Integrating Cisco ISE Guest Authentication with PAN-OS
Symptom
This document describes how to configure Cisco ISE to send user-id information to PAN-OS.
Environment
This scenario was deployed with Cisco ISE 1.4.0-253 and PAN-OS 6.1 and 7.0.
Resolution
In the scenario described here, user-id integration with Active Directory is already working, so the goal is to collect only Guest user-id information from Cisco ISE. You can change this behavior simply by removing or changing the subnets in the regular expressions.
Cisco ISE works as a RADIUS server to authenticate and authorize users on a network. We are going to forward RADIUS Authentication and Accounting logs to PAN-OS.
Configure a new remote log target on Cisco ISE; this target is the PAN-OS device:
- Choose Administration > System > Logging > Remote Logging Targets
- Click Add
- Give it a name you like. For Target Type, select UDP Syslog. For IP Address, fill in the PAN-OS Management Interface IP address.
- Click Submit
Repeat the steps above if you want to send user-id log information to other devices.
Configuring ISE to forward Passed Authentication Syslog Messages
- Choose Administration > System > Logging > Logging Categories
- Click Passed Authentications
- Select the remote log target you created before on the Available column, and click the > sign to move it to the Selected column.
- Click Save
Configuring ISE to forward RADIUS Accounting Syslog Messages
- Choose Administration > System > Logging > Logging Categories
- Click RADIUS Accounting
- Select the remote log target you created before on the Available column and click the > sign to move it to the Selected column
- Click Save
Enable User-ID Syslog Listener-UDP on PAN-OS
- Choose Device > Setup > Management Interface Settings
- Check the User-ID Syslog Listener-UDP box
- Click OK
Create a Syslog Parse Profile to match the interesting information on syslog messages
- Choose Device > User Identification > User Mapping
- Edit Palo Alto Networks User ID Agent Setup and click Syslog Filters
- Click Add
- Fill all the fields according to the information below.
Be aware of the following:
- Wireless devices: Cisco ISE sends the user-id information only on the Authentication logs
- Wired devices: Cisco ISE sends the user-id information on the Accounting logs.
In this example, we have:
- 10.10.130.0/24 = Wireless Guest
- 10.10.30.0/24 = Wireless Guest
- 10.10.140.0/24 = Wired Guest
Adjust the Syslog Parse Profile regex below according to your needs:
- Syslog Parse Profile: Cisco ISE
- Event regex: ([A-Za-z0-9].*CISE_Passed_Authentications.*((Framed-IP-Address=10\.10\.130)|(Framed-IP-Address=10\.10\.30))|([A-Za-z0-9].*CISE_RADIUS_Accounting.*(Framed-IP-Address=10\.10\.140)))
- Username Regex: (?<=UserName=|User-Name=)[\w-]+
- Address Regex: Framed-IP-Address=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})
- Click OK
The Cisco ISE 2.1 syslog parse profile should look like this:
- Event Regex: ([A-Za-z0-9].*CISE_Passed_Authentications.*Framed-IP-Address=.*)|([A-Za-z0-9].*CISE_RADIUS_Accounting.*Framed-IP-Address=.*)
- Username Regex: User-Name=([a-zA-Z0-9\@\-\\/\\\._]+)|UserName=([a-zA-Z0-9\@\-\\/\\\._]+)
- Address Regex: Framed-IP-Address=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})
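As an added illustration (not part of the original article or of PAN-OS itself), the following Python script applies the subnet-filtered event regex from the first profile and the username and address regexes from the ISE 2.1 profile to constructed ISE-style syslog lines, showing which messages yield an IP-to-user mapping and which the subnet filter drops. It assumes PAN-OS applies the three regexes in the same search-then-capture order; the sample lines are constructed, not real ISE output.

```python
import re

# Regexes copied from the syslog parse profiles described above. The event
# regex is the subnet-filtered version, so only the guest subnets pass.
EVENT_RE = re.compile(
    r"([A-Za-z0-9].*CISE_Passed_Authentications.*"
    r"((Framed-IP-Address=10\.10\.130)|(Framed-IP-Address=10\.10\.30))"
    r"|([A-Za-z0-9].*CISE_RADIUS_Accounting.*(Framed-IP-Address=10\.10\.140)))"
)
# Username regex in the ISE 2.1 capture-group form: Python's re rejects the
# variable-width lookbehind used in the first profile; the logic is the same.
USER_RE = re.compile(
    r"User-Name=([a-zA-Z0-9\@\-\\/\\\._]+)|UserName=([a-zA-Z0-9\@\-\\/\\\._]+)"
)
ADDR_RE = re.compile(
    r"Framed-IP-Address=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"
)

def parse_ise_syslog(line):
    """Return (username, ip) when the line passes the event filter and both
    fields extract; None means the line produces no IP-to-user mapping."""
    if not EVENT_RE.search(line):
        return None
    user = USER_RE.search(line)
    addr = ADDR_RE.search(line)
    if not user or not addr:
        return None
    # Whichever alternative matched holds the username in its capture group.
    return (user.group(1) or user.group(2)), addr.group(1)

def mappings_from(lines):
    """Apply the profile to each line and keep only those that yield a mapping."""
    return [m for m in map(parse_ise_syslog, lines) if m]

# Constructed sample messages shaped like ISE syslog (not real captures).
SAMPLE_LINES = [
    # Wireless guest: the user-id arrives in the passed-authentication log.
    "<181>Jun 10 12:00:01 ise01 CISE_Passed_Authentications 0000012345 1 0 NOTICE "
    "Passed-Authentication: Authentication succeeded, UserName=guest01, "
    "Framed-IP-Address=10.10.130.25, NAS-IP-Address=10.10.1.5,",
    # Wired guest: the user-id arrives in the RADIUS accounting log instead.
    "<182>Jun 10 12:00:05 ise01 CISE_RADIUS_Accounting 0000012346 1 0 NOTICE "
    "Radius-Accounting: RADIUS Accounting start request, User-Name=guest02, "
    "Framed-IP-Address=10.10.140.77, Acct-Status-Type=Start,",
    # Corporate user on a non-guest subnet: filtered out, AD mapping covers it.
    "<181>Jun 10 12:00:09 ise01 CISE_Passed_Authentications 0000012347 1 0 NOTICE "
    "Passed-Authentication: Authentication succeeded, UserName=jdoe, "
    "Framed-IP-Address=10.10.50.12, NAS-IP-Address=10.10.1.5,",
]
```

Calling `mappings_from(SAMPLE_LINES)` returns only the two guest entries; the corporate line is silently dropped, which is the intended behaviour when AD user-id already covers that subnet.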
Add ISE servers to Server Monitoring list
- Choose Device > User Identification > User Mapping
- Under Server Monitoring, click Add
- Give it a name and a description you like.
- For Type, choose Syslog Sender
- For Network Address, insert your Cisco ISE IP address
- For Connection Type, choose UDP
- For Filter, select Cisco ISE
- For Default Domain Name, insert your NetBIOS domain name or whatever matches your environment.
- Click Commit
Verify that PAN-OS is receiving user-id information from Cisco ISE by running the following CLI commands:
show user server-monitor state
show user ip-user-mapping all type SYSLOG
test user-id user-id-syslog-parse
tail follow yes mp-log useridd.log