,  While our PAN is sitting at the gateway.

 

What i'm trying to do is using Aruba AC sending debug level logs to PAN,  PAN could use Syslog Filters to filter our the mapping.

 

I'm wondering Anyone have ever done that succuessfully?

 

Thanks

3 REPLIES 3

Not sure about "AC", but I use Aruba Instant clusters.  I integrate user-id with PaloAlto two ways.

 

First, there is a native integration option

https://www.arubanetworks.com/techdocs/Instant_40_Mobile/Advanced/Content/UG_files/RTLS_conf/panFire...

 

Second, a syslog filter on the PaloAlto

Event Regex: User [aA]uthenticat(?:ed|ion)

Username Regex: username[-=]([a-zA-Z0-9\\._-]+)

Address Regex: [iI][pP][-=]([0-9.]+)

 

The syslog filter a backup in case the native integration fails.  I am currently trying to report a bug with the native integration where the Aruba will use the PaloAlto API to send a logout followed immediately by a login for an IP.  This often results in the login update not taking effect.

we don't have any integration on Windows.  

Only Aruba AP, AC and PAN 850.   I have tried with various Syslog Filter settings , but still nothing shows in Monitoring about Source User.  

 

I checked debug log in Aruba AC (Local), i could see all those '<NOTI> |authmgr| User Authentication Successful' logs, but can't reflect on PAN. no idea where set wrong.

 

 

I'm not sure why you are mentioning Windows.  The native integration is where the Aruba Instant controller will directly update a PaloAlto device using the PaloAlto API.

 

Impossible to say what is wrong.  Some troubleshooting tasks that jump to mind

- Do a packet capture on the firewall to see if the syslog messages are arriving

- Check logs.  System logs in the UI.  From the command line there are mp-log files for useridd.log and syslog-ng.log that could be useful.

- Verify under User Identification that the server sending the syslog messages is configured as a Monitored Server with your regex profile

- Verify the interface receiving the syslog messages has an Interface Management Profile that allows the User-ID Syslog Listener

  • 6712 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!