Aruba Wireless Authentication User-IP Mapping Question

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Aruba Wireless Authentication User-IP Mapping Question

L1 Bithead

Hi,

 

I have an Aruba Instant Cluster with an SSID set up to user a radius server to authenticate users. The cluster controller is configured to send syslog data to a Paloalto User Agent running on a Windows server. I've had this set up for a time but am now moving in to a updated OS (Windows 2016) and updated UA (8.0.10-7). My question revolves around wireless disconnects, when radius authenticated users leave the cluster or shut down their devices, I'd like the user-ip mapping to get deleted. In the syslog I get this to capture the authentication and mapping:

 

2018-09-26 11:12:36 Local1.Notice 10.54.132.240 Sep 26 11:12:36 2018 10.54.132.240 stm[2367]: <501199> <NOTI> <10.1.1.1 AC:A3:1E:C2:D2:9C> User authenticated, mac-a0:cc:2b:80:ad:bb, username-jsmith, IP-10.2.2.2, method-802.1x, role-PrivateSSID

 

But I don't see anything in the log that captures the disconnect that includes the user name. I do have this:

 

2018-09-26 11:13:39    Local1.Notice    10.54.132.240    Sep 26 11:13:39 2018 10.54.132.240 stm[2367]: <501217> <NOTI> <10.1.1.1 AC:A3:1E:C2:D2:9C>  update_ip_mac_role_acl_vlan 15467: user entry deleted for 10.2.2.2-a0:cc:2b:80:ad:bb

 

But in building the syslog logoff filter in the UA GUI, it seems 'username' is required.

 

Anyone have suggestions on how I can build out a user agent logoff filter that can capture the wireless client disconnects?

 

Thanks.

 

Dan

9 REPLIES 9

Cyber Elite
Cyber Elite

@Dan,

Generally for something like this I would actually build it out with the API and not the  user-id agent. 

@BPry

 

As I havent' worked with the API, where would be a good place to start?

 

Thanks.

@Dan

HERE's some decent documentation that is based on 7.1. Process is the same though 

L3 Networker

We also have Aruba and Palo Alto, but we chose to have our wireless controllers (campus, not Instant) send syslog data directly to the firewall instead of to a Windows server. See if you can find the string 'User de-authenticated' in your controllers logs, those entries should include the user name.

@TerjeLundbo

 

are you using the built in user-id agent and sending the syslog data to that or are you using the API as BPry suggested above? If you're sending/using the syslog data are you doing a regex expression and might you be able to share what that looks like?

 

Thanks.

 

Dan

We are sending syslog from the controllers direct to our firewall. What you need to do is:

 

1. Go to Device -> User Identification and click on the Settings Button for Palo Alto Networks User-ID Agent Setup

2. Go to the tab called Syslog Filters and add the following two profiles:

Syslog Parse Profile:	Aruba Login
Type:			Field Identifier
Event String:		Authentication Successful
Username Prefix:	username=
Username Delimiter:	\s
Address Prefix:		IP=
Address Delimiter:	\s

Syslog Parse Profile:	Aruba Logout
Type:			Field Identifier
Event String:		User de-authenticated
Username Prefix:	name=
Username Delimiter:	\s
Address Prefix:		IP=
Address Delimiter:	\s

 

3. Add all your controllers and/or IAPs as Syslog Sender under Device -> User Identification -> Server Monitoring on PA. Set your AD domain as Default Domain Name and set the two Syslog Parse Profiles you added in step 2 as filter for events login and logout repsectively.

 

There are other steps you need to do also of course, like configure controllers/IAPs to send syslog to PA for user events. Let me know if you need more info.

 

PS! If I remember correctly the logout event (User de-authenticated) will be logged on controllers if the user manually disconnects from the wireless network. If the device is removed from the wireless network without disconnecting I don't think anything will be logged and the IP-user-mapping will timout on PA according to your setup.

 

Edit: I think support for the logout event came in PAN-OS 8. Earlier versions have only login events.

Hi TerjeLundbo,

 

Please, could you post the syslog settings for an Aruba controller?

 

Many thanks

 

Andrew

This worked with me like a charm!

 

aruba-pc.pngaruba-phone.png

 

Regards,

Sharief

Regards,
Sharief

On each wireless controller you need to enable logging of user authentications and you need to send each authentication event as syslog to the firewall. Commands are:

 

logging level notifications user process authmgr
logging <FW IP address> type user severity notifications facility local1 source-interface <mgmt vlan of the controller>

 

  • 9678 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!