Cisco ISE integration for UserID

L4 Transporter

Greetings all,

 

I'm wondering if anyone else is using Cisco ISE for network access control and has experience integrating it to publish User ID to the Palo Alto firewalls?

 

I saw a support article for it, but the regex appears to be out of date. I found another guide somewhere else that suggested using field identifiers instead of regex, which is what I did. I can now get User-ID for devices logging in to an 802.1x SSID, for example.

 

My next challenge is devices that use MAC authorization, or MAB. I know this isn't really a recommended practice, but since we have on-campus housing, we need to support some SSIDs/networks that utilize this for all of those consumer devices that don't support better security like 802.1x. I believe ISE is publishing these RADIUS connections to the firewall; however, they appear as device MAC addresses, which is going to make user-based firewall rules difficult.

 

I know the username for a device logging in to a MAB-protected network technically is the MAC address, but we've used a previous solution for network access control that would instead publish the owner's username (i.e. the username they used to register/enroll the device), and I'm wondering if there is another way to implement the ISE/Palo connection that would give us the owner's username for these connections instead of the MAC address?

 

Thanks!

2 replies

L4 Transporter

This might help you with integrating User-ID from ISE with PA; this is what I had followed. But I am not sure if a device registered under MAB would use the user ID or the MAC.

 

http://k12itdir.blogspot.com/2016/02/paloalto-user-id-from-cisco-ise-nodes.html

Thanks for the link! I think I had actually found it already and was using it as a reference.

 

What I determined is that the RADIUS messages sent by ISE actually contain multiple username fields. UserName tends to be the actual user's ID, and User-Name seems to be the machine's ID. In the case of 802.1x they're both the user's ID, but with devices registered through ISE's My Devices portal that use MAB authentication the fields are different. Here is what I ended up doing so far:

 

Event Identifier: NOTICE Radius-Accounting:

Username Regex: (?<=UserName=)(?!([[:xdigit:]]{2}[:-]){5}[[:xdigit:]]{2})(.*?)(?=@|,)

Address Regex: (?<=Framed-IP-Address=).*?(?=\s*,)

 

The Username regex is basically looking for the UserName field entry and taking the information after it if it is not a MAC address; it then takes everything up until an @ or a comma, which means it will only take the username prefix if the ISE log contains a username in username@domain format.

 

What I'm trying to figure out now is how to do this so that I can still publish MAC address/IP mappings to the traffic logs if we want, but without prefixing them with the domain. We want the domain on there for authenticated users so that we can use User-ID-based policy, but any devices that we have as guests won't have a domain account, and we'd still want to see that user account info in the firewall. Unfortunately, the default domain isn't assigned at the syslog filter and is set on the server instead, and you can't add multiple instances of the same server.
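To check what the two regexes from the reply above actually extract before committing them to a syslog filter, here is an added example (not from the thread or from Palo Alto) that runs them in Python over constructed ISE-style accounting lines. Python's `re` has no POSIX `[[:xdigit:]]` class, so it is rewritten as `[0-9A-Fa-f]`; the sample line layout is an assumption, not copied from real ISE output.

```python
import re

# Regexes from the post, with [[:xdigit:]] rewritten as [0-9A-Fa-f]
# because Python's re module does not support POSIX bracket classes.
USERNAME_RE = re.compile(
    r"(?<=UserName=)(?!([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})(.*?)(?=@|,)"
)
ADDRESS_RE = re.compile(r"(?<=Framed-IP-Address=).*?(?=\s*,)")


def extract_mapping(line: str):
    """Return (username, ip) for one accounting line, or None when the
    UserName value is a MAC address (MAB session) or either field is
    missing, mirroring what the firewall's syslog filter would map."""
    user = USERNAME_RE.search(line)
    addr = ADDRESS_RE.search(line)
    if not user or not addr:
        return None
    return user.group(0), addr.group(0)


# Constructed sample lines (assumed field layout, loosely modelled on ISE
# RADIUS accounting syslog; not taken from a real ISE node).
SAMPLES = {
    # 802.1x: UserName and User-Name both carry the user, in user@domain form
    "dot1x": (
        "NOTICE Radius-Accounting: RADIUS Accounting start request, "
        "UserName=jdoe@campus.example, User-Name=jdoe@campus.example, "
        "Framed-IP-Address=10.20.30.40, Calling-Station-ID=00-11-22-33-44-55,"
    ),
    # MAB: UserName is the MAC, so the negative lookahead rejects the match
    "mab": (
        "NOTICE Radius-Accounting: RADIUS Accounting start request, "
        "UserName=00:11:22:33:44:55, User-Name=00-11-22-33-44-55, "
        "Framed-IP-Address=10.20.30.41, Calling-Station-ID=00-11-22-33-44-55,"
    ),
    # Guest account without a domain: match stops at the comma instead of @
    "guest": (
        "NOTICE Radius-Accounting: RADIUS Accounting start request, "
        "UserName=guest123, User-Name=guest123, "
        "Framed-IP-Address=10.20.30.42, Calling-Station-ID=AA-BB-CC-DD-EE-FF,"
    ),
}


def run_samples():
    """Apply the regexes to every constructed sample."""
    return {name: extract_mapping(line) for name, line in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name}: {result}")
```

Note that the lookbehind matches only the literal `UserName=`, so the `User-Name=` field on the same line never contributes a mapping.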
