
Windows Radius Server (NPS) / User ID discovery through PA Agent


L1 Bithead

I'm trying to figure out a way for the PA to discover usernames / IPs for wireless clients (could be iPhones / Android) authenticating via a Windows 2008 R2 RADIUS server. Clients are authenticating through dot1x (WPA2 Enterprise). Auth and everything works fine, but the usernames are not being discovered.

Just curious if anyone else has ever run into this and if so what if anything they have done to work around this problem?

thanks

Rich

8 REPLIES

L4 Transporter

Hello,

There is nothing ready out of the box. I made a Perl daemon script that was listening for RADIUS Accounting packets, then used the User-ID APIs to inject the IP/user mapping as a proof of concept, and it worked well, but it's really far from production grade.

That is a feature request I made to my SE.

You wouldn't be able to share what you have by chance would you?

I also have a freeradius server using ntlm_auth that can authenticate clients via PEAP/MSCHAPv2. I'm thinking of using that server and then I could add an exec script in the post-auth section which would write the data to the DC. I know enough scripting really only to be dangerous, so any tips would be helpful!

To follow up on this, I ended up upgrading our User-ID agent to one that supports the XML interface and used FreeRADIUS instead to call the Perl script (someone else created that), which feeds this data to the User-ID agent.

- install the FreeRADIUS Perl module, if applicable to you (yum install freeradius-perl.x86_64)

- use the following Perl module

#!/usr/bin/perl
# rlm_perl module for FreeRADIUS: on every accounting packet, push the
# User-Name / Framed-IP-Address pair to the User-ID agent's XML API.
use strict;
use PAN::API;
use vars qw(%RAD_REQUEST);   # filled in by rlm_perl with the request attributes
use Data::Dumper;
use constant RLM_MODULE_OK => 2;   # /* the module is OK, continue */

my $username;
my $ip;
my $useridagent;
my $useridapi;

sub accounting {
  $useridagent = '10.x.x.x';   # address of the User-ID agent (placeholder)
  $useridapi   = PAN::API::UID->new($useridagent);
  $username = $RAD_REQUEST{'User-Name'};
  $ip       = $RAD_REQUEST{'Framed-IP-Address'};
  # skip packets that carry no user or no address rather than sending an empty mapping
  return RLM_MODULE_OK unless defined $username && defined $ip;
  $useridapi->login($username, $ip);
  return RLM_MODULE_OK;
}

- upload the script to the server in /etc/raddb and chmod 755 the script

- modify the /etc/raddb/modules/perl file to use the User-ID Perl script (in this case the script is called userid.pl)

module = ${confdir}/userid.pl

- comment out the other scripts

- activate the Perl script within the accounting section of your FreeRADIUS config, e.g. sites-available/default

I did not bother to get this working through Windows NPS because I set up a Linux guest server that uses FreeRADIUS to auth through RADIUS. FreeRADIUS is configured to authenticate against a sponsored-user MySQL database (registered through a web GUI) and through SMB to the domain for domain user accounts. The nice thing about this is that no matter which way a user authenticates (sponsored guest or domain user), the username is picked up through the XML API and I can report on it.
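The two approaches above (a daemon listening for RADIUS Accounting packets, and the rlm_perl hook that forwards User-Name / Framed-IP-Address to the User-ID XML API) both reduce to the same two steps: pull the user and address out of an Accounting-Request, and emit a User-ID `<uid-message>`. The Python below is an added example, not code from this thread or from Palo Alto Networks, that does both offline against a constructed packet. It goes beyond the posted script in two ways a practitioner would want: it verifies the RFC 2866 Request Authenticator with the shared secret, so a packet that did not come from a NAS holding the secret cannot plant a mapping, and it turns an Acct-Stop into a `logout` entry instead of a `login`. The agent address, shared secret, user and IP are constructed values; the HTTP POST of the XML to the agent or firewall is left out.

```python
"""RADIUS Accounting-Request -> PAN-OS User-ID XML API message (added example)."""
import hashlib
import hmac
import ipaddress
import struct
import xml.etree.ElementTree as ET

ACCOUNTING_REQUEST = 4          # RADIUS packet code, RFC 2866
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_STATUS_TYPE = 40
ACCT_START, ACCT_STOP, ACCT_INTERIM_UPDATE = 1, 2, 3


def parse_attributes(body):
    """Walk the Type/Length/Value list after the 20-byte header; reject bad lengths."""
    attrs, offset = {}, 0
    while offset < len(body):
        if offset + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[offset], body[offset + 1]
        if alen < 2 or offset + alen > len(body):
            raise ValueError("bad attribute length")
        attrs[atype] = body[offset + 2:offset + alen]
        offset += alen
    return attrs


def request_authenticator_ok(packet, secret):
    """RFC 2866 s.3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_accounting_request(packet, secret):
    """Return {'user', 'ip', 'status'}; raise ValueError for anything not trustworthy."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"not an Accounting-Request (code {code})")
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    if not request_authenticator_ok(packet, secret):
        raise ValueError("Request Authenticator check failed; mapping not applied")
    attrs = parse_attributes(packet[20:])
    for needed in (ATTR_USER_NAME, ATTR_FRAMED_IP_ADDRESS, ATTR_ACCT_STATUS_TYPE):
        if needed not in attrs:
            raise ValueError(f"missing attribute type {needed}")
    if len(attrs[ATTR_FRAMED_IP_ADDRESS]) != 4 or len(attrs[ATTR_ACCT_STATUS_TYPE]) != 4:
        raise ValueError("Framed-IP-Address and Acct-Status-Type must be 4 bytes")
    return {
        "user": attrs[ATTR_USER_NAME].decode("utf-8"),
        "ip": str(ipaddress.IPv4Address(attrs[ATTR_FRAMED_IP_ADDRESS])),
        "status": struct.unpack("!I", attrs[ATTR_ACCT_STATUS_TYPE])[0],
    }


def build_uid_message(record, timeout_minutes=60):
    """User-ID XML API payload: login on Start/Interim-Update, logout on Stop."""
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "1.0"
    ET.SubElement(msg, "type").text = "update"
    payload = ET.SubElement(msg, "payload")
    if record["status"] == ACCT_STOP:
        section = ET.SubElement(payload, "logout")
        ET.SubElement(section, "entry", name=record["user"], ip=record["ip"])
    else:
        section = ET.SubElement(payload, "login")
        ET.SubElement(section, "entry", name=record["user"], ip=record["ip"],
                      timeout=str(timeout_minutes))
    return ET.tostring(msg, encoding="unicode")


def uid_entries(xml_text):
    """Read (section, name, ip, timeout) tuples back out of a uid-message."""
    root = ET.fromstring(xml_text)
    return [(section, e.get("name"), e.get("ip"), e.get("timeout"))
            for section in ("login", "logout")
            for e in root.iterfind(f"payload/{section}/entry")]


def build_accounting_request(secret, ident, user, ip, status):
    """Constructed packet built the way a NAS would, so the example runs offline."""
    attrs = b""
    for atype, value in ((ATTR_USER_NAME, user.encode("utf-8")),
                         (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address(ip).packed),
                         (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status))):
        attrs += bytes([atype, len(value) + 2]) + value
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs
```

Feeding a real listener is then a UDP socket on port 1813 that hands each datagram to `parse_accounting_request` with the client's shared secret and posts the resulting XML to the agent; an authenticator failure should be logged and dropped, not retried, since it means either a misconfigured secret or a spoofed packet aimed at the mapping table.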

Hi,

Do you still have the Perl script that can read RADIUS accounting packets?


Regards,

Yudi

Please note that PAN-OS 6 has new functionality, "User-ID Integration With Syslog".

Take a look at the New Features Guide 6.0 (English), page 96.

With regards

SLawek

@slv That New Features Guide for 6.0 shows you how to configure the Windows User-ID agent to accept syslogs for mapping usernames. Do you know if a Palo Alto on PAN-OS 5.x can take advantage of this syslog/user mapping if we set it up on our Windows User-ID agent?

I don't know...

But I'm sure that it will be unsupported.

Regards

Slawek

It will not be possible without a script and the User-ID API on PAN-OS 5.
