Palo Alto User-ID with macOS computers

When deploying the Palo Alto User-ID feature, integrating macOS computers can be a challenge. User-ID offers many ways to learn the user / IP address mapping, but with macOS computers we sometimes have to be creative. During our tests, I looked for the most reliable approaches that work across a large variety of macOS versions. The notes below show what we found, but they are not a “true” reference set in stone: they indicate possible paths to follow during a deployment and give some ideas. macOS computers are often not joined to the domain and not necessarily managed by a centralized management tool… I hope these few notes and references will help you:

Bind to Active Directory domain

The most common solution for Windows administrators is to bind all macOS computers to the Active Directory domain with the standard tools offered by Apple. The main problem with this solution is that if your computers aren’t already bound when you decide to deploy User-ID, you need to migrate all local user accounts to Active Directory accounts. Depending on how your company deploys computers, this is not really conceivable and can be a further challenge. In our case this choice was too complicated because our macOS computers were not bound to the Active Directory domain.

Pros

  • Standard method supported by Apple
  • No cost

Cons

  • Can be difficult and slow to implement

NoMAD

When binding the computer to Active Directory is too complicated, you can try a solution like NoMAD. NoMAD is software that provides some Active Directory features, such as a way to “sign in” to the domain without affecting the local user account. This domain logon is recorded in the security log of the domain controllers, where Palo Alto User-ID detects it, and it is easy to deploy. NoMAD can be managed by standard management tools through plist editing. It was our choice, because our macOS computers aren’t bound to Active Directory and the possibility of getting premium support is a real advantage.

Pros

  • Easy to deploy and can be done very quickly
  • Support plans can be purchased

Cons

  • One more piece of software to manage

Custom script

Using the syslog capability of User-ID, you can create a local script, deployed to all macOS computers, whose job is to send the username / IP mapping to a syslog server. The syslog server then passes the information to the Palo Alto firewalls. This setup is a little more complicated because you need a server dedicated to this task and some scripting specific to your company’s needs. It is very similar to a previous post that explains how to use User-ID with a Cisco Wireless Controller; in this scenario, replace the WLC with the local script deployed on your macOS computers (note that this post is deprecated).
The script itself is not enough: you need to set up your server to receive messages by syslog/SNMP/API and resend this information through syslog. In the script below we’re using SNMP, because this server was already set up to collect user IDs from other equipment using this protocol and resend these messages to Palo Alto User-ID with syslog.

Pros

  • No limit, customize it as you wish

Cons

  • One more server to manage
  • Complicated to deploy

Script example (not working as-is, just an example)

#!/bin/bash
# Relay server that receives the mapping and forwards it to User-ID.
# Placeholder hostname: replace it with your own relay.
SYSLOG_SERVER="paloalto-userid.server.tld"
SYSLOG_PORT=514

# Logged-in user; the grep keeps only names matching your naming policy
# (replace the placeholder with the pattern used in your directory).
CURRENT_USER=$(/usr/bin/whoami | /usr/bin/grep -E "REGEX EXPRESSION TO CATCH YOUR USER")
# IPv4 addresses of all interfaces, loopback excluded
IP_ADDRESSES=$(/sbin/ifconfig | /usr/bin/grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | /usr/bin/grep -Eo '([0-9]*\.){3}[0-9]*' | /usr/bin/grep -v '^127\.0\.0\.1$')
# Reachability check for the relay server
if /sbin/ping -c 3 "$SYSLOG_SERVER" > /dev/null 2>&1; then
  SERVER_AVAILABILITY="UP"
else
  SERVER_AVAILABILITY="DOWN"
fi

if [[ -z "$CURRENT_USER" ]]; then
  exit 0
elif [[ -z "$IP_ADDRESSES" ]]; then
  exit 0
elif [[ "$SERVER_AVAILABILITY" == "DOWN" ]]; then
  /usr/bin/logger "Palo Alto User-ID: No access to syslog server."
  exit 1
fi

# One UDP syslog message per address; the trailing '#' marks the end of the record for the relay parser
for i in $IP_ADDRESSES; do
  /usr/bin/nc -w0 -u "$SYSLOG_SERVER" "$SYSLOG_PORT" <<< "User: $CURRENT_USER IP $i#"
  /usr/bin/logger "Palo Alto User-ID: $CURRENT_USER $i"
done

exit 0
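The relay server that receives these messages should validate them before forwarding anything to User-ID, since plain UDP syslog from a client carries no authentication. As an added example (not code from the original post), a Python check that assumes the exact message shape emitted by the script above and that the relay knows the UDP source address of each message:

```python
import ipaddress
import re
from typing import Optional, Tuple

# Message shape emitted by the client script: "User: <name> IP <addr>#"
MSG_RE = re.compile(r"^User: (?P<user>\S+) IP (?P<ip>[0-9.]+)#$")
# Username policy (assumption: sAMAccountName-like names, 1 to 20 characters)
USER_RE = re.compile(r"^[A-Za-z0-9._-]{1,20}$")


def parse_mapping(line: str, sender: str) -> Optional[Tuple[str, str]]:
    """Return (user, ip) for a well-formed, plausible message, else None.

    sender is the UDP source address the relay saw. The relay refuses a mapping
    whose claimed IP is not the address that sent it, is loopback, link-local,
    multicast or unspecified, or whose username violates the naming policy.
    """
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    user, ip_text = m.group("user"), m.group("ip")
    if not USER_RE.match(user):
        return None
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return None
    if str(ip) != sender:
        return None
    return user, str(ip)


# Constructed sample traffic as (UDP source address, payload) pairs
SAMPLES = [
    ("10.20.30.40", "User: jdoe IP 10.20.30.40#"),
    ("10.20.30.40", "User: jdoe IP 10.20.30.41#"),  # claims another host's address
    ("10.20.30.42", "User: j.doe@corp IP 10.20.30.42#"),  # username outside the policy
    ("10.20.30.43", "User: bob IP 127.0.0.1#"),  # loopback is never a client address
    ("10.20.30.44", "User: carol IP 10.20.30.44"),  # missing '#' terminator
]


def accepted_mappings(samples=SAMPLES):
    """Mappings the relay would forward to User-ID; only the first sample passes."""
    return [r for r in (parse_mapping(p, s) for s, p in samples) if r]
```

The sender check deliberately drops the claim for any interface other than the one the packet left on; relax it to a per-site prefix allow-list if multi-homed clients need all their addresses mapped.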

Captive portal

The last possibility, if no other solution is conceivable, is the captive portal. This is the option Palo Alto Networks recommends for macOS and Linux computers. In my opinion it is not a user-friendly choice; users don’t like this kind of thing and it can generate more support requests for the helpdesk. But it is a working solution supported by Palo Alto Networks, so you need to consider it as a possibility.

Pros

  • Official Palo Alto Networks solution
  • No cost

Cons

  • It’s a captive portal and it’s not really user-friendly.
