10-06-2014 10:11 AM
I currently have a customer using RADIUS authentication on the wireless and User-ID on the PA. The problem is when two different users use the same machine. A teacher logs in and gets a policy applied to the session going through the firewall; she logs out and a student logs in to the same machine, and that student has the same privileges through the PA as the teacher did. It seems like the PA is not releasing the session and applying the correct policy to the new user. Any ideas?
Setup is HA 3020s and Aruba wireless. RADIUS auth is against a Microsoft 2012 server.
Thanks!
10-06-2014 11:18 AM
There are multiple methods to push user ip mappings:
--Using a syslog parser profile:
How to Collect the User-IP Mappings from a Syslog Sender Using an User-ID Agent
--Using XML API:
http://www.arubanetworks.com/wp-content/uploads/TechNote_ArubaAndPaloAltoNetworksIntegration.pdf
Hope it helps !
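As an added example (not code from the thread, from Palo Alto Networks or from Aruba), the helper below turns controller login/logout events into the User-ID XML API `<uid-message>` format referenced above and keeps a shadow IP-to-user table to show that it is the logout event that releases the IP before the next user's login. The firewall hostname, API key and the event list are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample events in the shape a parser would hand over: (action, user, ip).
# The teacher/student sequence mirrors the shared-machine case from the thread.
SAMPLE_EVENTS = [
    ("login", "school\\teacher1", "10.20.30.40"),
    ("logout", "school\\teacher1", "10.20.30.40"),
    ("login", "school\\student7", "10.20.30.40"),
]


def event_to_uid_message(action, user, ip, timeout_min=20):
    """Build one <uid-message> for a single login or logout event.

    A login entry carries a timeout so that a mapping whose logout is never
    seen still ages out; a logout entry releases the IP immediately.
    """
    if action not in ("login", "logout"):
        raise ValueError(f"unsupported action: {action}")
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "1.0"
    ET.SubElement(msg, "type").text = "update"
    payload = ET.SubElement(msg, "payload")
    section = ET.SubElement(payload, action)
    attrs = {"name": user, "ip": ip}
    if action == "login":
        attrs["timeout"] = str(timeout_min)
    ET.SubElement(section, "entry", attrib=attrs)
    return ET.tostring(msg, encoding="unicode")


def user_id_api_url(firewall, api_key, uid_xml):
    """Return the XML API URL for a User-ID update (type=user-id, cmd=<uid-message>)."""
    query = urlencode({"type": "user-id", "key": api_key, "cmd": uid_xml})
    return f"https://{firewall}/api/?{query}"


def expected_mapping(events):
    """Shadow IP->user table with the release semantics the firewall applies.

    A login binds the IP to the user; a logout for the currently mapped user
    frees the IP. Drop the logout from SAMPLE_EVENTS and the next login still
    overwrites, but with no login for the new user the old mapping would linger.
    """
    table = {}
    for action, user, ip in events:
        if action == "login":
            table[ip] = user
        elif action == "logout" and table.get(ip) == user:
            del table[ip]
    return table
```

Each event should be sent as its own message (for example `user_id_api_url("firewall.example.invalid", "APIKEY_PLACEHOLDER", event_to_uid_message(*event))` for each event) so the firewall sees the logout before the next login.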
10-06-2014 10:16 AM
Do you see the (student) user name in the traffic logs when it hits the policy that you have created for the teacher?
If not, please verify if the ip-user-mapping changes for that IP address after teacher logs out and student logs in.
You can check the ip-user-mapping for an IP using the following command:
show user ip-user-mapping ip <ip/netmask>
10-06-2014 10:17 AM
Hi Dhibodeaux,
Actually this should not happen, because when the user logs out, it creates a security log on the AD server. The firewall reads it and removes the mapping. We should try to find out why it's not happening.
However, there are two solutions for this.
1. Reduce the timeout interval for the user-ID to IP mapping. This means older mappings will expire if there is no activity from them.
2. Or enable WMI probing: the User-ID agent queries all active users, and if they don't respond, the mapping is removed.
Regards,
Hardik Shah
10-06-2014 10:46 AM
OK, so some more info.
This is only happening on wireless users; wired works fine. We are not seeing a user/IP mapping for the wireless users; the source user is blank.
Is there some new feature in 6.0 to help with this?
10-06-2014 10:56 AM
The source user field is blank due to the username not being pushed correctly. How are you pushing the usernames from the Aruba wireless? Are you using the XML API?
10-06-2014 10:58 AM
I'm guessing I'm not...
10-06-2014 11:48 AM
You have to use the API or the new syslog feature as mentioned.
10-08-2014 08:04 AM
OK, so this customer does not have ClearPass, so I am assuming the XML API solution won't work. As far as the syslog solution, I am trying to set this up in my lab. I have an Aruba controller, a PA-200, and a 2008 server. Do I run the syslog server on the same server as the User-ID agent is on, or do these need to be separate boxes? I am running Kiwi Syslog Server on the same 2008 server as the UID agent is on... think I said that already.
The document keeps referring to a "syslog sender" and I am not sure if that is the controller, the PA, or the 2008 server.
Thanks
David
10-08-2014 09:23 AM
The syslog sender should be the Aruba controller, which should be sending login/logout events to the PA-200. On the PA-200 you should have a syslog parser profile to parse these logs and extract the user-to-IP information.
10-08-2014 11:22 AM
I did finally get this to work using the User-ID agent set up on the PA itself, but my concern is how taxing this might be to the box in a production environment. I would really like it to work using the User-ID agent on the domain controller. For some reason I cannot get the info from the DC to the PA for the wireless users. I have the Aruba pointing at the DC where the agent resides, and I have the agent set up with the sender info, but I never see the user info on the PA in the monitor logs. Any ideas?
10-10-2014 06:59 AM
OK, I got it working using the UID agent residing on the DC.
Thanks for all the info!!