03-19-2024 08:11 PM
USER-ID log from VPN Cisco concentrator
Dear Live community, how is everything going?
Have you ever had to do the following?
We have to integrate a Cisco ASA with Palo Alto, so that the PA receives from a Cisco ASA and/or Cisco ISE the users, to be able to map with User-ID the users that connect by VPN. (There is no GlobalProtect.)
Details:
Cisco ASA --- Cisco ISE (AAA) users with AnyConnect - flows through PA.
They want the Palo Alto firewalls to be able to read the users: when a user connects via VPN to the Cisco ASA, the Palo Alto FW receives the information from the Cisco ASA and/or the Cisco ISE, so that User-ID can somehow get that information about those users.
Clarifications: the PA does not have and should not use GlobalProtect. The Palo Alto FW must receive the information from the Cisco ASA and/or Cisco ISE when VPN users connect, so that Palo Alto can map them and see them in the User fields of the PA logs when traffic passes through it.
Please can you guide me and/or indicate to me how to achieve this goal, at least as a base: limitations, considerations and/or a guide to achieve this.
Thanks for your time and collaboration
I remain attentive
Best regards
03-19-2024 09:42 PM
Hi @Metgatz ,
You can configure ISE to send syslog data to a NGFW which parses User-ID info. It works great. https://live.paloaltonetworks.com/t5/general-topics/cisco-ise-integration-for-userid/m-p/381362
Thanks,
Tom
03-28-2024 10:18 PM
Hi @TomYoung , thank you very much for your time and thanks for your advice.
Yes, the issue here is also in the filtering needed for the
Log-In and Log-Off.
So yes, in this case I would also need that information from the ISE.
Now that I see it, I doubt that this information is sent from the ISE. Maybe the login, or that the connection was validated from the ASA to the ISE to authenticate and validate the user, and it already indicates OK; I am not sure whether, when the Cisco AnyConnect client exits the ASA, the ASA indicates to the ISE that the user released the session and performed the log-off.
Because if not, I would only be able to apply the User Identification Timeout (default 45 min) to release the user mapping, thinking that I will only have the login or the successful validation from the ISE, but not the logoff.
User Identification Timeout (min)
Set the timeout value in minutes for user mapping entries (range is 1 to 3,600; default is 45).
What do you think? Any advice, recommendation or detail to consider?
I remain attentive
Best regards
03-29-2024 04:38 AM
Hi @Metgatz ,
What specific issue do you have? Is the NGFW showing the User-ID mappings for the ASA AnyConnect users?
Thanks,
Tom
03-29-2024 04:12 PM
Hello @Metgatz
We have implemented IP-user mapping for AnyConnect clients by parsing ASA logs. For AnyConnect session connection and disconnection, the syslog messages below are generated.
746012
Error Message %ASA-5-746012: user-identity: Add IP-User mapping IP Address - domain_name\user_name result - reason
Explanation: A new user-IP mapping has been added to the user-to-IP address mapping database. The status of the operation (success or failure) is indicated. The success reason is VPN user. The failure reasons include the following: Maximum user limit reached and Duplicated address.
746013
Error Message %ASA-5-746013: user-identity: Delete IP-User mapping IP Address - domain_name\user_name result - reason
Explanation: A change has been made to the user-to-IP address mapping database. The status of the operation (success or failure) is indicated. The success reasons include the following: Inactive timeout, NetBIOS probing failed, PIP notification, VPN user logout, Cut-through-proxy user logout, and MAC address mismatch. The failure reason is PIP notification.
In our case this works well to update the User-ID mapping in the firewalls.
Kind Regards
Pavel
03-29-2024 05:38 PM
Hi @PavelK thanks for your reply.
Excellent, yes, that's exactly what I'm looking for. I was already looking at those logs and yes, there I will have both login and logout. From the ISE I will not have the logout, versus the ASA log, which has both cases. This way sounds better.
Please, if it is not too much bother, and hoping for your help and collaboration: could you share the regex or field that you used in the syslog parse profile for both the login event and the logout, only generically, without sharing anything sensitive, and then I will adjust them to what I need? If you could share the ones you used, which are working in the environment you mention without problems, I would appreciate it very much.
Thanks for your time, advice and collaboration
I remain attentive
Best regards
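As an added illustration (not Pavel's configuration and not Palo Alto's own parse-profile syntax), the following Python sketches the field extraction a syslog parse profile would perform on the two ASA messages quoted above, and replays constructed sample lines into an IP-to-user table with the 45-minute User Identification Timeout discussed earlier. The exact layout after "IP-User mapping" is assumed from the message templates quoted in the thread.

```python
import re
from datetime import datetime, timedelta

# Assumed layout from the quoted templates: "<IP> - <domain>\<user> <result> - <reason>".
# 746012 = Add (login), 746013 = Delete (logout); result is Succeeded or Failed.
ASA_USERID_RE = re.compile(
    r"%ASA-5-(?P<msgid>746012|746013): user-identity: "
    r"(?P<action>Add|Delete) IP-User mapping (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) - "
    r"(?P<domain>[^\\ ]+)\\(?P<user>\S+) (?P<result>Succeeded|Failed) - (?P<reason>.+)$"
)

def parse_event(line):
    """Return the fields of a 746012/746013 line as a dict, or None for other messages."""
    m = ASA_USERID_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["user"] = f"{ev['domain']}\\{ev['user']}"  # domain\user as User-ID would show it
    return ev

def apply_events(lines, timeout_min=45):
    """Replay (timestamp, line) pairs into an ip -> (user, expiry) table.

    Add => map with a timeout, Delete => unmap now. Failed operations change nothing,
    since the ASA did not actually create or remove the mapping in that case.
    """
    table = {}
    for ts, line in lines:
        ev = parse_event(line)
        if not ev or ev["result"] != "Succeeded":
            continue
        if ev["action"] == "Add":
            table[ev["ip"]] = (ev["user"], ts + timedelta(minutes=timeout_min))
        else:
            table.pop(ev["ip"], None)
    return table

def lookup(table, ip, now):
    """User mapped to ip at time now, or None if unmapped or the timeout has expired."""
    entry = table.get(ip)
    return entry[0] if entry and now < entry[1] else None

# Constructed sample lines (not real logs), following the templates quoted in the thread.
T0 = datetime(2024, 3, 29, 12, 0, 0)
SAMPLE = [
    (T0, "%ASA-5-746012: user-identity: Add IP-User mapping 10.20.30.40 - EXAMPLE\\jdoe Succeeded - VPN user"),
    (T0 + timedelta(minutes=1), "%ASA-5-746012: user-identity: Add IP-User mapping 10.20.30.41 - EXAMPLE\\asmith Failed - Duplicated address"),
    (T0 + timedelta(minutes=2), "%ASA-5-746012: user-identity: Add IP-User mapping 10.20.30.42 - EXAMPLE\\mlee Succeeded - VPN user"),
    (T0 + timedelta(minutes=5), "%ASA-5-746013: user-identity: Delete IP-User mapping 10.20.30.40 - EXAMPLE\\jdoe Succeeded - VPN user logout"),
]
```

The table shows the difference between the two sources: with both messages the logout removes the mapping immediately, whereas a login-only feed would keep the stale mapping until the timeout expires.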
04-01-2024 04:28 AM
Hello @Metgatz
I am sorry for the late response. This was set up years ago and I have in the meantime moved to a different position. Please give me some time to research it.
Kind Regards
Pavel
12-01-2024 11:04 PM
Hello @Metgatz
I am sorry for the very late response.
Unfortunately, I do not have much to share. In our environment the ASAs are sending SNMP traps for user logon/logoff to the User-ID server:
logging list eventlist_user_login_logout message 746013
logging list eventlist_user_login_logout message 746012
snmp-server enable traps syslog
snmp-server host management <user-id server> community ***** version 2c
Then Kiwi Syslog (running on the User-ID agent server) picks the SNMP trap up, archives it for auditing, then forwards it to the User-ID agent's port.
Kind Regards
Pavel