Thursday, February 4, 2016

PaloAlto User-ID from Cisco ISE Nodes

I apologize that this looks like a mess. I pasted it in from Word; remind me never to do that again. I couldn't find this info anywhere, so here it is. I'll clean it up someday.

Adding ISE as a Syslog Provider to Palo Alto for User-ID

Info to gather

  • PaloAltos
    o   IP address and interface on each firewall that will receive the syslogs
  • ISE
    o   Understand your ISE deployment (single node, distributed, etc.)
    o   IP address of each Policy Service Node from which the syslogs will originate. From here on, ISE Policy Service Nodes may be called ISE PSNs or PSNs.
  • Network/Firewall
    o   Ensure the ISE PSNs can send UDP 514 traffic from the IP addresses above to the PaloAlto IP addresses above.

In order to receive user-to-IP mappings from ISE you will need to do these basic steps.

  • Create the PaloAltos as syslog receivers (remote logging targets) within ISE.
  • Configure ISE to send only RADIUS Accounting logs to the PAs that will be the log receivers. The accounting logs carry the username (User-Name) and IP (Framed-IP-Address) of the user.
  • Create a syslog filter on the PaloAltos to extract the appropriate fields. Key field info (and yes, the “,/s” matters: it signifies a comma followed by a space. The “=” is required too):
    o   Type: Field Identifier
    o   Event String:  NOTICE Radius-Accounting: RADIUS Accounting
    o   Username Prefix:  User-Name=
    o   Username Delimiter: ,/s
    o   Address Prefix:  Framed-IP-Address=
    o   Address Delimiter: ,/s
  • Configure each Policy Service Node within ISE as a Server Monitor (type Syslog Sender) using the syslog filter just created. The IP address will be the ISE PSN IP address. Again, each PSN will need to be added, if applicable.
    o   If ISE is distributed, you do NOT need your admin nor monitor nodes added
    o   If it is a standalone, add the single ISE node as a Server Monitor
  • Ensure that the receiving interface on the PaloAltos allows User-ID Syslog Listener-UDP.
    o   Option 1 – Interface Management Profile on a dataplane interface
    o   Option 2 – Management Interface Settings (DO NOT LOCK YOURSELF OUT!)
  • Ensure the zones with users to be identified have User-ID enabled. Use the zone's User Identification ACL to limit which subnets get identified.
  • Use the Include/Exclude Networks list on Device → User Identification to include/limit as well.
  • Verify via command line/SSH:
    o   show user ip-user-mapping all | match SYSLOG
    o   show user server-monitor state all

Configure ISE

Configure PaloAlto Firewalls as a Syslog Receiver

Log in to ISE.
Under the Administration menu, select Logging.

Under Logging, Select Remote Logging Targets

Click Add. Enter the appropriate information. The IP address should be your intended receiving interface on your PaloAlto. Most logging is sent over UDP port 514. Submit when complete.

If you have redundant devices and you are logging to different IPs, create a second entry.

Set ISE to send Accounting to your targets.

Stay in the Logging Menu and Select Logging Categories

Select Radius Accounting under Category (not Accounting, which is the row highlighted by default).
Move your newly created target(s) to the Selected side and save.

Configure the PaloAlto Firewalls

These instructions are in Panorama, but will work if you follow along directly on the firewalls.

Configure the Syslog Filter to extract the User-ID information

Select Device → User Identification → User Mapping → green gear for Panorama; the plain gear will work for the firewalls directly.

Select the Syslog Filters tab, click Add

Fill out the Syslog Parse Profile. You can use any Profile Name and Description you want.

The rest should be filled in as above. PLEASE NOTE THE CHANGE IN EVENT STRING (see the update below)! Values are listed here:
  • Type: Field Identifier
  • Event String:  NOTICE Radius-Accounting: RADIUS Accounting
  • Username Prefix:  User-Name=
  • Username Delimiter: ,/s
  • Address Prefix:  Framed-IP-Address=
  • Address Delimiter: ,/s
The “,/s” looks for a comma followed by a blank space, so whatever sits between the prefix and the next “, ” is what gets extracted as the username or address. Here is a capture of a RADIUS accounting syslog from which the info was gathered.

Click OK to save the filter.
Click OK to exit the User-ID Agent Setup.

--UPDATE--
I modified the Event String. ISE sends three 300x-series RADIUS accounting messages: 3000 is the accounting start, 3002 is the watchdog (interim) update and 3001 is the stop. The start and watchdog messages both carry the user-to-IP mapping, and all three lead with "NOTICE Radius-Accounting: RADIUS Accounting". Using the more generic event string allows all of them to be parsed. My original setup matched only the start messages and missed the watchdogs, so many of my user mappings were timing out and I was losing mappings. This helped greatly. One caveat: the generic string also matches the 3001 stop messages, and a single Field Identifier parse profile cannot tell a start from a stop, so a user's mapping is refreshed once more at logoff and lingers until the User-ID timeout expires rather than being removed.
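To make the event-string change concrete, here is an added example (my own code, not part of the original post or of any Palo Alto or Cisco software) that simulates how a PAN-OS Field Identifier parse profile would treat a session's worth of ISE accounting messages. The ISE message codes and texts (3000 start request, 3001 stop request, 3002 watchdog update) are ISE's; the syslog header layout, hostnames, addresses, the user name, the 15-minute interim-update interval and the 45-minute mapping timeout are all constructed assumptions. It replays the start-only event string against the generic one and shows the mapping expiring under the first and staying alive under the second.

```python
"""Added example (not from the original post): simulate a PAN-OS 'Field Identifier'
syslog parse profile over constructed Cisco ISE RADIUS accounting messages, to show
why the event string must match the 3000/3001/3002 messages, not only the start."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SyslogParseProfile:
    """The five Field Identifier settings of a PAN-OS syslog parse profile."""
    event_string: str
    username_prefix: str
    username_delimiter: str
    address_prefix: str
    address_delimiter: str


def _delimiter_regex(delim: str) -> str:
    # Turn the GUI delimiter notation into a regex. The post writes the space
    # escape as "/s"; the backslash forms "\s" and "\t" are accepted as well.
    literal = delim.replace("/s", " ").replace("\\s", " ").replace("\\t", "\t")
    return re.escape(literal)


def _field(message: str, prefix: str, delimiter: str) -> Optional[str]:
    # The value is everything between the prefix and the next delimiter.
    m = re.search(re.escape(prefix) + r"(.*?)" + _delimiter_regex(delimiter), message)
    return m.group(1) if m else None


def parse_mapping(profile: SyslogParseProfile, message: str) -> Optional[dict]:
    """Return {'user', 'ip', 'status'} if the message matches the profile, else None.
    'status' (Acct-Status-Type) is read only for the demonstration; PAN-OS ignores it."""
    if profile.event_string not in message:
        return None  # event string absent: the firewall does not parse this line at all
    user = _field(message, profile.username_prefix, profile.username_delimiter)
    ip = _field(message, profile.address_prefix, profile.address_delimiter)
    if user is None or ip is None:
        return None
    return {"user": user, "ip": ip, "status": _field(message, "Acct-Status-Type=", ",/s")}


# Constructed ISE-style messages. The header layout approximates a CISE_RADIUS_Accounting
# syslog from a PSN; the codes and texts are ISE's (3000 start, 3001 stop, 3002 watchdog).
# Hostnames, IPs and the user are made up.
ISE_TEXT = {3000: "start request", 3001: "stop request", 3002: "watchdog update"}
ACCT_STATUS = {3000: "Start", 3001: "Stop", 3002: "Interim-Update"}


def ise_accounting_message(code: int, user: str, ip: str, psn: str = "ise-psn1") -> str:
    return (f"<181>Feb  4 10:15:01 {psn} CISE_RADIUS_Accounting 0000000123 1 0 "
            f"2016-02-04 10:15:01.100 -05:00 0000001001 {code} NOTICE Radius-Accounting: "
            f"RADIUS Accounting {ISE_TEXT[code]}, ConfigVersionId=42, "
            f"Device IP Address=10.0.0.2, User-Name={user}, NAS-IP-Address=10.0.0.2, "
            f"NAS-Port=13, Framed-IP-Address={ip}, Acct-Status-Type={ACCT_STATUS[code]}, "
            f"Calling-Station-ID=aa-bb-cc-dd-ee-ff,")


# The filter as first configured (start messages only) versus the updated generic one.
START_ONLY = SyslogParseProfile("NOTICE Radius-Accounting: RADIUS Accounting start request",
                                "User-Name=", ",/s", "Framed-IP-Address=", ",/s")
GENERIC = SyslogParseProfile("NOTICE Radius-Accounting: RADIUS Accounting",
                             "User-Name=", ",/s", "Framed-IP-Address=", ",/s")

# One session: start, interim updates every 15 minutes (assumed NAS setting), then stop.
TIMED_SESSION = [(0, ise_accounting_message(3000, "jdoe", "10.20.30.41")),
                 (900, ise_accounting_message(3002, "jdoe", "10.20.30.41")),
                 (1800, ise_accounting_message(3002, "jdoe", "10.20.30.41")),
                 (2700, ise_accounting_message(3002, "jdoe", "10.20.30.41")),
                 (3600, ise_accounting_message(3001, "jdoe", "10.20.30.41"))]


def matched_statuses(profile: SyslogParseProfile, messages) -> list:
    """Acct-Status-Type of every message the profile would turn into a mapping."""
    return [m["status"] for m in (parse_mapping(profile, x) for x in messages) if m]


def mappings_alive_at(profile, timed_messages, timeout: int, at: int) -> dict:
    """Replay (seconds, message) pairs through a User-ID-like table: each parsed mapping
    is re-stamped with the message time and expires `timeout` seconds after the last hit."""
    last_seen = {}
    for t, msg in timed_messages:
        if t > at:
            break
        m = parse_mapping(profile, msg)
        if m:
            last_seen[m["ip"]] = (m["user"], t)
    return {ip: user for ip, (user, t) in last_seen.items() if t + timeout > at}


if __name__ == "__main__":
    msgs = [m for _, m in TIMED_SESSION]
    for name, prof in (("start-only", START_ONLY), ("generic", GENERIC)):
        print(name, "parses:", matched_statuses(prof, msgs))
        # 45-minute User-ID timeout (assumed), checked 50 minutes into the session
        print(name, "mapping at t=3000s:", mappings_alive_at(prof, TIMED_SESSION, 2700, 3000))
```

With the start-only string the table holds the mapping only until 45 minutes after the start message, so it is gone by the time the third watchdog has arrived; with the generic string every watchdog re-stamps it. Replaying past the stop message also shows the caveat from the update: the stop is parsed as one more mapping, so the entry survives past logoff until the timeout runs out.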

Configure the Server Monitoring Information with the new Syslog Filter

We will need to add every Policy Service Node that does authentication for the WLAN. You do NOT add your administration nor monitoring nodes, only the Policy Service Nodes (PSNs). If it is an all-in-one system, add the single ISE node. The syslogs are sent from the PSNs only.
Stay in Device → User Identification → User Mapping and select Add under Server Monitoring

Fill out the User Identification Monitored Server dialog for EACH ISE PSN.

Make sure to select the type as Syslog Sender. The Network Address will be the ISE PSN IP address. The filter will be the newly created filter from the previous steps. The Default Domain Name will be your organization’s domain name.
At this point, you can follow all the standard rules for using a syslog server as a User-ID source.
Remaining general steps:

  1. Fill out included/excluded networks on the Device → User Identification tab.
  2. Ensure the interface the PSNs are sending User-ID syslogs to has User-ID Syslog enabled.
    Step 2 -- Option 1 --- Logging to a network (dataplane) interface
      1. Create an Interface Management Profile under Network → Network Profiles → Interface Mgmt
      2. Ensure User-ID Syslog Listener-UDP is enabled. Ensure the IP addresses of your PSNs are listed on the Permitted IP Addresses tab, so that only they can reach the listener.
      3. On Network → Interfaces, select the interface with the IP address the syslog senders are sending to, and enable the management profile under the Advanced tab

Step 2 -- Option 2 – Sending syslogs to your PA’s management interface
WARNING: BE CAREFUL NOT TO LOCK YOURSELF OUT! CHANGING SETTINGS HERE CAN LOCK YOU OUT OF MANAGEMENT ACCESS TO YOUR PALOALTOS!!! I’M NOT RESPONSIBLE IF YOU LOCK YOURSELF OUT.
If you manage over HTTPS and SSH, make sure those boxes stay selected.
If you use SNMP, leave it selected.
If you do not have any Permitted IP Addresses configured, DO NOT add anything. All source addresses are currently permitted, and adding the first entry turns the list into an allowlist that admits only what is on it. You might want to change that sometime, but that's a different topic.
a)      Select Device → Setup → Management → Management Interface Settings
b)      Ensure User-ID Syslog Listener-UDP is selected.
c)      Add the Permitted IP addresses of your ISE PSNs (WARNING: only if you already have management interface IP restrictions! Be careful not to lock yourself out. If you do not have restrictions, all traffic is permitted, so DO NOT add anything!!! Please make sure your management workstation/network is already on the list before adding these entries.)

3)      Enable User-ID on the appropriate zones.
Network → Zones

Click on the appropriate zones, check Enable User Identification, and add the user networks to the zone's User Identification ACL (Include List) so that only those subnets get mapped.

Comments:

  1. Hi,
    I'm using ISE version 2.4 and PAN version 8.0. I do as your guide but not working :(
    Can you help me take a look?