07-23-2015 10:05 AM
Hi Folks,
We're trying to integrate our Meru system with Palo Alto Networks, but can't find any documentation.
As far as I can see we have two options:
- Radius
- Syslog feed straight to the PA device.
Has anyone created the regexes / parsers for Meru and Syslog integration with Palo?
Many Thanks,
Chris
07-29-2015 11:39 AM
Hey Chris,
I just completed this configuration. This is a syslog config with Meru's Captive Portal authentication.
PANOS 6.1.5, User-ID agent 6.0.2-3.
The only difference is I'm using a User-ID Agent rather than direct to the firewall, but both should work.
First, we send the syslog to the User-ID agent (or firewall).
From Meru's Controller CLI: syslog-host <IP address of User-ID agent or firewall>
There are two syslog entries that we can match on for Captive Portal, the request or success:
Jul 29 08:25:05 10.246.116.208 xems: 1438172705l | security | info | CAP | Captive Portal User(myname@172.21.0.53) login Request Received.
Jul 29 08:25:06 10.246.116.208 SecurityMM: 1438172706l | security | info | CAP | myname@172.21.0.53 StationMac[7c:d1:c3:8d:4e:ea] Radius User logged in OK
The first log entry is pre-authentication on the Meru, so the second entry would be ideal to match on.
However, I have had difficulty matching the second entry, but no problem matching the first entry. (I probably need to use regex for the second one)
A failed login would still send a user-id mapping to the firewall, but still wouldn't allow the user past the Captive Portal, so we should be able to use it without issue.
First, enable the syslog service in the agent setup. Then add a new filter.
To match the first log entry, create the following filter in the User-ID agent.
Then create the syslog server listener referring to the name of the filter we created above.
Don't forget to commit the configuration on the agent!
The setup direct to the firewall should be similar.
The following is the User-ID agent debug log for a successful login/mapping.
07/29/15 10:32:06:640[Debug 372]: Syslog: Msg is '<38>xems: 1438180326l | security | info | CAP | Captive Portal User(myname@172.21.0.53) login Request Received.'
07/29/15 10:32:06:640[Debug 454]: Syslog: Discovered User (myname), Address (172.21.0.53) in tId (2432)
07/29/15 10:32:06:640[Debug 178]: UserIpMap: IP 172.21.0.53 with login name admin\myname and timeout 28800 is added. tId (2432)
07/29/15 10:32:06:640[Debug 1039]: Syslog UDP: User (admin\myname), IP(172.21.0.53), Discovered at (1438180326), with Timeout (28800) tId(2432)
07/29/15 10:32:06:640[Debug 178]: UserIpMap: IP 172.21.0.53 with login name admin\myname and timeout 28800 is added. tId (2432)
07/29/15 10:32:06:671[Debug 242]: UserIpMap: IP (172.21.0.53) Username (admin\myname) queued for xmission to firewall
If I create a filter for the success logon that works I'll add it, or perhaps someone else can!
Hopefully this helps.
Cheers,
Miles.
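Added example, not part of the original posts: a Python sketch for prototyping regular expressions against the two Captive Portal log lines quoted above, so that only the post-authentication "logged in OK" event yields a user-to-IP mapping. The function names and patterns are assumptions of this example; whether the User-ID agent's regex filter accepts the same syntax unchanged has to be verified on the agent.

```python
import re

# Sample lines copied from the post above (the two Captive Portal events).
REQUEST_LINE = ("Jul 29 08:25:05 10.246.116.208 xems: 1438172705l | security | info | CAP | "
                "Captive Portal User(myname@172.21.0.53) login Request Received.")
SUCCESS_LINE = ("Jul 29 08:25:06 10.246.116.208 SecurityMM: 1438172706l | security | info | CAP | "
                "myname@172.21.0.53 StationMac[7c:d1:c3:8d:4e:ea] Radius User logged in OK")

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

# Pre-authentication event: user and address sit inside "User(...)".
REQUEST_RE = re.compile(
    r"Captive Portal User\((?P<user>[^@()\s]+)@(?P<ip>" + IPV4 + r")\) login Request Received")

# Post-authentication event: "user@ip StationMac[mac] Radius User logged in OK".
SUCCESS_RE = re.compile(
    r"\|\s*CAP\s*\|\s*(?P<user>[^@|\s]+)@(?P<ip>" + IPV4 + r")\s+"
    r"StationMac\[(?P<mac>[0-9A-Fa-f:]{17})\]\s+Radius User logged in OK")

def parse_meru_line(line):
    """Return (event, user, ip) for a Captive Portal line, or None if it is not one."""
    m = SUCCESS_RE.search(line)
    if m:
        return ("success", m.group("user"), m.group("ip"))
    m = REQUEST_RE.search(line)
    if m:
        return ("request", m.group("user"), m.group("ip"))
    return None

def mappings(lines, success_only=True):
    """Build {ip: user}. With success_only, pre-authentication requests are ignored."""
    out = {}
    for line in lines:
        parsed = parse_meru_line(line)
        if parsed is None:
            continue
        event, user, ip = parsed
        if success_only and event != "success":
            continue
        out[ip] = user
    return out

if __name__ == "__main__":
    for sample in (REQUEST_LINE, SUCCESS_LINE):
        print(parse_meru_line(sample))
```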
07-30-2015 08:12 AM
Hi Chris,
I've also just performed Meru User-ID integration, testing and working on 6.1.5 and 6.1.6. However, it does rely on Meru Smart Connect:
We limit the amount of information being sent to the PA devices once a user has successfully authenticated using a custom syslog message and then use Field Identifier value to extract the user-id information.
Meru uses Smart Connect for the onboarding, provides authentication and handles 802.1x profiles for the devices. From this Smart Connect device we set up syslog forwarding and configured a Custom Message Format:
We limited the amount of information being sent to the PA devices using the format you can see in the above screenshot.
Syslog Parsing Profile implemented on Palo:
Hope that helps
Regards,
Ben