I am part-way in matching up IP addresses and user names, but struggling with the second... I'll explain.

In our lab we have a PA5020, and I am running the User-ID agent on a VM close to the firewall. It successfully reads the AD credentials etc., and those users who authenticate with AD are showing correct names against their IP addresses.

The tricky part is our wireless solution... we have an HP wireless box, and are doing authentication against a RADIUS service running on an MS server (this is part of NPS (Network Policy and Access Services)). The logs are stored locally (the only choices I have are log locally to text file, or to SQL database). The log format is one of three types:

- DTS Compliant
- ODBC (Legacy)
- IAS (Legacy)

The most useful log file type is the ODBC one, but it doesn't show the IP address for every authentication attempt (only the MAC address).

I have written a Perl script which successfully does the following items:

1. Find the latest log file to read from (as they are weekly logs, and a new file per week)
2. Open a file which states the last record sent to the XML API (as shown in step 4.1.4)
3. Read output from the "ARP -A" command line (to show MAC and IP addresses known on the RADIUS server)
4. Open the latest file and search through until the date/time is after the last update (in step 2):
   4.1 If this is an Authentication Accept message then:
       4.1.1 Look up the recorded MAC address against ARP (to know the IP address)
       4.1.2 Read the user name from the line (and add the domain name if not shown)
       4.1.3 Call the XML API with these details
       4.1.4 Write the date & time to a file to "bookmark" the start of the next search
       4.1.5 Read the next record

All seems to be fine, except when there isn't a MAC address entry, or after 1 hour the record in the PA firewall times out!! So to solve the first we could simply ping all possible IP addresses to ensure that we have a correct MAC / IP entry (as long as the devices respond!!), but that doesn't seem very elegant. There must be a way to modify the age timers of the firewall records?
The User-ID functionality, which is part of the whole promise from PA that their firewalls are unique and do everything based on User / Group and Application, is a little untrue (unless you only use AD to authenticate, or one of their prescribed workarounds (Captive Portal etc.)). Has anyone successfully gotten a solution similar to mine working? The main issue for me is the correct discovery of the IP address for every RADIUS Auth Accept message! And the timeout problem is likely to be easily fixed!!
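The steps the poster describes (bookmark, ARP table, Access-Accept scan, MAC to IP lookup, XML API call) as an added Python example, not the poster's Perl script and not Palo Alto Networks code. Assumptions, labelled in the code: the NPS ODBC (Legacy) column positions and the MM/DD/YYYY date format, a Windows-style `arp -a` layout, RADIUS packet type 2 meaning Access-Accept, and the `timeout` attribute (in minutes) on a User-ID XML API `login` entry, which is the knob for the one-hour ageing the poster runs into. All sample data is constructed. Records whose MAC is absent from the ARP table are returned separately rather than guessed, so the operator can see which logins the sweep-free approach misses.

```python
"""Added example (not the poster's script): resolve NPS Access-Accept records to
IP addresses via the local ARP table and build a User-ID XML API message."""
import csv
import io
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# ASSUMPTION: column layout of the NPS "ODBC (Legacy)" CSV and its date/time format.
COL_DATE, COL_TIME, COL_PACKET_TYPE, COL_USER, COL_CALLING_STATION = 2, 3, 4, 5, 8
DATE_FORMAT = "%m/%d/%Y %H:%M:%S"
PACKET_ACCESS_ACCEPT = "2"  # RADIUS Packet-Type code for Access-Accept

# Constructed sample data (not real logs).
SAMPLE_ARP = """Interface: 10.10.1.5 --- 0xb
  Internet Address      Physical Address      Type
  10.10.1.1             00-aa-bb-cc-dd-01     dynamic
  10.10.1.42            00-aa-bb-cc-dd-42     dynamic
"""
SAMPLE_LOG = r'''"NPS01","IAS","10/05/2012","13:00:00","2","old","","hp-wlan","00-AA-BB-CC-DD-01"
"NPS01","IAS","10/05/2012","14:23:07","2","jsmith","","hp-wlan","00-AA-BB-CC-DD-42"
"NPS01","IAS","10/05/2012","14:25:00","3","bad","","hp-wlan","00-AA-BB-CC-DD-42"
"NPS01","IAS","10/05/2012","14:30:00","2","LAB\asmith","","hp-wlan","00AABBCCDD99"
'''
BOOKMARK = datetime(2012, 10, 5, 13, 30, 0)  # last record already sent


def normalize_mac(raw):
    """Reduce '00-11-..', '00:11:..' or '001122334455' to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw or "")
    return digits.lower() if len(digits) == 12 else None


def parse_arp(arp_output):
    """Map normalized MAC -> IP from Windows 'arp -a' text (layout assumed)."""
    table = {}
    for line in arp_output.splitlines():
        m = re.match(r"\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F-]{17})\s+\w+", line)
        if m:
            table[normalize_mac(m.group(2))] = m.group(1)
    return table


def parse_accepts(log_text, since):
    """Yield (timestamp, user, mac) for Access-Accept rows newer than the bookmark."""
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) <= COL_CALLING_STATION:
            continue  # malformed or truncated row
        ts = datetime.strptime(f"{row[COL_DATE]} {row[COL_TIME]}", DATE_FORMAT)
        if ts <= since or row[COL_PACKET_TYPE] != PACKET_ACCESS_ACCEPT:
            continue
        yield ts, row[COL_USER], normalize_mac(row[COL_CALLING_STATION])


def qualify_user(user, default_domain):
    """Prefix the domain when the RADIUS User-Name carries none."""
    return user if "\\" in user else f"{default_domain}\\{user}"


def resolve_logins(log_text, arp_output, since, default_domain):
    """Return (ip -> user mappings, unresolved (user, mac) list, newest timestamp).

    The newest timestamp is what the caller writes back as the next bookmark.
    """
    arp = parse_arp(arp_output)
    mappings, unresolved, newest = {}, [], since
    for ts, user, mac in parse_accepts(log_text, since):
        newest = max(newest, ts)
        ip = arp.get(mac)
        if ip is None:
            unresolved.append((user, mac))  # no ARP entry: report, don't guess
            continue
        mappings[ip] = qualify_user(user, default_domain)
    return mappings, unresolved, newest


def build_uid_message(mappings, timeout_minutes):
    """Build a User-ID XML API 'login' update; timeout attribute is in minutes (assumed)."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for ip, user in sorted(mappings.items()):
        ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout_minutes))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    found, missing, bookmark = resolve_logins(SAMPLE_LOG, SAMPLE_ARP, BOOKMARK, "LAB")
    print(build_uid_message(found, 120))
    print("unresolved:", missing, "next bookmark:", bookmark)
```

The mapping dict is keyed by IP so a later login from the same address replaces an earlier one, and the Access-Reject row and the pre-bookmark row are skipped without touching the firewall. Posting the XML to the firewall's API endpoint and persisting the bookmark are left to the caller.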