03-25-2013 09:14 PM
Hi All,
My name is Paul Mathew and I am working as a Network Engineer at the American School of Dubai, in the UAE. Our environment is 99% MAC and IOS devices, and some of you may be aware of the Mobile Account concept in MAC. Let me explain briefly about it. A mobile account means that when we log in to a MAC machine as a network user we create the mobile account, so that the user can log in to the device even though the network is unavailable, and it acts like a local account. In our campus we have Aruba wireless infrastructure, and for students and staff the WiFi authentication is 802.1X using Windows RADIUS. Because of this setup there is no network connectivity when they log in to the machines. Since we create the mobile account they are able to log in to the machine even though the network is unavailable, and therefore there is no authentication happening in AD (Active Directory). Since there is no authentication we cannot resolve the source user on PAN, and we don't have any Exchange server as everything is on Google. Is there any chance we can get the source user details from the RADIUS server, since all the users got authenticated against RADIUS for the 802.1X? Please help us to solve this issue other than Captive Portal.
Regards.
Paul Mathew.
03-25-2013 10:24 PM
Following are the available User-ID methods:
The following Doc talks about Radius (Cisco ACS) and User-ID integration in the environments using 802.1x devices and wireless access points and controllers.
A script can be configured to run on the Syslog server that will extract the user and IP information from the message, format it correctly for the UID-API, and then send it to the API agent.
UserID API integration using Syslog
-Ameya
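As an added example (not code from this thread or from Palo Alto Networks), here is the shape of the script Ameya describes: it reads RADIUS accounting records that the RADIUS server has forwarded to a syslog box, pulls out the user and IP, builds the uid-message document that the PAN-OS User-ID XML API accepts, and can post it either to the firewall's own API endpoint or to a User-ID Agent exposing the same API. The syslog line layout, the radius1 host, the user names and the addresses are constructed sample data; the firewall host and API key passed to send_to_firewall are placeholders. The XML is built with ElementTree rather than string formatting so that a User-Name containing quotes or angle brackets cannot break out of the document and map a different IP than the one the RADIUS server reported, and records whose Framed-IP-Address is not a valid address are dropped rather than forwarded.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Constructed sample syslog lines, loosely modelled on RADIUS accounting
# records (Start / Interim-Update / Stop). The field layout is an assumption,
# not the real output of the Windows RADIUS server discussed in the thread.
SAMPLE_SYSLOG = r"""
Mar 26 21:05:11 radius1 radiusd[412]: Acct-Status-Type=Start User-Name=asd\jsmith Framed-IP-Address=10.20.30.41 Calling-Station-Id=AA-BB-CC-DD-EE-01
Mar 26 21:05:12 radius1 radiusd[412]: Acct-Status-Type=Start User-Name=asd\mlee Framed-IP-Address=10.20.30.42 Calling-Station-Id=AA-BB-CC-DD-EE-02
Mar 26 21:06:00 radius1 radiusd[412]: Acct-Status-Type=Interim-Update User-Name=asd\jsmith Framed-IP-Address=10.20.30.41
Mar 26 21:40:33 radius1 radiusd[412]: Acct-Status-Type=Stop User-Name=asd\mlee Framed-IP-Address=10.20.30.42
Mar 26 21:41:00 radius1 radiusd[412]: Acct-Status-Type=Start User-Name=asd\bogus Framed-IP-Address=not-an-ip
"""

# Only the three attributes the mapping needs; everything else in the line is ignored.
FIELD_RE = re.compile(r"(Acct-Status-Type|User-Name|Framed-IP-Address)=(\S+)")


def parse_syslog(text):
    """Return a list of (action, user, ip) tuples, action being 'login' or 'logout'.

    Start records become logins, Stop records become logouts, interim updates
    are skipped, and any record without a syntactically valid IP is dropped.
    """
    events = []
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        status = fields.get("Acct-Status-Type")
        user = fields.get("User-Name")
        ip = fields.get("Framed-IP-Address")
        if not (status and user and ip):
            continue
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address: never forward it to the firewall
        if status == "Start":
            events.append(("login", user, ip))
        elif status == "Stop":
            events.append(("logout", user, ip))
    return events


def build_uid_message(events, timeout_minutes=60):
    """Build the <uid-message> XML the PAN-OS User-ID XML API accepts.

    Logins carry a timeout (minutes) so a mapping expires even if the Stop
    record is lost; logouts remove the mapping immediately.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    login = ET.SubElement(payload, "login")
    logout = ET.SubElement(payload, "logout")
    for action, user, ip in events:
        parent = login if action == "login" else logout
        # ElementTree escapes the attribute values, so a hostile User-Name
        # cannot inject extra <entry> elements.
        entry = ET.SubElement(parent, "entry", name=user, ip=ip)
        if action == "login":
            entry.set("timeout", str(timeout_minutes))
    return ET.tostring(root, encoding="unicode")


def send_to_firewall(xml_text, host, api_key):
    """POST the document to the XML API (type=user-id, key=<API key>, cmd=<xml>).

    host and api_key are placeholders supplied by the caller; the same call
    works against a User-ID Agent that exposes the XML API.
    """
    url = "https://%s/api/" % host
    data = urlencode({"type": "user-id", "key": api_key, "cmd": xml_text}).encode()
    with urlopen(Request(url, data=data), timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Offline run: parse the constructed sample and print the XML that would be posted.
    # To actually push it: send_to_firewall(doc, "FIREWALL_HOST_PLACEHOLDER", "API_KEY_PLACEHOLDER")
    doc = build_uid_message(parse_syslog(SAMPLE_SYSLOG))
    print(doc)
```

In a real deployment the script would tail the syslog file (or receive the records from the syslog daemon) instead of reading a string, batch the events every few seconds into one uid-message, and post to each firewall or agent that needs the mapping; the parse and build steps stay the same.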
03-25-2013 11:43 PM
Thanks for the reply Ameya, will try and let you know.
03-26-2013 09:13 PM
Hi Ameya,
I tried the XML API and it worked, and now I am able to get all the names resolved on the User-ID Agent. What we did is we dump all the logs to a Linux box and from there it pushes everything to the User-ID Agent. Now the issue is that in PA we configured the User Identification through port TCP 5007, but it's not connecting to the server where the User-ID Agent is installed. Because of this it cannot resolve the source users in PA. I hope somebody can help me on this.
Regards
Paul Mathew
03-26-2013 09:54 PM
You mean no firewall, no anti-virus or something on the agent PC, and a connection problem?
What is your PAN-OS version?
Try to change 5007 on both sides and see what is going on.
03-26-2013 10:47 PM
Firewall is off on the agent server and both are using TCP port 5007. We changed the port on either end and got the same result.
03-27-2013 12:07 AM
The firewall uses Management interface to connect to the Agent Server by default.
Can you reach the Agent server from the firewall?
>ping host <IP of the Agent srvr>
Check if the Agent is listening on the port configured.
>netstat -an | findstr "5007"
-Ameya
03-27-2013 03:02 AM
We figured out the issue that we need to Palo Alto to the Access Control List to push the user names to the PA. I really appreciate your help on this. Thanks a lot.
Paul Mathew
05-14-2013 10:13 AM
Hi Paul,
What do you mean by ACL to push the username to PA? Mind explaining briefly? So you are using the XML API for user-IP mapping, right?
05-31-2013 05:50 PM
I decipher it as: "They opened up the ACL (policy) on their intermediate FW to allow uninterrupted access for the PA's IP address."
-Ameya
08-11-2014 12:53 PM
If I understand correctly, the messages will be sent to the User-ID agent running on the domain controllers? How would this work in an environment where there are about 50 User-ID agents installed, 3 collectors and 1 RADIUS server?
Will the script send the information to all User-ID agents?
I am thinking that sending from the RADIUS logs directly to the firewalls would be a better solution in this case? I don't know if this is possible. Does anybody else have a similar situation?