I am part-way in matching up IP addresses and user names, but struggling with the second... I'll explain.
In our lab we have a PA5020, and I am running the User-ID agent on a VM close to the firewall. It successfully reads the AD credentials etc., and those users who authenticate with AD are showing correct names against their IP addresses.
The tricky part is our wireless solution... we have an HP wireless box, and do authentication against a RADIUS service running on an MS server (this is part of NPS (Network Policy and Access Services)). The logs are stored locally (the only choices I have are log locally to a text file, or to a SQL database).
The log format is one of three types:
The most useful log file type is the ODBC one, but it doesn't show the IP address for every authentication attempt (only the MAC address).
I have written a Perl script which successfully does the following items:
All seems to be fine, except when there isn't a MAC address entry, or after 1 hour the record in the PA firewall times out!!
So to solve the first we could simply ping all possible IP addresses to ensure that we have a correct MAC / IP entry (as long as the devices respond!!), but that doesn't seem very elegant.
There must be a way to modify the age timers of the firewall records?
So the User-ID functionality, which is part of the whole promise from PA that their firewalls are unique and do everything based on User / Group and Application, is a little untrue (unless you only use AD to authenticate, or use one of their prescribed workarounds (Captive Portal etc.)).
Has anyone successfully gotten a solution similar to mine working?
The main issue for me is the correct discovery of the IP address for every RADIUS Auth Accept message! And the timeout problem is likely to be easily fixed!!
Your workaround seems nice: just ping the IPs you can't see in the ARP table; even if they don't respond to the ping you should be able to know their MAC address [try it if you don't believe me]. Or if you want to add complexity, log into their default gateway via SSH in Perl [maybe it's the firewall] and look for the MAC in their ARP table; as they pretend to get internet access their DG must know their MAC address.
Also you can configure Captive Portal as a fallback option using the RADIUS servers as the authentication method.
About the timer: it could be a security flag to just leave a session for more than 1 hour; in those cases the captive portal is a good option in order to re-log every hour...
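The join the original post describes (RADIUS Access-Accept records that only carry a MAC, matched against an ARP table to get the IP the firewall needs) and the ARP-table lookup the reply suggests can be shown end to end in a few functions. The following is an added example written for this thread, not the poster's Perl script or anything from the NPS connector mentioned below; it is in Python so it runs stand-alone. The NPS log lines and the `arp -a` style output are constructed samples, the column order assumed for the ODBC format (computer, service, date, time, packet type, user, FQDN, Called-Station-Id, Calling-Station-Id) and the one-hour firewall timeout from the post are assumptions to adjust against a real export.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample NPS ODBC-format lines (not real logs). Assumed column order:
# computer, service, date, time, packet_type, user, fqdn, called_station_id,
# calling_station_id. Packet type 2 = Access-Accept, 3 = Access-Reject.
NPS_LINES = """\
"NPS01","IAS",02/10/2013,09:15:02,2,"CORP\\alice","corp.example.local","00-1A-2B-3C-4D-5E:lab-wifi","00-11-22-33-44-55"
"NPS01","IAS",02/10/2013,09:15:40,3,"CORP\\bob","corp.example.local","00-1A-2B-3C-4D-5E:lab-wifi","AA-BB-CC-DD-EE-FF"
"NPS01","IAS",02/10/2013,09:16:11,2,"CORP\\carol","corp.example.local","00-1A-2B-3C-4D-5E:lab-wifi","66-77-88-99-AA-BB"
"NPS01","IAS",02/10/2013,09:17:05,2,"CORP\\dave","corp.example.local","00-1A-2B-3C-4D-5E:lab-wifi",""
"""

# Constructed ARP table in Windows `arp -a` layout (sample, not a real capture).
ARP_TEXT = """\
Interface: 10.1.20.1 --- 0xb
  Internet Address      Physical Address      Type
  10.1.20.101           00-11-22-33-44-55     dynamic
  10.1.20.102           aa-bb-cc-dd-ee-ff     dynamic
  10.1.20.255           ff-ff-ff-ff-ff-ff     static
"""


def normalize_mac(raw):
    """Canonical MAC: 12 lowercase hex digits, or None when the field is empty/malformed."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw or "")
    return hexdigits.lower() if len(hexdigits) == 12 else None


def parse_nps_accepts(text):
    """Keep only Access-Accept rows (packet type 2); rejects and requests are ignored."""
    accepts = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 9 or row[4] != "2":
            continue
        ts = datetime.strptime(row[2] + " " + row[3], "%m/%d/%Y %H:%M:%S")
        accepts.append({"user": row[5], "mac": normalize_mac(row[8]), "time": ts})
    return accepts


ARP_ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F\-:.]{11,17})\s+(\w+)")


def parse_arp(text):
    """Map normalized MAC -> IP from arp output, skipping static (broadcast etc.) entries."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if not m or m.group(3).lower() != "dynamic":
            continue
        mac = normalize_mac(m.group(2))
        if mac:
            table[mac] = m.group(1)
    return table


def build_mappings(accepts, arp):
    """Join accepts to ARP; return ip -> {user, since} plus the (user, mac) pairs left unresolved."""
    mappings, unresolved = {}, []
    for a in accepts:
        ip = arp.get(a["mac"]) if a["mac"] else None
        if ip:
            mappings[ip] = {"user": a["user"], "since": a["time"]}
        else:
            # No Calling-Station-Id, or the MAC has not been seen in ARP yet (the
            # "ping it" case from the thread): report it rather than guess an IP.
            unresolved.append((a["user"], a["mac"]))
    return mappings, unresolved


def due_for_refresh(mappings, now, timeout=timedelta(hours=1), lead=timedelta(minutes=5)):
    """IPs whose mapping is within `lead` of the assumed firewall timeout and should be re-sent."""
    return sorted(ip for ip, m in mappings.items() if now - m["since"] >= timeout - lead)


if __name__ == "__main__":
    accepts = parse_nps_accepts(NPS_LINES)
    mappings, unresolved = build_mappings(accepts, parse_arp(ARP_TEXT))
    for ip, m in mappings.items():
        print(f"map {ip} -> {m['user']} (since {m['since']:%H:%M:%S})")
    for user, mac in unresolved:
        print(f"unresolved: {user} mac={mac or '<none>'}")
    print("refresh:", due_for_refresh(mappings, datetime(2013, 2, 10, 10, 11)))
```

Only Access-Accept rows become mappings; an accept with no Calling-Station-Id or a MAC absent from ARP is listed as unresolved so it can be retried after the next ARP refresh, and `due_for_refresh` is the hook for re-sending a mapping shortly before the firewall's timer would drop it.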
Take a look at the Microsoft NPS to PANOS UserID connector. I built this connector some months ago. All that you need is:
Hope it helps