Palo Alto User-ID and Cisco Wireless LAN controller (WLC) configuration (with SNMP traps)

4. Configure SNMP

  • Start by installing the binaries needed to receive SNMP traps from the Cisco Wireless LAN Controller (net-snmp-utils provides the command-line tools, such as snmptrap, that are useful for debugging):
yum install net-snmp net-snmp-utils
  • Edit the configuration of the SNMP trap daemon and allow all incoming traps: the directive below makes snmptrapd accept traps from any sender regardless of the community string, so the firewall rule added later is the only thing deciding who may send traps (you can restrict this further with an authCommunity directive if you want, but in our case I don’t think that’s really useful):
vi /etc/snmp/snmptrapd.conf
  • And add this at the end of the file:
disableAuthorization yes
  • Save and exit vi
  • Allow the firewall to receive SNMP traps from your Cisco Wireless LAN Controller:
firewall-cmd --zone=public --add-port=162/udp --permanent
firewall-cmd --reload

⚠️ Please note that we are using the default zone “public”; this design can be enhanced (for example by limiting UDP/162 to the WLC’s address), but that is not part of this post.

  • Check that the UDP port was added correctly and permanently to the configuration:
firewall-cmd --zone=public --list-all
  • Start the snmptrapd service and enable it at boot time:
systemctl start snmptrapd
systemctl enable snmptrapd
  • If your setup is ready and working, the Cisco Wireless LAN Controller will fill your log with a lot of authentication messages. You can verify that messages are arriving by watching the file /var/log/messages:
tail -f /var/log/messages

⚠️ If no messages appear in this log, double-check your settings before continuing with the next steps.
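Once the trap daemon is logging, the last check above can be made concrete: the added script below (not part of the original post) parses the snmptrapd entries in /var/log/messages, counts traps per sender and flags any sender other than the WLC, which matters because disableAuthorization yes leaves the firewall rule as the only control over who may send traps. The WLC address 192.0.2.10, the receiver address 192.0.2.1 and the sample log lines are constructed assumptions.

```python
import re
import sys
from collections import Counter

# snmptrapd's default log line carries the transport as "[UDP: [src]:port->[dst]:port]";
# rsyslog escapes the newline/tab before the varbinds as #012/#011 in /var/log/messages.
TRAP_RE = re.compile(r"snmptrapd\[\d+\]:.*?\[UDP: \[(?P<src>[0-9a-fA-F.:]+)\]:\d+->\[[0-9a-fA-F.:]+\]:162\]")
OID_RE = re.compile(r"snmpTrapOID\.0 = OID: (?P<oid>[^\s#]+)")

def parse_trap(line):
    """Return (source_ip, trap_oid) for an snmptrapd log line, or None for other lines."""
    m = TRAP_RE.search(line)
    if not m:
        return None
    o = OID_RE.search(line)
    return m.group("src"), (o.group("oid") if o else "unknown")

def summarize(lines, allowed_sources):
    """Count traps per sender and return the set of senders not in the allowlist.
    With disableAuthorization yes, snmptrapd logs traps from any host that reaches
    UDP/162, so the sender address is where an unexpected talker shows up."""
    per_source = Counter()
    unexpected = set()
    for line in lines:
        parsed = parse_trap(line)
        if parsed is None:
            continue
        src, _oid = parsed
        per_source[src] += 1
        if src not in allowed_sources:
            unexpected.add(src)
    return per_source, unexpected

# Constructed sample lines, not real captures: 192.0.2.10 stands in for the WLC,
# 192.0.2.1 for the trap receiver, 203.0.113.7 for a host that should not be sending.
SAMPLE = [
    "Jan 10 10:00:01 uid snmptrapd[1201]: 2020-01-10 10:00:01 <UNKNOWN> [UDP: [192.0.2.10]:32768->[192.0.2.1]:162]:#012#011DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1234) 0:00:12.34#011SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.8072.2.3.0.1",
    "Jan 10 10:00:02 uid systemd[1]: Started Simple Network Management Protocol (SNMP) Trap Daemon.",
    "Jan 10 10:00:05 uid snmptrapd[1201]: 2020-01-10 10:00:05 <UNKNOWN> [UDP: [192.0.2.10]:32768->[192.0.2.1]:162]:#012#011SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.8072.2.3.0.1#011SNMPv2-SMI::enterprises.8072.2.3.2.1 = INTEGER: 123456",
    "Jan 10 10:00:09 uid snmptrapd[1201]: 2020-01-10 10:00:09 <UNKNOWN> [UDP: [203.0.113.7]:5555->[192.0.2.1]:162]:#012#011SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.8072.2.3.0.1",
]

if __name__ == "__main__":  # python3 trapcheck.py /var/log/messages <wlc-ip ...>
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    counts, bad = summarize(lines, set(sys.argv[2:]) or {"192.0.2.10"})
    print("traps per sender:", dict(counts))
    print("unexpected senders:", sorted(bad) or "none")
```

Run against the real log with the WLC address as the second argument; a non-empty list of unexpected senders means the firewall rule is letting in more than the controller.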

2 Replies to “Palo Alto User-ID and Cisco Wireless LAN controller (WLC) configuration (with SNMP traps)”

  1. Thanks for this great article. Did you already have time to create your new article avoiding the CentOS server?

    • Didn’t plan a new article ;-). On the WLC you only need to enable the logging syslog facility client associate option, and on the Palo Alto side you need to create a new Syslog receiver for User-ID.
