ISE 2.2 - CISE_Guest

craiglebutt
Level 4

Hi

Our customer would like 2 years record of Guest Traffic.  The Guest traffic is going out via a Palo Alto, which is all working, but the issue is capturing logs.

I've looked at the Palo Alto ISE doc and followed it, but it doesn't work; I think this is because it's portal guest authentication. So I'm sending the syslog for authentications to a Kiwi server, configured with facility code Local 6. I can capture the initial account creation and user logon in the logs under the heading CISE_Guest, so I get the IP and MAC, but after that there is no more data captured for when that account logs in.

I can see on PAN live logs the user authenticating, but this is not in the logs.

I'm logging against these categories:

     Guest

     Accounting

     RADIUS Accounting

     Passed Authentications

This log will be captured and imported into Sawmill, so the data manager can pair up the web logs from the Palo Alto and ISE for guests.

Anyone got any hints?

Cheers

1 Accepted Solution


OK, from the ISE side I don't see any issues.

I just checked with our pxGrid integration team and they noted that the guest information is consumable this way as well. If Palo Alto integrated that way it might be easier for all.


7 Replies

Jason Kunst
Cisco Employee

I don't completely understand the issue.

Can you step us through what happens on ISE guest now?

And what would you like to happen?

Also what are your authorization rules?

Hi

Mobility anchor created; the guest traffic goes out via port 2 of the WLC to the DMZ. A rule on the PA allows traffic to interact with ISE for sponsored guest.

This all works, but on the Palo Alto it just shows the web traffic with the IP address; it doesn't display the authentication of the user.

So I need to export this from ISE to a separate syslog so the data manager can merge the web traffic and auth traffic into one log.

What I would like is to integrate the ISE guest authentication on to the Palo Alto to display the web traffic with the guest details.

There is a link for this, but it doesn't seem to work for 2.1 & 2.2:

https://live.paloaltonetworks.com/t5/Integration-Articles/Integrating-Cisco-ISE-Guest-Authentication-with-PAN-OS/ta-p/98295

Authorization rules allow sponsored users to be authenticated to use the portal; this all works, it's just the logs I'm having issues with. As it is a hospital, they want to keep 2 years of data, even though it is only for visitors, not for patients.

cheers

OK, you can send ISE guest logins via syslog to an external server as well.

Can't these be correlated?

You may need a TAC case to debug why the logs are not being sent, or are sent incorrectly, from ISE.

Can you send a screenshot of your authz profile for guest as well?

Hi

Looking at the syslog going to the Palo, the instructions say this (first block below), but after further investigation, as the passed auth is coming from CISE_Guest, I'm guessing it should look more like the second block below (2.2).

1.3

Event Regex

([A-Za-z0-9].*CISE_Passed_Authentications.*Framed-IP-Address=.*)|([A-Za-z0-9].*CISE_RADIUS_Accounting.*Framed-IP-Address=.*)

Username Regex

User-Name=([a-zA-Z0-9\@\-\\/\\\._]+)|UserName=([a-zA-Z0-9\@\-\\/\\\._]+)

Address Regex

Framed-IP-Address=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})

******************

2.2

Event Regex

([A-Za-z0-9].*CISE_Guest.*NADAddress=.*)|([A-Za-z0-9].*CISE_Guest.*GuestUserName=.*)

Username Regex

User-Name=([a-zA-Z0-9\@\-\\/\\\._]+)|UserName=([a-zA-Z0-9\@\-\\/\\\._]+)

Address Regex

NADAddress=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})

cheers

[Attachment: Capture.JPG]
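Added example (not code from the thread, Cisco or Palo Alto): a small Python harness that runs both regex sets from the post above the way a PAN-OS syslog User-ID filter applies them (event regex first, then username and address captures) over constructed ISE syslog lines, so you can see which lines each set turns into a user-to-IP mapping before pointing the firewall at the real feed. The host names, users, addresses and line layout are constructed, not a real ISE export. One caveat worth checking before relying on the 2.2 set: NADAddress normally carries the network access device's address (here the WLC), not the guest client's, so a mapping keyed on it would bind the guest name to the WLC's IP; the harness records which attribute supplied the address so that shows up in the output.

```python
import re

# The regex sets from the post above, as a PAN-OS syslog User-ID filter
# would use them: an event filter, then username and address captures.
# (NADAddress spelling follows the event regex in the same post.)
RULESETS = {
    "1.3": {
        "event": re.compile(
            r"([A-Za-z0-9].*CISE_Passed_Authentications.*Framed-IP-Address=.*)"
            r"|([A-Za-z0-9].*CISE_RADIUS_Accounting.*Framed-IP-Address=.*)"),
        "address": re.compile(
            r"Framed-IP-Address=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"),
    },
    "2.2": {
        "event": re.compile(
            r"([A-Za-z0-9].*CISE_Guest.*NADAddress=.*)"
            r"|([A-Za-z0-9].*CISE_Guest.*GuestUserName=.*)"),
        "address": re.compile(
            r"NADAddress=([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"),
    },
}

# Same username regex in both sets. Its second alternative, "UserName=", also
# matches inside "GuestUserName=", which is what makes it work on CISE_Guest lines.
USERNAME_RE = re.compile(
    r"User-Name=([a-zA-Z0-9\@\-\\/\\\._]+)|UserName=([a-zA-Z0-9\@\-\\/\\\._]+)")

CATEGORY_RE = re.compile(r"CISE_[A-Za-z_]+")

# Constructed sample syslog lines (hypothetical host, users and addresses;
# the field layout is simplified, not a verbatim ISE export).
SAMPLE_SYSLOG = [
    "<181>Mar 10 09:15:02 ise01 CISE_Passed_Authentications 0000012345 1 0 "
    "2017-03-10 09:15:02.101 +00:00 User-Name=jdoe, Framed-IP-Address=10.20.30.41, "
    "NAS-IP-Address=10.1.1.5, Called-Station-ID=00-11-22-33-44-55:GuestSSID",
    "<181>Mar 10 09:16:10 ise01 CISE_Guest 0000012346 1 0 "
    "2017-03-10 09:16:10.550 +00:00 Guest user logged in, GuestUserName=visitor01, "
    "NADAddress=10.1.1.5, PortalName=SponsoredGuestPortal",
    "<181>Mar 10 09:17:00 ise01 CISE_RADIUS_Accounting 0000012347 1 0 "
    "2017-03-10 09:17:00.020 +00:00 User-Name=jdoe, Framed-IP-Address=10.20.30.41, "
    "Acct-Status-Type=Interim-Update",
    "<181>Mar 10 09:18:00 ise01 CISE_Failed_Attempts 0000012348 1 0 "
    "2017-03-10 09:18:00.300 +00:00 User-Name=unknown07, Framed-IP-Address=10.20.30.99",
]


def extract_mappings(lines, ruleset):
    """Return one {user, ip, category, address_field} per line the ruleset accepts.

    Mirrors the PAN-OS order of operations: a line must pass the event regex
    before the username and address regexes are applied, and a line where
    either capture fails produces no mapping.
    """
    rules = RULESETS[ruleset]
    mappings = []
    for line in lines:
        if not rules["event"].search(line):
            continue
        user_match = USERNAME_RE.search(line)
        addr_match = rules["address"].search(line)
        if not (user_match and addr_match):
            continue
        # Whichever alternative matched holds the name; the other group is None.
        user = next(g for g in user_match.groups() if g)
        cat = CATEGORY_RE.search(line)
        mappings.append({
            "user": user,
            "ip": addr_match.group(1),
            "category": cat.group(0) if cat else "",
            # Records whether the IP came from the client attribute
            # (Framed-IP-Address) or the network-access-device one (NADAddress).
            "address_field": addr_match.group(0).split("=", 1)[0],
        })
    return mappings


def user_id_table(lines, ruleset):
    """Collapse mappings into {ip: user}; later lines override earlier ones."""
    return {m["ip"]: m["user"] for m in extract_mappings(lines, ruleset)}


if __name__ == "__main__":
    for name in RULESETS:
        print(f"ruleset {name}:")
        for m in extract_mappings(SAMPLE_SYSLOG, name):
            print(f"  {m['category']:30} {m['user']:12} {m['ip']:15} via {m['address_field']}")
```

Run as-is it prints, for the 1.3 set, the two jdoe entries from the Passed Authentications and RADIUS Accounting lines, and for the 2.2 set a single visitor01 entry whose address came via NADAddress; the CISE_Guest line never passes the 1.3 event regex because it carries no Framed-IP-Address, which is the behaviour described in the thread.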


Hi Craig,

What do you mean by 1.3 and 2.2 below? Are those the ISE versions?

thanks