We have been working for several months now to integrate Cisco ISE into the middle of our networks and to replace the different methods we used to catch the IP address/username matches for Palo Alto User ID. Gathering every authentication and accounting record in Cisco ISE has a lot of advantages, but some fine tuning needs to be done on every device to maximize the Palo Alto User ID data quality.
We’re using a full set of Cisco products, like Cisco switches, Cisco Wireless LAN Controller (WLC) and Cisco Adaptive Security Appliance (ASA), and every product was communicating directly with Palo Alto User ID before we installed Cisco ISE in the middle.
Palo Alto User ID Caching effect
The first problem with Palo Alto User ID is to keep the most accurate username/IP address information even if the user disconnects from the network and the DHCP address is leased to a new user. To do that, we need to refresh the username/IP address information faster than Palo Alto User ID purges its user cache. The user cache keeps a trace of each username/IP address match for a fixed period and, if the information has not been updated in that time, deletes the match from the database.
So it’s really important to continually refresh the database with accurate information. The best solution, and the easiest to set up, is the accounting interim update on every device using Cisco ISE as its RADIUS server. So the first step is to define, for your network, a global policy of what counts as “accurate” information and how often you need to refresh it. For our needs, we defined that the User ID cache can be purged every 90 minutes and that a device should send an interim update to Cisco ISE every 60 minutes. This takes into account the DHCP servers, how the IP addresses are distributed and for how long they are leased.
When Cisco ISE gets an accounting record or an interim update, it sends this information through syslog to the Palo Alto interface configured for User ID. This blog post will help you set up a basic configuration, giving you a general idea of the setup; it doesn’t try to explain everything in detail.
Cisco ISE and Palo Alto User ID configuration example
Configure Palo Alto User ID
This example was configured with Cisco ISE 2.4, was also working with Cisco ISE 2.3, has not been tested with other versions, and is based on Palo Alto Networks documentation.
- The first step is to set up a syslog filter that will catch the username/IP address information from the Cisco ISE syslog messages.
- Go to Device -> User Identification -> Settings -> Syslog Filters
- Click the “Add” button
- Syslog Parse Profile: Add a name to identify the syslog filter, as example “Cisco ISE”
- Description: Add a description if needed
- Type: Regex Identifier
- Event Regex: ([A-Za-z0-9].*CISE_Passed_Authentications.*Framed-IP-Address=.*)|([A-Za-z0-9].*CISE_RADIUS_Accounting.*Framed-IP-Address=.*)
- Username Regex: User-Name=([a-zA-Z0-9\@\-\/\.]+)|UserName=([a-zA-Z0-9\@\-\/\.]+)
- Address Regex: Framed-IP-Address=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})
- Validate with OK and close the setup window
- In the Server Monitoring section, click “Add”
- Name: Add a name for the ISE server
- Description: Add a description if needed
- Enable: Checked
- Type: Syslog Sender
- Network Address: Enter the IP address of an ISE server
- Connection Type: UDP
- Filter: Select the syslog filter created previously
- Default Domain Name: default domain name of your users
- Validate with OK and repeat for every Cisco ISE server
- Now you need to configure the Palo Alto network interface to which the syslog data will be sent. This is a little more complicated because it depends on your network topology. The best option is to configure the interface nearest to Cisco ISE, i.e. the Palo Alto interface used to route to Cisco ISE. Another solution is to use the management interface of the Palo Alto but, in my opinion, it’s less clean.
- First, create a management profile allowing User ID:
- Network -> Network Profiles -> Interface Mgmt
- Edit or add a new interface profile that allows User-ID and User-ID Syslog Listener-UDP
- Depending on your setup/topology, add this profile to the interface that you will use as the User ID entry point
- Network -> Interface > Choose an interface -> Advanced -> Management Profile
- Add your profile allowing User ID
- For the management interface, you need to do that in this menu and don’t need to create a management profile:
- Device -> Setup -> Interfaces -> Management
- Check User-ID and User-ID Syslog Listener-UDP
- Remember to add a Security Rule that allows the traffic from Cisco ISE to the IP of the interface selected for User ID. Allowing only the syslog application works fine in our setup.
- At this point, you’ve set up everything on the Palo Alto side to start receiving information from the Cisco ISE servers.
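As an added example (not part of the original post, nor Palo Alto or Cisco code), here is the syslog parse profile above applied in Python to constructed ISE-style syslog lines. It uses the regexes with the .* wildcards and escaped class characters as the Palo Alto documentation gives them, and keeps a single-dot variant of the event regex to show why that form never produces a mapping.

```python
import re

# The three parse-profile regexes from the post, in the form the Palo Alto
# documentation gives them: ".*" wildcards in the event regex, and "-" and "."
# escaped inside the username character class so the class is a valid range.
EVENT_RE = re.compile(
    r"([A-Za-z0-9].*CISE_Passed_Authentications.*Framed-IP-Address=.*)"
    r"|([A-Za-z0-9].*CISE_RADIUS_Accounting.*Framed-IP-Address=.*)"
)
# Same event regex with a lone "." where ".*" belongs: kept to show it never fires.
SINGLE_DOT_EVENT_RE = re.compile(
    r"([A-Za-z0-9].CISE_Passed_Authentications.Framed-IP-Address=.)"
    r"|([A-Za-z0-9].CISE_RADIUS_Accounting.Framed-IP-Address=.)"
)
USER_RE = re.compile(r"User-Name=([a-zA-Z0-9\@\-\/\.]+)|UserName=([a-zA-Z0-9\@\-\/\.]+)")
ADDR_RE = re.compile(r"Framed-IP-Address=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})")

# Constructed ISE-style syslog lines (not real captures): a passed authentication,
# an accounting interim update, and a failed attempt the event regex must ignore.
SAMPLE_LOGS = [
    "<181>Jan 10 09:12:44 ise01 CISE_Passed_Authentications 0000000123 1 0 "
    "2019-01-10 09:12:44.118 +01:00 0000456789 5200 NOTICE Passed-Authentication: "
    "Authentication succeeded, User-Name=mary-jane, Framed-IP-Address=10.20.30.41, NAS-Port=1",
    "<181>Jan 10 09:42:44 ise01 CISE_RADIUS_Accounting 0000000124 1 0 "
    "2019-01-10 09:42:44.002 +01:00 0000456790 3000 NOTICE Radius-Accounting: "
    "RADIUS Accounting watchdog update, UserName=a.smith@corp.example, "
    "Framed-IP-Address=10.20.30.42, Acct-Status-Type=Interim-Update",
    "<181>Jan 10 09:43:00 ise01 CISE_Failed_Attempts 0000000125 1 0 "
    "2019-01-10 09:43:00.000 +01:00 0000456791 5400 NOTICE Failed-Attempt: "
    "Authentication failed, User-Name=mallory, Framed-IP-Address=10.20.30.43",
]


def parse_mappings(lines, event_re=EVENT_RE):
    """Apply the profile like the syslog listener: only lines matching the event
    regex are considered, then username and address are extracted. Returns {ip: user}."""
    mappings = {}
    for line in lines:
        if not event_re.search(line):
            continue
        user = USER_RE.search(line)
        addr = ADDR_RE.search(line)
        if not (user and addr):
            continue
        # Either alternation branch may have matched; take the non-empty group.
        mappings[addr.group(1)] = user.group(1) or user.group(2)
    return mappings
```

Running parse_mappings(SAMPLE_LOGS) yields the two expected mappings, while passing SINGLE_DOT_EVENT_RE returns an empty dict, which is the "number of auth. success message" = 0 symptom described later in the post.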
Configure Cisco ISE
On the Cisco ISE side, you only need to forward the logs in syslog format to the interface selected for User ID.
- Administration -> Logging -> Remote Logging Targets
- Click “Add”
- Name: Choose a name for the User ID destination
- Target Type: UDP SysLog
- Description: Enter a description if needed
- Host / IP Address: Enter the IP of the UserID configured interface
- Port: 514
- Facility Code: leave the default
- Maximum Length: change to 4096
- Include Alarms for this Target: No
- Click “Add”
- Now you need to instruct Cisco ISE to use this Syslog target for some kind of messages:
- Administration -> Logging -> Logging Categories
- Choose the relevant categories to forward. From our experience, you should use:
- Passed Authentications
- Accounting
- RADIUS Accounting
- For every category that you need, click “Edit”
- Add the Logging Target created in the step above to the “Selected” column and save
The basic setup is complete now. You will probably need to do some debugging to be sure it’s working. Some instructions that will help you check:
- First, check the Palo Alto traffic logs to verify that you can see communication from Cisco ISE to the User ID interface on port 514 and that it’s not blocked.
- If you see no traffic, something is wrong with the Cisco ISE setup, the firewall rule or somewhere else on the network. This is UDP traffic; if you’re not logging at session start, it can take some time for the log to refresh.
- If you see that the traffic is denied, you know what you need to do…
- Next, check if User ID receives information using the CLI on the Palo Alto firewalls:
- show user server-monitor state all
- “number of auth. success message” should not be 0
- If it’s 0 and you have traffic on port 514, you have a problem with the User ID setup or the syslog filter.
- show user ip-user-mapping all type SYSLOG
- shows you a user list
- If some users appear in the list, you can now use the GUI to view the User ID history:
- Monitor -> Logs -> User-ID
Cisco devices configuration
As explained in the introduction, you need to be sure that your devices send an interim accounting update and that this update is sent faster than the cache is cleared. The accounting update will be caught by the User ID syslog filter. To set this up on various Cisco devices, here are some pointers:
Cisco Wireless LAN Controller (WLC)
- GUI -> WLAN -> Edit your WLAN -> Security -> AAA Servers -> RADIUS Server Accounting
- Interim Update: check
- Interim Interval: value smaller than your User ID cache purge setting
- Note that the default value is 0; when 0 is configured, interim updates are only sent on special events, like roaming.
- Repeat for each WLAN using Cisco ISE where Palo Alto User ID is needed
Cisco Adaptive Security Appliance (ASA)
- ASDM -> Configuration -> Device Management -> User/AAA -> AAA Server Groups -> ISE Server group
- Enable interim accounting update: check
- Update interval: value smaller than your User ID cache purge setting (note that 1 hour is the smallest value possible)
Cisco IOS switches
- aaa accounting update newinfo periodic XXX
- replace XXX with a value in seconds smaller than your User ID cache purge setting
I had to change the . before the Framed-IP-Address in the Event Regex to a .* to get it to work for me.