Configuring Cisco ACS to send RADIUS Accounting directly to the firewall using Syslog

Cisco ACS Setup

1. Configure the Palo Alto Networks firewall as a remote logging target. This is done under System Administration>Configuration>Log Configuration>Remote Log Targets. Click Create.                                                           
2. Give the target a name and enter the IP address of the interface that will process the Syslog and use port 514.
3. Configure ACS to send RADIUS accounting information to the Palo Alto Networks remote log target.  This is done under System Administration>Configuration>Log Configuration>Logging Categories>Global.
4. Click on Accounting, then the Remote Syslog Target tab and move the Palo Alto Networks remote log target to the box on the right.  Click Submit.
5. Also do this in System Administration>Configuration>Log Configuration>Logging Categories>Global>RADIUS Accounting.  Click Submit.

Cisco WLC Setup

1. Ensure the WLAN is using 802.1x and is authenticating to the same ACS server that you just created the Palo Alto Networks remote log target. Do this in the WLC on the WLANs screen.  Click the WLAN ID of the WLAN you want to log users.  In this example, we are using WLAN ID 3, SSID of “joffrey”.
2. Click on the Security tab>AAA Servers.  Ensure the IP address of the ACS server is configured as the Accounting Server and that it is enabled.

Palo Alto Networks firewall

1. Check to make sure the zone has “user identification enabled.  That’s done on the Network tab > Zones.  The zone should have a check mark in the “Enabled” column.                                                                                                               
2. Create a regex mapping for Cisco ACS syslog messages. Go to the Device tab > User Identification > User Mapping.  In the Palo Alto Networks User ID Agent Setup window there is a small edit wheel in the top right corner.  Click on the edit wheel.                                                                                                             A rectangular window with tabs will appear.  Click on the far right tab, “Syslog Filter”.  At the bottom left, click on Add.  You can name the profile anything you want.  The most important part is the regex.                                                                                                      

   Here are the regex:

   Event Regex: NOTICE\ Radius-Accounting(?!(.)+User-Name=host)
    
   Username Regex: [\w\.-]+(?=, NAS-IP-Address=)
   
   Address Regex: Framed-IP-Address=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}) 

   Click ok.

    

3. Configure the management port to accept the SYSLOG for User-ID.

   Go to the Device tab > Setup.  On the right is a window for “Management Interface Settings”.  Click on the small edit wheel on that window.

   In the window that displays, you’ll need to check two boxes.  The “User-ID” and the “User-ID Syslog Listener-UDP”. 
   Click ok.
   
   
   
   

    

4. Add the ACS server as a monitored server.
   Back on the Device tab > User Identification there is a place for “Server Monitoring”.  Click on Add.  Give it any name.  Spaces are ok.  Change the type to Syslog Sender.  Put the IP address in the Network address field.  Select UDP.  Select the regex filter you created in step 2.  Go ahead and fill in the domain. 

5. Commit all changes.

Verification

CLI commands

• show user server-monitor state <Monitored server name>
  • Verify ACS is sending RADIUS accounting SYSLOG to the firewall and confirm that the firewall is properly processing SYSLOG messages.

Example: show user server-monitor state "Cisco ACS"

You’ll see the number of log message increase as the firewall receives RADIUS accounting messages.  If the firewall is successfully parsing the messages with the correctly typed in regex, then you’ll see the number of auth. success messages increase. 

• show user ip-user-mapping all type SYSLOG
  • display the username-IP mappings learned from SYSLOG