ISE sends bad information for Palo-Alto User-ID Agent

Charly
Level 1

Hi,

From our Palo Alto firewall, I am trying to get information from ISE SNMP logs in order to identify users connected to ISE and give them access to resources. I need to be able to link username and IP address.

Then, I get the info from this log (for example):

CISE_RADIUS_Accounting 0000018222 2 0 2018-03-19 10:29:14.575 +01:00 0000939068 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, ConfigVersionId=114, Device IP Address=10.10.10.241, RequestLatency=2, NetworkDeviceName=NAD_10.10.10.241, User-Name=EUROPE\\TESTUSER, NAS-IP-Address=10.10.10.241, NAS-Port=13, Framed-IP-Address=10.20.202.7, Class=CACS:0a4058f100000cbe5aaf7bf8:SJLISE01/309110859/18792, Called-Station-ID=00-a2-89-b9-d9-60, Called-Station-ID=70-6b-b9-7d-3f-80:Boardriders-Employee, Calling-Station-ID=e4-a4-71-50-29-2c, NAS-Identifier=EU-SJL-WLC2504-CA1-1-241, Acct-Status-Type=Interim-Update, Acct-Delay-Time=0, Acct-Input-Octets=1643432, Acct-Output-Octets=9346103, Acct-Session-Id=5aaf7bf8/e4:a4:71:50:29:2c/7968, Acct-Authentic=RADIUS, Acct-Session-Time=1774, Acct-Input-Packets=7687, Acct-Output-Packets=8562, Acct-Input-Gigawords=0, Acct-Output-Gigawords=0, Event-Timestamp=1521451754, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN,

 

I can link "User-Name=" with "Framed-IP-Address=".

But, as we need to treat users with their domains, I need to get the info:

User-Name=EUROPE\TESTUSER, with only 1 backslash!!!

I tried to get the right info with regex manipulations in our firewall, but with no success.

The only way is to get the right info from ISE. Can we change the log format in ISE, removing 1 backslash?

Please help!

Thanks
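
Added example (not part of the original post, and not Cisco or Palo Alto code): a small Python pre-processing step that parses the accounting line shown above, links `User-Name` to `Framed-IP-Address`, and collapses the doubled backslash before the mapping is handed to any consumer. The function names and the login/logout labels are assumptions made for illustration; the sample is a shortened copy of the log line in the post.

```python
import ipaddress
import re

# Constructed sample: the log line from the post, shortened. The Python
# literal "\\\\" is the two backslashes that ISE writes.
SAMPLE = (
    "CISE_RADIUS_Accounting 0000018222 2 0 2018-03-19 10:29:14.575 +01:00 "
    "0000939068 3002 NOTICE Radius-Accounting: RADIUS Accounting watchdog update, "
    "ConfigVersionId=114, Device IP Address=10.10.10.241, "
    "User-Name=EUROPE\\\\TESTUSER, NAS-IP-Address=10.10.10.241, "
    "Framed-IP-Address=10.20.202.7, Called-Station-ID=00-a2-89-b9-d9-60, "
    "Called-Station-ID=70-6b-b9-7d-3f-80:Boardriders-Employee, "
    "Acct-Status-Type=Interim-Update, NAS-Port-Type=Wireless - IEEE 802.11, "
    "Tunnel-Type=(tag=0) VLAN,"
)

def parse_attributes(line):
    """Return {key: [values]}; keys such as Called-Station-ID can repeat."""
    attrs = {}
    for piece in line.strip().rstrip(",").split(", "):
        key, sep, value = piece.partition("=")  # split on the first '=' only
        if sep:  # the syslog header piece has no '=' and is skipped
            attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs

def normalize_user(raw):
    """Collapse any run of backslashes into the single DOMAIN\\user separator."""
    return re.sub(r"\\+", lambda m: "\\", raw)

def user_ip_mapping(line):
    """Return (action, user, ip), or None if the line has no usable mapping."""
    attrs = parse_attributes(line)
    try:
        user = normalize_user(attrs["User-Name"][0])
        # Reject malformed addresses instead of passing them downstream.
        ip = str(ipaddress.ip_address(attrs["Framed-IP-Address"][0]))
        status = attrs["Acct-Status-Type"][0]
    except (KeyError, ValueError):
        return None
    # Hypothetical labels: Start and Interim-Update refresh a mapping, Stop clears it.
    action = {"Start": "login", "Interim-Update": "login", "Stop": "logout"}.get(status)
    return (action, user, ip) if action else None

if __name__ == "__main__":
    print(user_ip_mapping(SAMPLE))
```
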
