
AOS-CX: Send User-IP Mapping to Palo Alto without ClearPass

  • 1.  AOS-CX: Send User-IP Mapping to Palo Alto without ClearPass

    Posted Feb 20, 2024 03:25 AM

    Hi everyone,

    We have an environment with AOS-CX switches and AOS Access Points where we enforce 802.1X authentication against a RADIUS server, without ClearPass.

    Now, we want to send User-IP Mappings to the Palo Alto Firewall on the same network. With the Access Points, it has been pretty simple as there is a direct integration with the Palo Alto XML API that can be configured from Aruba Central (https://www.arubanetworks.com/techdocs/centralonprem/2.5.5/content/access-points/cfg/services/pan_firewall.htm)

    However, with AOS-CX, it is not that simple. I saw that you can configure the Palo Alto Firewall as Syslog listener to perform User-IP Mappings (https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-id-to-monitor-syslog-senders-for-user-mapping/configure-the-pan-os-integrated-user-id-agent-as-a-syslog-listener). This requires that the login information must be sent as a single log containing both the user name and the IP address. Unfortunately, after inspecting the logs produced by the switch, I can only see logs relating the MAC address with the IP Address (with the IP tracking feature enabled), and other logs relating the MAC address with the username, but none of them relate the IP to the user name directly. Some examples of the logs I found:

    2024-02-14:19:07:35.698925|port-accessd|LOG_INFO|AMM|-|PORTACCESS|PORTACCESS_ACCOUNTING|logID=664446 Acctreq IP [172.16.169.3], MAC [a8:4a:63:30:56:ca], Port [1/1/5] Update

    2024-02-14:19:07:35.455137|port-accessd|LOG_NOTICE|AMM|-|PORTACCESS|PORTACCESS_SERVICES|logID=664445 Client '1/1/5 a8:4a:63:30:56:ca' identity 'johndoe' onboarded via dot1x successfully.

    I know that with ClearPass it is easier as there is a direct integration with Palo Alto, but it is something we can not afford right now.

    Does someone know if there is a way to achieve it without ClearPass?

    Thanks everyone.
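The two switch log lines quoted above never carry user and IP together, but they share the client MAC address, so a small relay between the switch's syslog output and the firewall can join them and emit the single line that the Palo Alto syslog listener needs. The following is an added example and not code from the thread or from HPE Aruba or Palo Alto Networks; it uses the two log lines from the post as sample input plus one constructed line (marked) in which the same client later receives a different address, and the output line format (`aoscx-userid: login user=... ip=...`) is an assumed layout, not a vendor format.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Sample input: the two event-log lines quoted in the post above, plus one
# constructed line (marked) in which the same client later gets another address.
SAMPLE_LOGS = [
    "2024-02-14:19:07:35.698925|port-accessd|LOG_INFO|AMM|-|PORTACCESS|PORTACCESS_ACCOUNTING|"
    "logID=664446 Acctreq IP [172.16.169.3], MAC [a8:4a:63:30:56:ca], Port [1/1/5] Update",
    "2024-02-14:19:07:35.455137|port-accessd|LOG_NOTICE|AMM|-|PORTACCESS|PORTACCESS_SERVICES|"
    "logID=664445 Client '1/1/5 a8:4a:63:30:56:ca' identity 'johndoe' onboarded via dot1x successfully.",
    # constructed: a later address change for the same client
    "2024-02-14:21:40:02.000001|port-accessd|LOG_INFO|AMM|-|PORTACCESS|PORTACCESS_ACCOUNTING|"
    "logID=664500 Acctreq IP [172.16.169.9], MAC [a8:4a:63:30:56:ca], Port [1/1/5] Update",
]

MAC = r"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}"
# user <-> MAC: the 802.1X onboarding event
ONBOARD_RE = re.compile(
    r"PORTACCESS_SERVICES\|.*Client '(?P<port>\S+) (?P<mac>" + MAC + r")' "
    r"identity '(?P<user>[^']+)' onboarded via (?P<method>\S+) successfully")
# IP <-> MAC: the IP-tracking accounting event
ACCT_RE = re.compile(
    r"PORTACCESS_ACCOUNTING\|.*Acctreq IP \[(?P<ip>[^\]]+)\], MAC \[(?P<mac>" + MAC + r")\], "
    r"Port \[(?P<port>[^\]]+)\]")


@dataclass
class ClientState:
    mac: str
    port: str = ""
    user: str = ""
    ip: str = ""


def parse_timestamp(line: str) -> Optional[datetime]:
    """The first '|'-separated field is the switch timestamp; None if it is not one."""
    try:
        return datetime.strptime(line.split("|", 1)[0], "%Y-%m-%d:%H:%M:%S.%f")
    except ValueError:
        return None


def build_mappings(lines: List[str]) -> List[dict]:
    """Join identity (user<->MAC) and tracking (IP<->MAC) events on the MAC address.

    A mapping record is emitted the first time a MAC has both a user and an IP,
    and again whenever either of them changes. Events are processed in timestamp
    order, so the join does not depend on which event the switch logs first.
    """
    events = []
    for line in lines:
        ts = parse_timestamp(line)
        if ts is None:
            continue
        m = ONBOARD_RE.search(line) or ACCT_RE.search(line)
        if m:
            events.append((ts, m))
    events.sort(key=lambda e: e[0])

    clients: Dict[str, ClientState] = {}
    last_sent: Dict[str, tuple] = {}
    mappings = []
    for ts, m in events:
        mac = m["mac"].lower()
        c = clients.setdefault(mac, ClientState(mac))
        c.port = m["port"]
        if m.re is ONBOARD_RE:
            c.user = m["user"]
        else:
            c.ip = m["ip"]
        if c.user and c.ip and last_sent.get(mac) != (c.user, c.ip):
            last_sent[mac] = (c.user, c.ip)
            mappings.append({"time": ts, "user": c.user, "ip": c.ip, "mac": mac, "port": c.port})
    return mappings


def format_mapping(rec: dict) -> str:
    """One line carrying both user and IP, with fixed field prefixes that a
    syslog parse profile (regex or field-identifier based) can pick out.
    The line layout is this example's own assumption."""
    return (f"{rec['time'].isoformat()} aoscx-userid: login user={rec['user']} "
            f"ip={rec['ip']} mac={rec['mac']} port={rec['port']}")


if __name__ == "__main__":
    for rec in build_mappings(SAMPLE_LOGS):
        print(format_mapping(rec))
```

Two points to check before relying on such a relay: a mapping is only as fresh as the last IP-tracking event, so a client that changes address without a new accounting update keeps its old mapping until the next event arrives, and the join must run on a host that receives the switch logs before they reach the firewall (the relay, not the switch, becomes the syslog sender the firewall monitors).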



  • 2.  RE: AOS-CX: Send User-IP Mapping to Palo Alto without ClearPass

    Posted Feb 22, 2024 05:41 PM

    I have not done this with AOS-CX, but in general I have taken the Accounting logs from my RADIUS server and forwarded them to a Palo Alto firewall.  A syslog listener on the Palo Alto firewall parses the user and IP from these logs.

    The Accounting RADIUS packets contain User-Name and Framed-IP-Address attributes.




  • 3.  RE: AOS-CX: Send User-IP Mapping to Palo Alto without ClearPass

    Posted Feb 26, 2024 04:43 AM

    Hi @chalowther , thanks for your reply. We are using the OneLogin RADIUS server, and in the logs I only see the Public IP address of the site, so I lose the traceability of the IP-User mapping. That's why I am trying to find a solution from the local switch.




  • 4.  RE: AOS-CX: Send User-IP Mapping to Palo Alto without ClearPass

    Posted Feb 26, 2024 05:15 AM

    Hi again. So I noticed that I had not enabled the accounting port-access logs. Now I have enabled them, but I do not see the Framed-IP-Address field populated in the START logs, only in the STOP ones:

    6100# show accounting log port-access all
    --------------------------------------------------------------------------------------------------------------------------------------------
    Local accounting logs of network users from previous boot
    --------------------------------------------------------------------------------------------------------------------------------------------
    
    --------------------------------------------------------------------------------------------------------------------------------------------
    Local accounting logs of network users from current boot
    --------------------------------------------------------------------------------------------------------------------------------------------
    
    -----
    type=USER_ACCT msg=audit(Feb 26 2024  11:00:33.798:61834) : msg='rec=ACCT_NETWORK session=PORT-ACCESS timezone=Europe/Paris user=NETWORK_USER auth-method=PORT-ACCESS auth-type=RADIUS service=shell isconfig=no "System-accounting-START-for-session-port-access User-Name = johndoe, Calling-Station-Id = 00:e0:4c:78:03:e6, NAS-Port-Id = 1/1/5, NAS-Port = 5, Acct-Session-Id = 1708941633807,  "  hostname=6100 res=success' 
    -----
    type=USER_ACCT msg=audit(Feb 26 2024  11:00:45.768:61835) : msg='rec=ACCT_NETWORK session=PORT-ACCESS timezone=Europe/Paris user=NETWORK_USER auth-method=PORT-ACCESS auth-type=RADIUS service=shell isconfig=no "System-accounting-STOP-for-session-port-access User-Name = johndoe, Framed-IP-Address = 172.16.169.2, Framed-IPv6-Address = fe80::481:3171:c87c:7bab, Calling-Station-Id = 00:e0:4c:78:03:e6, NAS-Port-Id = 1/1/5, NAS-Port = 5, Acct-Session-Id = 1708941633807, Acct-Session-Time = 12 Acct-Input-Octets = 0, Acct-Output-Octets = 0, Acct-Input-Packets = 0, Acct-Output-Packets = 0, Acct-Input-Gigawords = 0, Acct-Output-Gigawords = 0 Acct-Terminate-Cause = Admin Reset  "  hostname=6100 res=success' 




    Is there any way to include the Framed-IP-Address field in the START logs? Thank you!
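The START and STOP records above are the switch's local accounting log, and the attribute list in them is not uniformly delimited (note `Acct-Session-Time = 12 Acct-Input-Octets = 0`, with no comma, and `Acct-Terminate-Cause = Admin Reset`, whose value contains a space). This added example, which is not code from the thread or from HPE Aruba, parses those two records as shown in the post, extracts the RADIUS accounting attributes, and reports which records can yield a user-to-IP mapping and which lack Framed-IP-Address. The `SAMPLE_RECORDS` are the poster's records copied verbatim; the function names are this example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sample input: the START and STOP records shown in the post above, verbatim.
SAMPLE_RECORDS = [
    "type=USER_ACCT msg=audit(Feb 26 2024  11:00:33.798:61834) : msg='rec=ACCT_NETWORK session=PORT-ACCESS "
    "timezone=Europe/Paris user=NETWORK_USER auth-method=PORT-ACCESS auth-type=RADIUS service=shell isconfig=no "
    "\"System-accounting-START-for-session-port-access User-Name = johndoe, Calling-Station-Id = 00:e0:4c:78:03:e6, "
    "NAS-Port-Id = 1/1/5, NAS-Port = 5, Acct-Session-Id = 1708941633807,  \"  hostname=6100 res=success'",
    "type=USER_ACCT msg=audit(Feb 26 2024  11:00:45.768:61835) : msg='rec=ACCT_NETWORK session=PORT-ACCESS "
    "timezone=Europe/Paris user=NETWORK_USER auth-method=PORT-ACCESS auth-type=RADIUS service=shell isconfig=no "
    "\"System-accounting-STOP-for-session-port-access User-Name = johndoe, Framed-IP-Address = 172.16.169.2, "
    "Framed-IPv6-Address = fe80::481:3171:c87c:7bab, Calling-Station-Id = 00:e0:4c:78:03:e6, NAS-Port-Id = 1/1/5, "
    "NAS-Port = 5, Acct-Session-Id = 1708941633807, Acct-Session-Time = 12 Acct-Input-Octets = 0, "
    "Acct-Output-Octets = 0, Acct-Input-Packets = 0, Acct-Output-Packets = 0, Acct-Input-Gigawords = 0, "
    "Acct-Output-Gigawords = 0 Acct-Terminate-Cause = Admin Reset  \"  hostname=6100 res=success'",
]

# Outer record: audit stamp, START/STOP, the quoted attribute list, and the hostname.
RECORD_RE = re.compile(
    r'audit\((?P<audit>[^)]*)\).*"System-accounting-(?P<kind>START|STOP)-for-session-port-access '
    r'(?P<attrs>[^"]*)"\s+hostname=(?P<host>\S+)')
# "Name = value" pairs. The separator is usually ", " but is sometimes only a
# space in the switch output, and values may contain spaces, so the value runs
# until the next "Name = " token or the end of the list.
ATTR_RE = re.compile(r"(?P<name>[A-Za-z0-9-]+) = (?P<value>.+?)(?=\s*,?\s*[A-Za-z0-9-]+ = |\s*,?\s*$)")


def parse_accounting_record(line: str) -> Optional[dict]:
    """Return kind/audit/host and an attribute dict, or None for non-accounting lines."""
    m = RECORD_RE.search(line)
    if not m:
        return None
    attrs: Dict[str, str] = {a["name"]: a["value"].strip() for a in ATTR_RE.finditer(m["attrs"])}
    return {"kind": m["kind"], "audit": m["audit"], "host": m["host"], "attrs": attrs}


def mappings_from_records(lines: List[str]) -> Tuple[List[dict], List[Tuple[str, str]]]:
    """Build user->IP mappings from records that carry Framed-IP-Address.

    Returns (mappings, missing): 'missing' lists (kind, Acct-Session-Id) for
    records that name a user but no IPv4 address, which is exactly the START
    record in the post.
    """
    mappings, missing = [], []
    for line in lines:
        rec = parse_accounting_record(line)
        if rec is None:
            continue
        a = rec["attrs"]
        session = a.get("Acct-Session-Id", "?")
        if "Framed-IP-Address" not in a:
            missing.append((rec["kind"], session))
            continue
        mappings.append({
            "kind": rec["kind"],                      # START = login, STOP = logout
            "user": a.get("User-Name", ""),
            "ip": a["Framed-IP-Address"],
            "mac": a.get("Calling-Station-Id", ""),
            "port": a.get("NAS-Port-Id", ""),
            "session": session,
            "host": rec["host"],
        })
    return mappings, missing


if __name__ == "__main__":
    found, lacking = mappings_from_records(SAMPLE_RECORDS)
    for rec in found:
        print(f"{rec['kind']:5} user={rec['user']} ip={rec['ip']} mac={rec['mac']} port={rec['port']}")
    for kind, session in lacking:
        print(f"{kind:5} session {session}: no Framed-IP-Address")
```

The practical consequence is the one the post is circling: for a User-ID listener a START is a login and a STOP is a logout, so as long as only the STOP record carries Framed-IP-Address, the firewall could learn who just left a session but not who currently holds an address. The parser treats the attribute as optional and reports the session that lacks it rather than silently producing an empty mapping.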




  • 5.  RE: AOS-CX: Send User-IP Mapping to Palo Alto without ClearPass

    Posted Feb 26, 2024 07:55 AM

    Hi again.

    I enabled DAI and DHCP Snooping and I can see the Framed-IP-Address in the START logs. Now, is there a way to send these accounting logs to a syslog server instead of (or in addition to) the remote RADIUS server?

    Thank you!




  • 6.  RE: AOS-CX: Send User-IP Mapping to Palo Alto without ClearPass

    Posted Feb 26, 2024 06:18 PM

    That will depend on the RADIUS server and your environment.

    My experience with this is using Aruba wireless equipment and FreeRADIUS.  I was able to forward Accounting logs from FreeRADIUS to a Palo Alto firewall using syslog settings on the FreeRADIUS server.




  • 7.  RE: AOS-CX: Send User-IP Mapping to Palo Alto without ClearPass

    Posted Feb 27, 2024 04:18 AM

    Hey @chalowther, thanks again for your feedback.

    With the OneLogin RADIUS server, I do not have the option to forward the RADIUS accounting logs to a syslog server. That's why I want to make the switch send these logs to the syslog server directly.

    I can see the logs that I need with the command show accounting log port-access all, but I do not see these logs with show logging. And my syslog server is only receiving the logs that are shown with the show logging command. So, is there a way to include the port-access accounting logs inside the logging group?

    Thanks again