This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Trouble getting User-ID from MS Radius (NPS) using script

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Trouble getting User-ID from MS Radius (NPS) using script

ady_wilson
Not applicable

‎07-26-2012 06:35 PM

I am part-way in matching up IP addresses and user names, but struggling with the second......I'll explain.

In our lab we have a PA5020, and I am running the User-ID agent on a VM close to the firewall. It successfull reads the AD credentials etc, and those users who authenticate with AD are showing correct names against their IP addresses Smiley Happy

The tricky part is our wireless solution...we have an HP wireless box, and doing authentication against a Radius service running on an MS server (this is part of NPS (Network Policy and Access Services)). The logs are stored locally (the only choices I have are log locally to text file, or to SQL database).

The log format is one of three types:

  • DTS Compliant
  • ODBC (Legacy)
  • IAS (Legacy)

The most useful log file type is the ODBC one, but doesn't show the IP address for every authentication attempt (only the MAC address).

I have written a Perl script which successfully does the following items:

  1. Find the latest log file to read from (as they are weekly logs, and new file per week)
  2. Open a file which states the last record sent to the XML API (as shown in step 4.1.4)
  3. Read output from "ARP -A" command line (to show MAC and IP addresses known on Radius server)
  4. Open the latest file and search through until the date/time is after the last update (in step 2):
    1. If this is an Authentication Accept message
      1. then lookup recorded MAC address against ARP (to know IP address)
      2. Read user name from line (and add domain name if not shown)
      3. Call the XML API with these details
      4. Write the date & time to a file to "bookmark" start of next search
    2. Read the next record

All seems to be fine, except when there isn't a MAC address entry, or after 1 hour the record in the PA firewall times out!!

So to solve the first we could simply ping all possible IP addresses to ensure that we have a correct MAC / IP entry (as long as the devices respond!!), but doesn't seem very elegant.

There must be a way to modify the age timers of the firewall records?

As the User-ID functionality is part of the whole promise from PA that their firewalls are unique and do everything based on User / Group and Application, is a little untrue (unless if you only use AD to authentciate, or any one of their prescribed workarounds (Captive Portal etc).

Has anyone successfully gotten a solution similar to mine working?

The main issue for me is the correct discovery of the IP address for every Radius Auth Accept message! And the timeout problem is likely to be easily fixed!!

4 REPLIES 4

SabreAce33
L2 Linker

‎09-10-2012 01:47 PM

Any luck with this?  We're looking to do the very same thing with an NPS server.  If you had any luck, any chance you'd be willing to share the script?


Thanks!

0 Likes Likes

MMCiobanu
L3 Networker

‎09-08-2014 12:52 PM

I am having the exact same situation; no luck

0 Likes Likes

GLastra
L1 Bithead

‎09-22-2014 05:02 PM

Your workaround seems nice just ping the IPs you can't see in the ARP table, even if they don't respond the ping you should be able to know they MAC address [try it if you don't believe me]. Or if you wanna add complexity log into their default gateway via SHH in perl [maybe it's the firewall] and look for the MAC in they ARP table, as they pretend to get internet access their DG must know their MAC address.

Also you can configure Captive portal as fallback option using the radius servers as authentication method.

How to Configure Captive Portal

How to Configure RADIUS Authentication

About the timer could be a security flag just leave a session more than 1 hour, under those cases the captive portal is a good option in order to re-log every hour...

0 Likes Likes

xhoms
L5 Sessionator

‎09-22-2014 10:48 PM

Take a look at Microsoft NPS to PANOS UserID connector. I build this connector some months ago. All that you need is:

  • Enable RADIUS Accounting in the HP Wireless Infrastructure
  • Configure the NPS to log using DTS format
  • To run the connector against the given NPS log directory

Hope it helps

0 Likes Likes
  • 5560 Views
  • 4 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks