Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Palo Alto Networks integration and passing the domain name without clearpass

  • 1.  Palo Alto Networks integration and passing the domain name without clearpass

    Posted Aug 04, 2014 02:54 PM

    I've got an 802.1x network set up authenticating users against an Active Directory-based RADIUS server. Our users are connecting fine. The problem is when they only provide their username without the domain. Just their username is passed over to the Palo Alto firewall, which then doesn't know that they are a domain user. This causes them to get a default restricted policy, since it doesn't know Username is really DOMAIN\Username.

     

    Is there any way to require users to enter the domain/UPN, or to force the controller to always pass the domain with the user as DOMAIN\username? Right now I'm having to manually have the users disconnect and reconnect their phones/tablets and reauthenticate with DOMAIN\Username.

     



  • 2.  RE: Palo Alto Networks integration and passing the domain name without clearpass

    EMPLOYEE
    Posted Aug 04, 2014 02:56 PM
    Are you using the controller integration with Palo or something else?


  • 3.  RE: Palo Alto Networks integration and passing the domain name without clearpass
    Best Answer

    Posted Aug 04, 2014 03:29 PM

    CGTECH, 

     

    Depending on which version of PANOS you are running there is an option to create Syslog filters with User-ID to parse out the user information and match on that for the policy you want the user to be assigned. 

     

    The version of PANOS I have worked with that this was available is 6.0. 

     

    If you check out the 6.0 Admin guide on pages 303 & 318 to 323 there is information on how to configure User-ID to receive user mappings from a syslog sender. If you go to page 320 there is a note on addressing what you want the default domain prefix to be. 

     

    I ran into this same problem on the Instant product line. We integrated with a Palo Alto firewall and via the XML API it was supposed to relay user to IP mapping information so we could leverage role based access to apply policies. This worked fine with Windows domain clients because their user information came across with the domain prefix domain\username. However, if it was a domain user on a non-domain device like a Chromebook or an iPad that domain prefix was missing and the user fell through the policies list and got a default policy because they did not match on the User-ID group we had set up. 

     

    You should have an easier time accomplishing this, since I assume you are working with Aruba controllers. The controller is a single syslog entity, whereas the IAPs are all separate, and it was a challenge to get them all added to the firewall. 

     

    Here is an example of a regex identifier and a field identifier. We used the field identifier in our instance. 

     

    Syslog must be set to “Notice” for this information to be sent for collection.

    Sample line from the syslog:

    User authenticated, mac-40:0e:85:20:d6:dd, username-testmonkey, IP-172.16.1.101, method-4, role-IAP-PAN

     

    regex identifier information:

    Event Regex: User authenticated

    username regex: username-([a-zA-Z0-9\._-]+)

    address regex: IP-([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})

     

    field identifier

    event string: User authenticated

    username prefix: username-

    delimiter: ,\s

    address prefix: IP-

    delimiter: ,\s

     

    Here is an example of the server monitor we set up for the syslog filter; note at the bottom where we tell the monitor what the default domain prefix should be. 

     

    PANOS-servermonitor.jpg
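    As an added example (not from this post, nor from Aruba or Palo Alto Networks), here is a small Python model of the two parsing methods described above, run over the sample syslog line quoted in the post. It implements both the regex identifier and the field identifier with the exact patterns given, and then applies a default domain prefix the way the server monitor's default-domain setting does, so a bare username becomes DOMAIN\username while an already-prefixed one is left alone. The domain name DOMAIN is a placeholder assumption.

```python
import re

# Constructed sample line, modelled on the syslog line quoted in the post
SAMPLE_LINE = ("User authenticated, mac-40:0e:85:20:d6:dd, username-testmonkey, "
               "IP-172.16.1.101, method-4, role-IAP-PAN")

# Regex identifier settings, as given in the post
EVENT_REGEX = re.compile(r"User authenticated")
USERNAME_REGEX = re.compile(r"username-([a-zA-Z0-9\._-]+)")
ADDRESS_REGEX = re.compile(r"IP-([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})")

# Field identifier settings, as given in the post
EVENT_STRING = "User authenticated"
USERNAME_PREFIX = "username-"
ADDRESS_PREFIX = "IP-"
DELIMITER = re.compile(r",\s")

# Placeholder default domain prefix (assumption, not a value from the thread)
DEFAULT_DOMAIN = "DOMAIN"


def parse_regex(line):
    """Regex identifier: return (username, ip) or None if the line is not a login event."""
    if not EVENT_REGEX.search(line):
        return None
    user = USERNAME_REGEX.search(line)
    addr = ADDRESS_REGEX.search(line)
    if not (user and addr):
        return None
    return user.group(1), addr.group(1)


def parse_field(line):
    """Field identifier: split on the delimiter and locate values by their prefixes."""
    if EVENT_STRING not in line:
        return None
    username = ip = None
    for field in DELIMITER.split(line):
        if field.startswith(USERNAME_PREFIX):
            username = field[len(USERNAME_PREFIX):]
        elif field.startswith(ADDRESS_PREFIX):
            ip = field[len(ADDRESS_PREFIX):]
    if username is None or ip is None:
        return None
    return username, ip


def apply_default_domain(username, default_domain=DEFAULT_DOMAIN):
    """Prepend the default domain unless the name already carries a domain (NetBIOS or UPN form)."""
    if "\\" in username or "@" in username:
        return username
    return f"{default_domain}\\{username}"


def map_users(lines, parser=parse_regex):
    """Build an ip -> DOMAIN\\user mapping from a sequence of syslog lines; non-login lines are skipped."""
    mapping = {}
    for line in lines:
        parsed = parser(line)
        if parsed:
            user, ip = parsed
            mapping[ip] = apply_default_domain(user)
    return mapping


if __name__ == "__main__":
    print(map_users([SAMPLE_LINE]))            # {'172.16.1.101': 'DOMAIN\\testmonkey'}
    print(map_users([SAMPLE_LINE], parse_field))
```

    Note that the username regex above does not admit a backslash, so a client that does send DOMAIN\user would have only the part after the backslash captured by the regex identifier; the default-domain prefix is what makes the result consistent either way.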

     

     



  • 4.  RE: Palo Alto Networks integration and passing the domain name without clearpass

    Posted Aug 04, 2014 05:37 PM

    Michael,

    That describes my setup almost exactly. I'm controller based using the XML API integration and not the syslog as you described. I'm going to switch over to the syslog parsing and give that a shot tonight.

     

    Thanks for the regex also that should save me a bit of time.

     

    -Patrick



  • 5.  RE: Palo Alto Networks integration and passing the domain name without clearpass

    Posted Aug 04, 2014 06:45 PM

    Patrick,

     

    I wanted to quickly ask if you have CPPM deployed in your environment?

     

    If yes, then you can review my TWO TechNotes for CPPM+PANW integration. Beyond the great info above from Michael, we offer a lot of additional endpoint reference attributes in our XMPAPI/HIP integration that you may want to leverage.

     

    You can find the docs here on the support site: http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961

     



  • 6.  RE: Palo Alto Networks integration and passing the domain name without clearpass

    Posted Nov 07, 2016 09:33 AM

    Hi Danny

     

    Hope you're well?

     

    Is there an updated version of the CPPM and PANW integration? I'm on PANOS 7.0.11 and CPPM 6.6

     

    Thanks

     

    Jamie



  • 7.  RE: Palo Alto Networks integration and passing the domain name without clearpass

    Posted Nov 07, 2016 07:23 PM

    Hi Jamie,

     

    I've nothing new to add since the current V5 document. Have you got something in mind that is missing?



  • 8.  RE: Palo Alto Networks integration and passing the domain name without clearpass

    EMPLOYEE
    Posted Aug 04, 2014 07:03 PM
    What version of code are you running? AOS 6.4 has native Palo integration that does exactly what you're trying to do.


  • 9.  RE: Palo Alto Networks integration and passing the domain name without clearpass

    Posted Aug 04, 2014 08:01 PM

    Tim, 

     

    My integration was with InstantOS, and while the XMP API integration worked, it was only successful for domain-joined Windows machines. The domain-joined Windows machines present a prefix with the domain notated in their user information field, while non-domain-joined devices do not. 

     

    Without the domain prefix the Palo Alto cannot define who belongs to what group and therefore cannot assign correct policies.

     

    I went around and around with Aruba and Palo Alto TAC to get to a solution that could work. 

     

    The solution I provided above allows for the default domain prefix to be prepended to the username regardless of whether it was a domain joined device or not. 



  • 10.  RE: Palo Alto Networks integration and passing the domain name without clearpass

    EMPLOYEE
    Posted Aug 04, 2014 08:04 PM

    I was leaning towards the point that you wouldn't need to use the Palo/AD integration if you use either the Controller/Palo or ClearPass/Palo integration.



  • 11.  RE: Palo Alto Networks integration and passing the domain name without clearpass

    Posted Aug 05, 2014 10:25 AM

    I'm running 6.4.0.3 which has the Palo XML_API integration.

     

    The problem with that is it only passes the username that the end user gives it. In my case all my domain computers were passing the username DOMAIN\username properly. It was the iPads/phones etc. where the users were just putting in the username only. Aruba would pass just the username to Palo, causing it not to match the username with their domain account.

     

    Using the SYSLOG parsing method I'm able to tell the Palo box that any user authenticated from the aruba syslog is from our DOMAIN and the Palo box now is identifying everyone correctly as domain users.



  • 12.  RE: Palo Alto Networks integration and passing the domain name without clearpass

    Posted Aug 05, 2014 10:32 AM

    Michael's solution works great.

     

    If you're using the controller-based setup, the syslog event string is in a slightly different format. Here are my settings:

     

    PaloSyslog.jpg

     

    Also, if you're trying to troubleshoot the syslog on the Palo CLI, "show user server-monitor state all" will show you if it's parsing correctly.

     

    palodebug.jpg

     

     



  • 13.  RE: Palo Alto Networks integration and passing the domain name without clearpass

    Posted Aug 25, 2015 05:26 AM

    Dear All,

     

    Any news about the issue in the subject?

    Do the Mobility Controller or Instant VC still not add and pass "domain\" to the PAN firewall when it is missing?

     

    Without the "PAN syslog User-ID parser", the only workaround I found is to type "domain\username" in the client authentication username field.

     

    ClearPass handles this specific behavior; I think this is a shortcoming of the controller and Instant PAN native integration.

     

    I think the issue should be solved on Aruba's side... what do you think?

    Has everybody opened a TAC request for that issue?

    If yes, what was the reply?

     

    thanks to all,

    Andrea

     



  • 14.  RE: Palo Alto Networks integration and passing the domain name without clearpass

    Posted Aug 02, 2017 11:45 AM

    Dear Andrea,

     

    Did you get some reply or find an answer?

    I'm trying to make it work; it's the first time that I try this integration, and I want to know if I have to switch to syslog or not.

     

    Thanks.



  • 15.  RE: Palo Alto Networks integration and passing the domain name without clearpass

    Posted Aug 02, 2017 03:11 PM

    Hi Dekro,

     

    no reply or answer.

     

    I suggest you implement syslog parsing instead of the Aruba MC PAN integration.

     

    The latest PANOS version (8.0) improves User-ID syslog parsing management, with a syslog logout event, so the User-ID mapping is more accurate:

    https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/user-id-features/user-id-syslog-monitoring-enhancements

     

    For even more accuracy, I also suggest enabling periodic authentication for 802.1x sessions.

     

    aaa authentication dot1x "default"

      timer reauth-period 1800

      reauthentication

     

    ciao

    Andrea



  • 16.  RE: Palo Alto Networks integration and passing the domain name without clearpass

    Posted Jul 05, 2018 02:27 PM

    For the CPPM-PA-Firewall integration folks, I think I have a solution:

     

    In CPPM, on the Administration >> Dictionaries >> Context Server Actions page, locate and copy the Palo Alto Networks Firewall "Send Login Info" action and edit the copy.

    I renamed mine "UserID-Lab_Send Login Info" and edited the XML content to insert our domain and a backslash in front of the user variable:

    insert-domain.png

    Then adjust the profile you're using to send userID to use your new action.



  • 17.  RE: Palo Alto Networks integration and passing the domain name without clearpass

    Posted Dec 18, 2018 07:19 AM

    did that.  didn't work... 

    still user without domain. Did it work for you?

     

    tip: you can also add the timeout value

     

    <uid-message><version>1.0</version><type>update</type><payload><login><entry name="fvlprod\%{user}" ip="%{ip}" timeout="720"/></login></payload></uid-message>

     

    in the POST variables you can also specify the vsys:

    /api/?type=user-id&vsys=vsys20&action=set&key={key}



  • 18.  RE: Palo Alto Networks integration and passing the domain name without clearpass

    EMPLOYEE
    Posted Jan 25, 2019 02:55 AM

    Did people get this working? I tried it and yes I can get the domain to work using the above XML config, however, after a period of time (like 45 or 60 min or something) my Palo reverts back to no domain again.... 

     

    Just curious, before I start dumps on the Palo to find out what packet is updating the user-IP correlation again (it says XML still). 



  • 19.  RE: Palo Alto Networks integration and passing the domain name without clearpass

    Posted Aug 21, 2019 04:53 PM

    I'm having the exact same issue right now.  I set the PA endpoint context server to "Prefix NetBIOS Domain" and it works, for a bit.

     

    2019-08-21 11:18:33,397 INFO root ipcndevice Sending user object=<uid-message><version>1.0</version><type>update</type><payload><login><entry ip="10.101.0.193" name="domain\crazy"><hip-report><md5-sum>49962175f50053da0f00c77c8c16cfeb</md5-sum><user-name>domain\crazy</user-name><host-name></host-name><ip-address>10.101.0.193</ip-address><generate-time>2019-08-21 11:18:01</generate-time><categories><entry name="host-info"><host-name></host-name><os>Apple iPad</os><os-vendor>Apple</os-vendor></entry></categories></hip-report></entry><entry ip="10.101.4.122" name="domain\techdir"><hip-report><md5-sum>84331f943003c50555536bfc5cdc7fed</md5-sum><user-name>domain\techdir</user-name><host-name></host-name><ip-address>10.101.4.122</ip-address><generate-time>2019-08-21 11:18:32</generate-time><categories><entryname="host-info"><host-name></host-name><os>Apple iPhone</os><os-vendor>Apple</os-vendor></entry></categories></hip-report></entry><entry ip="10.101.0.185" name="domain\user2"><hip-report>

     

    Then a little later.....

     

    2019-08-21 11:19:59,128 DEBUG root ipcndevice Refreshing PAN user data for 10.254.254.6
    2019-08-21 11:19:59,128 DEBUG root ipcndevice Sending userid object for padevice=10.254.254.6
    2019-08-21 11:19:59,129 INFO root ipcndevice Sending user object=<uid-message><version>1.0</version><type>update</type><payload><login><entry name="crazy" ip="10.101.0.193"/><entry name="techdir" ip="10.101.4.122"/><entry name="user3" ip="10.101.5.6"/>

     

    We've come to the conclusion that the accounting report logged by ipcndevice isn't following the setting to use the NetBIOS domain in the endpoint context server setting.

     

    I opened a TAC case and found that when the PA does the accounting updates it re-sends the users and session info without the domain.
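    The following Python is an added example, not code from the thread, from ClearPass or from Palo Alto Networks. It serves two of the posts above: it builds a User-ID login update in the uid-message format quoted in post 17 (domain prefix plus the timeout attribute), and it scans ipcndevice log lines of the kind shown in post 19 to flag any IP whose later update arrives without the domain prefix, which is the symptom the accounting refresh produced. The domain name "domain", the timeout value, the IPs and the log lines are all constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

DEFAULT_DOMAIN = "domain"   # placeholder NetBIOS domain (assumption)


def build_login_message(entries, domain=DEFAULT_DOMAIN, timeout=720):
    """Build a uid-message login update; bare usernames get domain\\ prepended, prefixed ones are kept."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for user, ip in entries:
        name = user if "\\" in user else f"{domain}\\{user}"
        ET.SubElement(login, "entry", name=name, ip=ip, timeout=str(timeout))
    return ET.tostring(root, encoding="unicode")


def login_entries(xml_text):
    """Return {ip: name} for every <entry> that carries an ip attribute (HIP category entries have none)."""
    root = ET.fromstring(xml_text)
    return {e.get("ip"): e.get("name")
            for e in root.iter("entry") if e.get("ip") and e.get("name")}


# Matches the "Sending user object=" lines written by ipcndevice, capturing the XML payload
LOG_RE = re.compile(r"^(\S+ \S+) (\w+) root ipcndevice Sending user object=(<uid-message>.*)$")


def find_domain_drops(log_lines):
    """Return (ip, earlier_name, later_name) for each IP first sent with a domain prefix and later without."""
    last_seen = {}
    drops = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for ip, name in login_entries(m.group(3)).items():
            prev = last_seen.get(ip)
            if prev and "\\" in prev and "\\" not in name:
                drops.append((ip, prev, name))
            last_seen[ip] = name
    return drops


# Constructed log lines modelled on post 19: a prefixed update, then a refresh without the prefix
SAMPLE_LOG = [
    "2019-08-21 11:18:33,397 INFO root ipcndevice Sending user object="
    + build_login_message([("crazy", "10.101.0.193"), ("techdir", "10.101.4.122")]),
    "2019-08-21 11:19:59,128 DEBUG root ipcndevice Refreshing PAN user data for 10.254.254.6",
    "2019-08-21 11:19:59,129 INFO root ipcndevice Sending user object="
    "<uid-message><version>1.0</version><type>update</type><payload><login>"
    '<entry name="crazy" ip="10.101.0.193"/><entry name="techdir" ip="10.101.4.122"/>'
    '<entry name="user3" ip="10.101.5.6"/></login></payload></uid-message>',
]


if __name__ == "__main__":
    print(build_login_message([("user", "10.0.0.1")], domain="fvlprod"))
    for ip, before, after in find_domain_drops(SAMPLE_LOG):
        print(f"{ip}: {before!r} -> {after!r}")
```

    Running find_domain_drops over the real ClearPass log is a quick way to confirm the behaviour described in the TAC case: an entry that flips from domain\user to user between two updates for the same IP is exactly what overwrites the mapping on the firewall.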