Trouble getting User-ID from MS Radius (NPS) using script


I am part-way in matching up IP addresses and user names, but struggling with the second... I'll explain.

In our lab we have a PA5020, and I am running the User-ID agent on a VM close to the firewall. It successfully reads the AD credentials etc., and those users who authenticate with AD are showing correct names against their IP addresses.

The tricky part is our wireless solution... we have an HP wireless box, and we are doing authentication against a Radius service running on an MS server (this is part of NPS (Network Policy and Access Services)). The logs are stored locally (the only choices I have are to log locally to a text file, or to a SQL database).

The log format is one of three types:

  • DTS Compliant
  • ODBC (Legacy)
  • IAS (Legacy)

The most useful log file type is the ODBC one, but it doesn't show the IP address for every authentication attempt (only the MAC address).

I have written a Perl script which successfully does the following items:

  1. Find the latest log file to read from (as they are weekly logs, and new file per week)
  2. Open a file which states the last record sent to the XML API (as shown in step 4.1.4)
  3. Read output from "ARP -A" command line (to show MAC and IP addresses known on Radius server)
  4. Open the latest file and search through until the date/time is after the last update (in step 2):
    1. If this is an Authentication Accept message
      1. then lookup recorded MAC address against ARP (to know IP address)
      2. Read user name from line (and add domain name if not shown)
      3. Call the XML API with these details
      4. Write the date & time to a file to "bookmark" start of next search
    2. Read the next record

All seems to be fine, except when there isn't a MAC address entry, or after 1 hour when the record in the PA firewall times out!

So to solve the first, we could simply ping all possible IP addresses to ensure that we have a correct MAC / IP entry (as long as the devices respond!), but that doesn't seem very elegant.

There must be a way to modify the age timers of the firewall records?

The User-ID functionality is part of the whole promise from PA that their firewalls are unique and do everything based on User / Group and Application, which is a little untrue (unless you only use AD to authenticate, or one of their prescribed workarounds such as Captive Portal etc.).

Has anyone successfully gotten a solution similar to mine working?

The main issue for me is the correct discovery of the IP address for every Radius Auth Accept message! And the timeout problem is likely to be easily fixed!!
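The pipeline the post describes (find the latest log, read the bookmark, read `arp -a`, walk the Access-Accept records, send each mapping to the XML API, advance the bookmark), written out as an added example in Python rather than the poster's own Perl script. It is not code from the thread. It assumes the column order of the NPS database-compatible (ODBC) format as documented by Microsoft (verify the positions against your own file), and it takes the client IP from the record's Framed-IP-Address column when the NAS supplies one before falling back to the ARP table. The `timeout` attribute on the User-ID `login` entry is in minutes and controls how long the firewall keeps the mapping, which is the knob for the one-hour expiry. The domain `CORP`, the log lines, ARP output, MACs, names and IPs are constructed sample data.

```python
"""Added example (not the poster's script): NPS ODBC log -> PAN-OS User-ID."""
import csv
import re
import xml.etree.ElementTree as ET
from datetime import datetime
from io import StringIO
from pathlib import Path

# Packet-Type column holds the RADIUS code: 1 Access-Request, 2 Access-Accept,
# 3 Access-Reject, 4 Accounting-Request.
ACCESS_ACCEPT = "2"

# Column positions in the database-compatible (ODBC) layout, taken from
# Microsoft's description of that format. Assumption: check against your file.
COL_DATE, COL_TIME, COL_PACKET_TYPE, COL_USER = 2, 3, 4, 5
COL_CALLING_STATION_ID = 8    # client MAC on 802.1X wireless
COL_FRAMED_IP = 10            # filled only if the NAS/accounting supplies it
STAMP_FMT = "%m/%d/%Y %H:%M:%S"   # NPS writes date and time as two columns

# Constructed sample data: one record before the bookmark, one Access-Request,
# three Access-Accepts (ARP hit, Framed-IP present, neither) and one Reject.
SAMPLE_LOG = '''\
"NPS01","IAS",03/27/2012,10:29:59,2,"old.user","",,"00-1A-2B-3C-4D-00",,,"hp-wlan",10.0.0.2,,,,,
"NPS01","IAS",03/27/2012,10:31:40,1,"jdoe","",,"00-1A-2B-3C-4D-5E",,,"hp-wlan",10.0.0.2,,,,,
"NPS01","IAS",03/27/2012,10:31:41,2,"jdoe","",,"00-1A-2B-3C-4D-5E",,,"hp-wlan",10.0.0.2,,,,,
"NPS01","IAS",03/27/2012,10:32:05,2,"asmith@corp.example","",,"001a.2b3c.4d5f",,10.0.0.51,"hp-wlan",10.0.0.2,,,,,
"NPS01","IAS",03/27/2012,10:33:12,3,"mallory","",,"00-1A-2B-3C-4D-99",,,"hp-wlan",10.0.0.2,,,,,
"NPS01","IAS",03/27/2012,10:34:00,2,"bjones","",,"00-1a-2b-3c-4d-60",,,"hp-wlan",10.0.0.2,,,,,
'''
SAMPLE_ARP = '''\
Interface: 10.0.0.5 --- 0xb
  Internet Address      Physical Address      Type
  10.0.0.1              00-11-22-33-44-55     dynamic
  10.0.0.50             00-1a-2b-3c-4d-5e     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
'''


def normalize_mac(raw):
    """'00:1A:2B:3C:4D:5E', '001a.2b3c.4d5e' and '00-1a-2b-3c-4d-5e' all
    become '00-1a-2b-3c-4d-5e'; anything that is not 12 hex digits -> None."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw or "")
    if len(digits) != 12:
        return None
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def parse_arp_table(text):
    """Map MAC -> IP from Windows 'arp -a' output (dynamic and static rows)."""
    table = {}
    row = re.compile(r"\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
                     r"([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})(?:\s|$)")
    for line in text.splitlines():
        m = row.match(line)
        if m:
            table[normalize_mac(m.group(2))] = m.group(1)
    return table


def qualify_user(user, default_domain):
    """NPS may log 'jdoe', 'CORP\\jdoe' or 'jdoe@corp.example'; add the
    default domain only to bare names so User-ID gets a qualified name."""
    return user if ("\\" in user or "@" in user) else f"{default_domain}\\{user}"


def collect_logins(log_text, arp_text, bookmark, default_domain):
    """Return (logins, unresolved, new_bookmark) for Access-Accept records
    newer than bookmark. logins: [(user, ip)]; unresolved: [(user, mac)]
    for accepts with no IP from Framed-IP-Address or ARP (retry after a ping)."""
    arp = parse_arp_table(arp_text)
    last = datetime.strptime(bookmark, STAMP_FMT)
    logins, unresolved = [], []
    for row in csv.reader(StringIO(log_text)):
        if len(row) <= COL_FRAMED_IP:
            continue                                  # short or damaged line
        stamp = datetime.strptime(f"{row[COL_DATE]} {row[COL_TIME]}", STAMP_FMT)
        if stamp <= last or row[COL_PACKET_TYPE] != ACCESS_ACCEPT:
            continue
        user = qualify_user(row[COL_USER], default_domain)
        mac = normalize_mac(row[COL_CALLING_STATION_ID])
        ip = row[COL_FRAMED_IP].strip() or arp.get(mac)
        (logins if ip else unresolved).append((user, ip) if ip else (user, mac))
        last = max(last, stamp)
    return logins, unresolved, last.strftime(STAMP_FMT)


def build_uid_message(logins, timeout_minutes=60):
    """PAN-OS User-ID XML API 'login' payload; timeout is in minutes and sets
    how long the firewall keeps each mapping, so set it explicitly."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for user, ip in logins:
        ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout_minutes))
    return ET.tostring(root, encoding="unicode")


def uid_api_form(api_key, xml_payload):
    """Form fields to POST to https://<firewall>/api/ (nothing is sent here)."""
    return {"type": "user-id", "key": api_key, "cmd": xml_payload}


def load_bookmark(path, default="01/01/1970 00:00:00"):
    p = Path(path)
    return p.read_text().strip() if p.exists() else default


def save_bookmark(path, stamp):
    Path(path).write_text(stamp)   # step 4.1.4: start of the next search


if __name__ == "__main__":
    logins, unresolved, mark = collect_logins(SAMPLE_LOG, SAMPLE_ARP,
                                              "03/27/2012 10:30:00", "CORP")
    print(build_uid_message(logins, timeout_minutes=90))
    print("unresolved:", unresolved, "next bookmark:", mark)
```

Records newer than the bookmark that still have no IP are returned separately rather than dropped, so the caller can ping the candidate range (as the reply below suggests), re-read `arp -a` and retry them; the bookmark itself only advances past records that were actually processed.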

L2 Linker

Any luck with this? We're looking to do the very same thing with an NPS server. If you had any luck, any chance you'd be willing to share the script?


Thanks!

L3 Networker

I am having the exact same situation; no luck

L1 Bithead

Your workaround seems nice: just ping the IPs you can't see in the ARP table; even if they don't respond to the ping you should be able to learn their MAC address [try it if you don't believe me]. Or if you want to add complexity, log into their default gateway via SSH from Perl [maybe it's the firewall] and look for the MAC in its ARP table; as they intend to get internet access, their DG must know their MAC address.

Also you can configure Captive Portal as a fallback option, using the RADIUS servers as the authentication method.

How to Configure Captive Portal

How to Configure RADIUS Authentication

About the timer: it could be a security flag to just leave a session for more than 1 hour; in those cases the captive portal is a good option in order to re-log every hour...

L5 Sessionator

Take a look at the Microsoft NPS to PANOS UserID connector. I built this connector some months ago. All that you need is:

  • Enable RADIUS Accounting in the HP Wireless Infrastructure
  • Configure the NPS to log using DTS format
  • To run the connector against the given NPS log directory

Hope it helps
