Palo Alto Networks Knowledgebase: Use Syslog Receiver to Integrate with Cisco Wireless Controller Series

Use Syslog Receiver to Integrate with Cisco Wireless Controller Series

2140
Created On 09/26/18 21:04 PM - Last Updated 09/26/18 21:10 PM
Network Integration
Resolution

Overview

This document describes how to configure User-ID Agent to get User-IP mapping from the Cisco Wireless controller.

 

Details

Shown below is a typical example of a syslog from the wireless controller. The bolded fields is the information that will be extracted from the syslog for a successful User-IP mapping when connecting from the Cisco Wireless controller.

9    28.211036    194.36.58.245    192.168.10.248    Syslog    425    LOCAL7.DEBUG: community=Test_Syslog, enterprise=1.3.6.1.4.1.9.9.599.0.4, uptime=384972600, agent_ip=194.36.58.245, version=Ver2, cldcClientMacAddress.0=+;\273t\260\313, cLApName.0=ap-gl-01, cldcApMacAddress.0="Hex String=40 F4 EC 12 3A 40", 1.3.6.1.4.1.9.9.513.1.2.1.1.1.0=1, cldcClientIPAddress.0=10.100.254.157, 1.3.6.1.4.1.9.9.599.1.3.1.1.27.0=rhillcoat, 1.3.6.1.4.1.9.9.599.1.3.1.1.28.0=Howco_Exec

 

The screenshot below explains how to parse this information and extract the needed details. A Field Identifier is being used instead of Regex

 

 

Some versions of Cisco WLC might be sending a slightly different syslog message than the one mentioned above. If your Cisco WLC syslog format looks like the one pasted below (specifically note the highlighted string that holds the IP address of the user) then a different string needs to be configured for the “Address Prefix” value.

 

07-29-2016      11:32:34        Local7.Debug    10.2.22.31      community=PA_TEST31, enterprise=1.3.6.1.4.1.9.9.599.0.4, uptime=1163840600, agent_ip=10.2.17.39, version=Ver2, 1.3.6.1.4.1.9.9.599.1.3.1.1.1.0="Hex String=44 00 10 2D CC 2D", 1.3.6.1.4.1.9.9.513.1.1.1.1.5.0=MUM04-CSAP11, 1.3.6.1.4.1.9.9.599.1.3.1.1.8.0=P???WP, 1.3.6.1.4.1.9.9.513.1.2.1.1.1.0=0, 1.3.6.1.4.1.9.9.599.1.3.1.1.10.0=10.2.60.62, 1.3.6.1.4.1.9.9.599.1.3.1.1.27.0=corp\user.name1, 1.3.6.1.4.1.9.9.599.1.3.1.1.28.0=CMSPL-11BG

 

Use the string 1.3.6.1.4.1.9.9.599.1.3.1.1.10.0= in the “Address Prefix” field. See below screenshot for details.

 image001.png

Note that trailing spaces can cause problems in parsing the syslog message. When pasting the text into the “Syslog Parse Profile” window, make sure to delete all spaces at the end of the string.  

 

 

 

 

 

Note:  Make sure the Syslog listener is on the interface that is expected to reach the device. Cisco WLC native Syslog messages do not contain authentication information, so User-ID mappings cannot be derived from them. Cisco WLC generates SNMP Traps that do contain this information. The SNMP Trap must be converted into a Syslog message. To achieve this, please follow document: Cisco WLC - Palo Alto Networks config guide.pdf

 

owner: smalayappan



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5lCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language