Is there anything in the works for pulling User-ID data directly from a MS NPS server

L0 Member

User-ID integration with Microsoft AD is great, and works nicely, but we have the bulk of our users using RADIUS to authenticate wirelessly with 802.1x, and we're using a Microsoft NPS server to do that job. These users' devices are not necessarily (and often are not) Windows domain computers, so the LDAP lookups aren't providing the needed information for a User-ID mapping. Is there any good way to get that information from the NPS server?

1 accepted solution

Accepted Solutions

Roadmap questions are only answered under the NDA from your Sales team.  They can also see if there is an existing FR (Feature Request) for the functionality.  If there is an FR number you can add a "vote" for the feature.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

5 REPLIES

L4 Transporter

Hi

At the moment there isn't direct integration with NPS; however, a new feature in PAN-OS 6.0 called "User-ID Integration With Syslog" could be useful for you.

Please read the New Features Guide 6.0 (English), page 96.

Regards

SLawek

L4 Transporter

Hello,

One problem you might encounter with User-ID integration is that the IP in the Microsoft NPS logs is not the IP address of the client machine but that of the device performing the RADIUS auth on behalf of the client.

If the wireless device is capable of sending user and IP information in syslog format, then you can use the new feature in PAN-OS 6.0 mentioned above.

If the device is not able to send this information in syslog, such as a Cisco WLC (which uses SNMP), then you would need to have the information sent from the WLC to an SNMP collector.

On the SNMP collector you would need a way of parsing the event and forwarding it to PAN User-ID for User-ID integration.

L7 Applicator

You could configure Captive Portal. But I guess you don't want to force a login portal.

The issue with RADIUS is, as dmaynard says, that the IP association is in the payloads. There is a script posted in the Dev center to extract this for User-ID association. I'm not sure how well it works as I haven't used it.

Scripting solution for User ID working with Microsoft IAS/NPS

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
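Added example, illustrating the two points raised in this thread (the NAS-address pitfall in NPS logs and the "extract it from the accounting payload" approach). It is not the Dev center script linked above and not Palo Alto Networks or Microsoft code. It assumes NPS writes accounting in its DTS-compliant XML format (one `<Event>` per line with RADIUS attributes as child elements), that the wireless controller includes Framed-IP-Address in its accounting requests, and that mappings are delivered with the PAN-OS XML API User-ID call (`type=user-id&action=set`) carrying a `<uid-message>` version 1.0 payload. The log lines, firewall host and API key are constructed placeholders. Events that carry only NAS-IP-Address are deliberately dropped, since that address belongs to the authenticator, not the user.

```python
"""Added example, not the Dev center script linked above and not Palo Alto
Networks or Microsoft code: turn Microsoft NPS accounting events into
PAN-OS User-ID login/logout mappings.

Assumptions (hypothetical, for illustration):
  * NPS accounting is in DTS-compliant XML format, one <Event> per line.
  * The NAS (wireless controller) sends Framed-IP-Address in accounting.
    Events without it carry only NAS-IP-Address, the authenticator's own
    address, and must not be mapped to a user.
  * Delivery is the PAN-OS XML API call type=user-id&action=set with a
    <uid-message> version 1.0 body; host and key below are placeholders.
"""
import re
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample (not real NPS output). Line 2 lacks Framed-IP-Address,
# which is what you get when the NAS only reports its own address.
SAMPLE_NPS_LOG = """\
<Event><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">CORP\\jdoe</User-Name><NAS-IP-Address data_type="3">10.0.0.5</NAS-IP-Address><Framed-IP-Address data_type="3">10.20.30.40</Framed-IP-Address><Acct-Status-Type data_type="0">1</Acct-Status-Type></Event>
<Event><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">CORP\\asmith</User-Name><NAS-IP-Address data_type="3">10.0.0.5</NAS-IP-Address><Acct-Status-Type data_type="0">1</Acct-Status-Type></Event>
<Event><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">CORP\\bwong</User-Name><NAS-IP-Address data_type="3">10.0.0.5</NAS-IP-Address><Framed-IP-Address data_type="3">10.20.30.41</Framed-IP-Address><Acct-Status-Type data_type="0">1</Acct-Status-Type></Event>
<Event><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">CORP\\bwong</User-Name><NAS-IP-Address data_type="3">10.0.0.5</NAS-IP-Address><Framed-IP-Address data_type="3">10.20.30.41</Framed-IP-Address><Acct-Status-Type data_type="0">3</Acct-Status-Type></Event>
<Event><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">CORP\\jdoe</User-Name><NAS-IP-Address data_type="3">10.0.0.5</NAS-IP-Address><Framed-IP-Address data_type="3">10.20.30.40</Framed-IP-Address><Acct-Status-Type data_type="0">2</Acct-Status-Type></Event>
"""

ACCT_START, ACCT_STOP, ACCT_INTERIM = "1", "2", "3"   # RFC 2866 Acct-Status-Type
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def parse_nps_event(line):
    """Return (user, framed_ip, status) for one accounting event, or None.

    Drops anything that is not a Start/Stop/Interim-Update and any event
    with no Framed-IP-Address: falling back to NAS-IP-Address would map
    every wireless user to the controller.
    """
    line = line.strip()
    if not line:
        return None
    try:
        ev = ET.fromstring(line)
    except ET.ParseError:
        return None
    user = ev.findtext("User-Name")
    framed_ip = ev.findtext("Framed-IP-Address")
    status = ev.findtext("Acct-Status-Type")
    if not user or not framed_ip or status not in (ACCT_START, ACCT_STOP, ACCT_INTERIM):
        return None
    if not IPV4_RE.match(framed_ip):
        return None
    return user, framed_ip, status


def collect_mappings(lines):
    """Fold events into the latest state per IP: {ip: (user, "login"|"logout")}.

    Later events win, so a Stop after a Start yields a logout and an
    Interim-Update simply re-asserts the login.
    """
    state = {}
    for line in lines:
        parsed = parse_nps_event(line)
        if parsed is None:
            continue
        user, ip, status = parsed
        state[ip] = (user, "logout" if status == ACCT_STOP else "login")
    return state


def render_uid_message(mappings, timeout_minutes=60):
    """Build the <uid-message> document the User-ID XML API accepts."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    login = ET.SubElement(payload, "login")
    logout = ET.SubElement(payload, "logout")
    for ip, (user, action) in sorted(mappings.items()):
        if action == "login":
            ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout_minutes))
        else:
            ET.SubElement(logout, "entry", name=user, ip=ip)
    return ET.tostring(root, encoding="unicode")


def send_uid_message(firewall, api_key, uid_xml, verify_tls=True):
    """POST the payload to the firewall's XML API (hypothetical host and key).

    Not called below, so the example stays offline. verify_tls=False is
    only for lab boxes with self-signed certificates.
    """
    body = urllib.parse.urlencode({"type": "user-id", "action": "set",
                                   "key": api_key, "cmd": uid_xml}).encode()
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"https://{firewall}/api/", data=body, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    found = collect_mappings(SAMPLE_NPS_LOG.splitlines())
    print(found)
    print(render_uid_message(found))
```

Run against the constructed sample, jdoe's Start followed by a Stop becomes a logout entry, bwong's Start plus Interim-Update becomes a login entry, and asmith's event is discarded because it carries only the controller's NAS-IP-Address. If the controller never sends Framed-IP-Address in accounting, nothing will be mapped, which is the signal to fix the NAS configuration rather than to relax the filter.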

Yeah, I might have to look into that scripting solution. I'd definitely prefer native NPS integration, but who wouldn't? I just wonder if it's in the pipeline.
