Meru Integration with PANOS 6.1.5

Reply
Highlighted

Meru Integration with PANOS 6.1.5

HI Folks,

We're trying integrate our Meru system with Palo Alto Networks. but can't find any documentation.

As far as i can see we have two options:

- Radius

- Syslog feed straight to the PA device.

Has anyone created the regex's / parsers for Meru and Syslog integration with Palo?

Many Thanks,

Chris

Highlighted
L0 Member

Re: Meru Integration with PANOS 6.1.5

Hey Chris,

I just completed this configuration. This is a syslog config with Meru's Captive Portal authentication.

PANOS 6.1.5, User-ID agent 6.0.2-3.

The only difference is I'm using a User-ID Agent rather than direct to the firewall, but both should work.

First, we send the syslog to the User-ID agent (or firewall).

From Meru's Controller CLI :  syslog-host <IP address of User-ID agent or firewall>

There are two syslog entries that we can match on for Captive Portal, the request or success:

Jul 29 08:25:05 10.246.116.208 xems: 1438172705l | security | info | CAP | Captive Portal User(myname@172.21.0.53) login Request Received.

Jul 29 08:25:06 10.246.116.208 SecurityMM: 1438172706l | security | info | CAP | myname@172.21.0.53 StationMac[7c:d1:c3:8d:4e:ea] Radius User logged in OK

The first log entry is pre-authentication on the Meru, so the second entry would be ideal to match on.

However, I have had difficulty matching the second entry, but no problem matching the first entry. (I probably need to use regex for the second one)

A failed login would still send a user-id mapping to the firewall, but still wouldn't allow the user past the Captive Portal, so we should be able to use it without issue.

First, enable the syslog service in the agent setup. Then add a new filter.

user-agent1-filter-setup.jpg

To match the first log entry, create the following filter in the User-ID agent.

user-agent1-filter.jpg

Then create the syslog server listener referring to the name of the filter we created above.

user-agent1-senderserver-setup.jpg

Don't forget to commit the configuration on the agent!

The setup direct to the firewall should be similar.

The following is the User-ID agent debug log for a successful login/mapping.

07/29/15 10:32:06:640[Debug  372]: Syslog: Msg is '<38>xems: 1438180326l | security | info | CAP | Captive Portal User(myname@172.21.0.53) login Request Received.'

07/29/15 10:32:06:640[Debug  454]: Syslog: Discovered User (myname), Address (172.21.0.53) in tId (2432)

07/29/15 10:32:06:640[Debug  178]: UserIpMap: IP 172.21.0.53 with login name admin\myname and timeout 28800 is added. tId (2432)

07/29/15 10:32:06:640[Debug 1039]: Syslog UDP: User (admin\myname), IP(172.21.0.53), Discovered at (1438180326), with Timeout (28800) tId(2432)

07/29/15 10:32:06:640[Debug  178]: UserIpMap: IP 172.21.0.53 with login name admin\myname and timeout 28800 is added. tId (2432)

07/29/15 10:32:06:671[Debug  242]: UserIpMap: IP (172.21.0.53) Username (admin\myname) queued for xmission to firewall

If I create a filter for the success logon that works I'll add it, or perhaps someone else can!

Hopefully this helps.

Cheers,

Miles.

Highlighted
L2 Linker

Re: Meru Integration with PANOS 6.1.5

Hi Chris,

I've also just performed Meru user-ID integration.. testing and working on 6.1.5 and 6.1.6.. however does rely on Meru Smart Connect:

We limit the amount of information being sent to the PA devices once a user has successfully authenticated using a custom syslog message and then use Field Identifier value to extract the user-id information.

Meru uses Smart Connect for the on boarding, provides authentication and handles 802.1x profiles for the devices. From this Smart Connect device we setup syslog forwarding and configured Custom Message Format:

meru smart connect.png

We limited the amount of information being sent to the PA devices using the format you can see in the above screenshot.

Syslog Parsing Profile implemented on Palo:

Palo parse.png

  Hope that helps

Regards,

Ben

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!