This document outlines the steps needed to import user-id information from an Aruba Networks controller to a Palo Alto Network firewall directly using syslog.
First step is to setup the Aruba controller to log user login/logout and send to a remote syslog server.
Login to the Aruba Networks Controller Web Interface.
Click on the Configuration tab and select clock from the left hand menu. Make sure an NTP server is setup for the proper time zone to match the Palo Alto firewall.
Next click the logging menu item on the left hand side. Add a new logging server using the management interface of the Palo Alto Network firewall to receive the User-ID information. Multiple can be added if needed.
Next click the levels tab. Click the User logs check box, Captive portal and dot1x. Select the informational logging level and click done and apply. Also make sure to save the changes.
Next we want to validate the logging information. To do this access the CLI of the Aruba Networks controller. Via console or SSH. Enter enable mode. Once logged into the controller login to an 802.1x authenticated wireless network then type
show user log 20
You should see logging information similar to below. If you see this info we know proper authentication logging is taking place and the syntax of the log.
The Aruba portion of the setup should now be complete. Now login to the Web interface of the Palo Alto Networks firewall.
Once logged in click on the device tab. Then click the setup menu item. Make sure the proper time zone is set under the general settings.
Now click on the Services tab and make sure you are using the same NTP server as the Aruba Networks controller.
Next we will make sure the user-id syslog is allowed on the management interface. Go back to the management tab and select Management interface setting. Make sure USER-ID and USER-ID Syslog Listener-UDP is checked.
Now we need to setup the user-id syslog filter. Select the User Identification menu item on the left hand side. Next select the Palo Alto Networks User ID Agent Setup settings and click the Syslog Filters Tab.
Click add on the bottom to create a new filter. Enter a profile name and description and select Field Identifier. Now based on the log information from the Aruba Networks logs fill out the required boxes. From our log sample we have and event string of Authentication Successful a Username Prefix of username= an address prefix of IP= and the Delimiters are \s
Click ok twice to return to the main User Mappings tab. Now under Server Monitoring click add. Give the monitor a name such as Aruba controller. Click enable. Select the type of Syslog Sender. Enter the IP address of the Aruba controller under network address. Select the connection type of UDP. Now select the filter you just created and enter the default domain name used.
Now commit and save your changes.
Next login to the CLI of the Palo Alto Network firewall and type
show user server-monitor state all
You should see auth success messages here when a user connects to an 802.1x SSID.
You can also type
show user ip-user-mapping all
And you should see user-id information and SYSLOG in the from field for a successful deployment.