Palo Alto User-ID and Cisco Wireless LAN controller (WLC) configuration (with SNMP traps)

Index

  1. Introduction
    1. Schema
  2. Install CentOS 7
  3. Configure Cisco Wireless LAN Controller
  4. Configure SNMP
  5. Configure Syslog
  6. Configure User-ID
  7. Debugging and useful commands

1. Introduction

Catching the User Identification (User-ID) information (username and IP address) from a Cisco Wireless LAN Controller is a little more complicated than for other devices, because the WLC cannot send authentication logins through syslog. So if you are in the situation where the Cisco WLC can't send the user authentication in syslog format, but only as SNMP traps, you can follow this guide. On the other side, Palo Alto User-ID does not support SNMP traps as an identification source, only a few predefined protocols, plus syslog (or the XML API) for all other unsupported systems.

This blog post introduces a way to set up a Cisco WLC to send SNMP traps to a CentOS 7 system running rsyslog, and to resend those SNMP messages as syslog to the Palo Alto User-ID interface. This server is only used to pass through (or "convert") the information and does not store the requests, so you will notice that the configuration is really basic and invoked only for this specific purpose.

The source information for this blog post was found in a Palo Alto document explaining the same setup, but using paid software (Kiwi Syslog). The CentOS configuration is really easy, so if you only need this functionality it's not mandatory to spend money on additional software. For the future, I sincerely hope that Palo Alto adds an SNMP trap module directly to User-ID.
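As an added example (not part of the original post, nor of Palo Alto's Kiwi-based document), here is the conversion step the relay server performs, written in Python: it parses the text that snmptrapd hands to a traphandle script (agent hostname, transport line, then one OID/value pair per line), pulls out the username and client IP, and forwards them as one fixed-format syslog line that a User-ID syslog parser can match. The EXAMPLE-WLC-MIB varbind names, the wlc-relay tag and the message format are assumptions, and the trap content is constructed.

```python
import re
import socket
from datetime import datetime

# Constructed sample of what snmptrapd hands a traphandle script on stdin:
# line 1 is the agent hostname, line 2 the transport address, then one
# "OID value" pair per line. The EXAMPLE-WLC-MIB names are placeholders.
SAMPLE_TRAP = """wlc01.example.net
UDP: [192.0.2.10]:161->[192.0.2.50]:162
SNMPv2-MIB::sysUpTime.0 12:03:44.19
SNMPv2-MIB::snmpTrapOID.0 EXAMPLE-WLC-MIB::clientAssociated
EXAMPLE-WLC-MIB::clientUserName.0 "alice"
EXAMPLE-WLC-MIB::clientIpAddress.0 10.10.20.30
"""

def parse_traphandle(text):
    """Return (agent, {oid: value}) from snmptrapd traphandle input."""
    lines = text.strip().splitlines()
    if len(lines) < 2:
        raise ValueError("need at least the agent and transport lines")
    varbinds = {}
    for line in lines[2:]:
        oid, _, value = line.partition(" ")
        varbinds[oid] = value.strip().strip('"')
    return lines[0].strip(), varbinds

def extract_user_ip(varbinds):
    """Pick username and client IP out of the varbinds; None if this is not a login trap."""
    user = next((v for k, v in varbinds.items() if "UserName" in k), None)
    ip = next((v for k, v in varbinds.items() if "IpAddress" in k), "")
    if not user or not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", ip):
        return None
    return user, ip

def build_syslog_line(agent, user, ip, when=None):
    """One syslog line in a fixed shape that the User-ID syslog parser can match."""
    ts = (when or datetime.now()).strftime("%b %d %H:%M:%S")
    return f"<14>{ts} {agent} wlc-relay: client associated user={user} ip={ip}"  # PRI 14 = user.info

def relay(text, fw_host, fw_port=514):
    """Parse one trap and forward it as UDP syslog; returns the line sent, or None if dropped."""
    agent, varbinds = parse_traphandle(text)
    found = extract_user_ip(varbinds)
    if found is None:
        return None  # not an association trap: nothing for User-ID
    line = build_syslog_line(agent, *found)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode(), (fw_host, fw_port))
    return line
```

Wired up as the snmptrapd traphandle, a small wrapper reads the trap text from stdin and passes it to relay() with the firewall address; the same line can equally be handed to the local rsyslog and forwarded from there.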

UPDATE 2016.12

⚠️ This setup was based on Palo Alto information that said (for a long time) that the information was not available through syslog, but a user of the Palo Alto community has now found that, with a CLI configuration on the WLC, you can add the needed information to the syslog messages!

The Wireless LAN Controller can send the authentication information by syslog using these steps:

  • Connect to your Cisco Wireless LAN Controller through SSH
  • Enter configuration mode:
config
  • Enable client association in syslog messages:
logging syslog facility client associate enable

ℹ️ So you can avoid the CentOS 7 server and configure the User Identification module directly on the Palo Alto firewall. Note that this is not covered by this guide, but will come in a future update.

A. Schema

[Figure: paloalto-userid schema]
