Palo Alto Firewall integration

  • 10
  • Idea
  • Updated 4 months ago
If you want to integrate Aerohive with Palo Alto the suggested route is to run a script on a Kiwi Syslog Server which parses the Aerohive log and then updates the Palo Alto with Username/IP address mapping. A working VB script for Kiwi is provided below.
The process is simple; can this HTTP/HTTPS request be integrated into the APs and configured by HiveManager?

'Program written by Russell Aspinwall, MBCS May 2013
'For PANOS v5 and later
'
'
' To Generate the API Key for Agentless Operation use the following URL
'
' https://[Serverip]/api/?type=keygen&u...
'
' The Username and Password must match a valid user already defined on the Palo Alto Firewall
' The user must have API access
'
'log data is expected to look like: 2013-04-01 14:06:05 info ah auth: Station 1cab:a7e6:cf7f ip 10.5.50.52 username astrong hostname Strong-iPad3-6 OS Apple iOS
'

'Percent-encode a string so the XML command (and any spaces in a username) survives inside the query string
Function UrlEncode(strIn)
    Dim i, c, strOut
    strOut = ""
    For i = 1 To Len(strIn)
        c = Mid(strIn, i, 1)
        If InStr("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.~", c) > 0 Then
            strOut = strOut & c
        Else
            strOut = strOut & "%" & Right("0" & Hex(Asc(c)), 2)
        End If
    Next
    UrlEncode = strOut
End Function

Function Main() 'Kiwi syslog requires the content of the script to be contained in a Main() function
'----CHANGE THESE TO MATCH FIREWALL----
strAgentServer="192.168.50.252"
strAgentPort="5006"
'----CHANGE THESE TO MATCH FIREWALL----

'----CHANGE THIS TO MATCH AD DOMAIN NAME!----
strDomain = "vadlab"

'-----ADD API KEY HERE FOR AGENTLESS OPERATION
strKey="LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09"
'-----ADD API KEY HERE FOR AGENTLESS OPERATION

set xmlHttp = CreateObject("Msxml2.ServerXMLHTTP")
'This is a Kiwi variable for the content of the log message
strLog = Fields.VarCleanMessageText
'Username is everything between "username " and " hostname", so names containing spaces or an @realm are captured whole
ptrn = "ip (\d+\.\d+\.\d+\.\d+).*username (.+?) hostname (\S+) OS (.*)"
If InStr(strLog,"n/a")=0 Then 'Will not run script if there is no username
'// Create the regular expression.
set re = New RegExp
re.Pattern = ptrn
re.IgnoreCase = False
re.Global = True
'// Perform the search and sort in collection object
Set hostInfo = re.Execute(strLog)
If hostInfo.Count > 0 Then 'Only continue when the line matched the expected format; hostInfo(0) would otherwise raise an error
'// Assign the user and address to variables
strAddress = hostInfo(0).SubMatches.Item(0)
strUser = hostInfo(0).SubMatches.Item(1)
strHost = hostInfo(0).SubMatches.Item(2)
strOS = hostInfo(0).SubMatches.Item(3)
'// Check variables are being populated correctly - yes
Fields.VarCustom01 = strAddress
Fields.VarCustom02 = strUser
Fields.VarCustom03 = strHost
Fields.VarCustom04 = strOS
'// Build the XML message for Firewall API (PAN-OS User-ID uid-message format, login entry as domain\user)
strXMLcmd ="<uid-message><version>1.0</version><type>update</type><payload><login>"
strXMLusr ="<entry name=""" & strDomain & "\" & strUser & """ ip=""" & strAddress & """/>"
strXMLcmd2 ="</login></payload></uid-message>"
strXMLfirewall = strXMLcmd & strXMLusr & strXMLcmd2
Fields.VarCustom06 = strXMLfirewall

'//Send using Firewall REST API; the whole command travels in the query string, the same URL that works when pasted into a browser
sUrl = "https://" & strAgentServer & "/api/?type=user-id&action=set&key=" & strKey & "&cmd=" & UrlEncode(strXMLfirewall)
Fields.VarCustom07 = sUrl
On Error Resume Next
xmlHttp.open "GET", sUrl, False
'SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS is not defined in a VBScript host, so its value (13056) is given explicitly.
'This switches certificate checking off and should be removed once the firewall presents a certificate the Kiwi server trusts.
xmlHttp.setOption 2, 13056
xmlHttp.send
'Record the outcome so a failed connection is visible in a custom field instead of being swallowed by On Error Resume Next
If Err.Number <> 0 Then
    Fields.VarCustom08 = "send failed: " & Err.Description
Else
    Fields.VarCustom08 = "HTTP " & xmlHttp.status
End If
End If
End If
Main="OK" 'return value for Kiwi
End Function
russell

Posted 5 years ago


Mike Kouri, Official Rep

Thanks for sharing this Russell!! I am certain many of the participants here will appreciate it!

Nick Lowe, Official Rep

Mike,

Is there documentation for what SNMP traps HiveOS generates? (I am now interested in building a state table for PPSK sessions and wonder if it is possible via this route.)

If not today, could this come in the future?

Nick

Mike Kouri, Official Rep

Nick,
Sorry, the documentation on SNMP is fairly weak. Yes, that's somewhere on my (long) list of things to address. You can see the trap list within HiveManager by going to Home->Administration->Auxiliary Files->MIB files. The one you are looking for is ah_trap_mib.txt

russell

If the HiveManager included within the GUI the option to specify a Palo Alto Firewall, IP Address, Username and Password then the API could be captured as an automatic process. This key could then be used to perform an HTTP or HTTPS connection to the PAN device without reference to the Kiwi server.

After lengthy testing yesterday, a colleague attempted to demonstrate this today. When in Debug mode the Mapping URL (sURL in the script) was created successfully and could be manually pasted into a web browser to create the mapping (Custom07 field). However, in normal mode the Kiwi server failed to make the http connection today, which is odd.

Nick Lowe, Official Rep

RADIUS servers must be configured and capable of returning the real identity of a user via the User-Name AVP in an Access-Accept.

Abstractly, it should also really be the concern of the RADIUS implementation alone to do what you want to achieve via its AAA information, not the NAS.
(As an added bonus, it is then not coupled to the vendor of the NAS and works heterogeneously.)

Gregor Vucajnk, Official Rep

Thank you for this contribution Russell. Let's see what is happening with the http connections...

Aaron Scott

Does anyone know if this is possible with PPSK instead of 802.1X?

Nick Lowe, Official Rep

You normally should not do this via syslog from a NAS (AP/switch) today with 802.1X, as in most deployments it is trivially vulnerable to identity spoofing via identity privacy.

Where HiveOS only sees the EAPOL and EAP outer identity, not the inner identity that the EAP terminating RADIUS server uses, this is fundamentally broken and probably largely unusable.

The only absolutely correct way to implement this that ticks all the boxes is with a state table at the RADIUS server, usually via a plug-in, where you get full access to AAA information that can then be exposed as needed.

Aaron Scott

Nick, Do you know of any plugins for this that would work with NPS?

Nick Lowe, Official Rep

Nothing exists on the market to do this as far as I know. I looked extensively a few weeks ago.

Because of this, as chance has it, I am actually writing one at the moment for NPS / PaloAlto integration. Hopefully it will be ready soon.

Aaron Scott

When you've got it running - I'm happy to do some testing for you. I've got some clients who would really love it!

Aaron Scott

The syslog/identity spoofing wouldn't be an issue if you are using PPSK though.

Nick Lowe, Official Rep

If you are just using PPSKs, use syslog to your heart's content although I feel it is an intrinsically flaky, vulnerable interface to layer against behind the scenes. SNMPv3 would be slightly better.

I will let you know how I get on with the NPS plug-in. The thing that is going to take me some time is synchronisation of state between multiple NPS instances.

I will also look at the best method of getting PPSK session information and see if I can add that too, be it SNMP or, reluctantly, syslog.

(I would always prefer not to have to use syslog for this purpose as it would clearly be vulnerable to fake sessions being reported via MITM injection, if achievable, where SNMPv3 would not.)

Abby S, Employee

This is a pretty common setup to support UserID for Palo Alto by many different vendors. It works great.

PPSK will also work - we are just sending syslog messages with the user ID (tie that to the PPSK), IP address, and device type. You can also use Captive Web Portal if you want. In order to modify the script, here are the log messages we'll send for each type of auth:

802.1X:
2013-07-01 14:06:05 info ah auth: Station 1cab:a7e6:cf7f ip 10.5.50.52 username astrong hostname Strong-iPad3-6 OS Apple iOS

PPSK:
2013-07-01 14:43:18 info ah_auth: Station 1cab:a7e6:cf7f ip 10.5.50.52 username Abby Strong hostname Strong-iPad3-6 OS Apple iOS

CWP:
2013-07-01 14:50:46 info ah_auth: Station 1cab:a7e6:cf7f ip 10.5.50.52 username abby@ahdemo.local hostname Strong-iPad3-6 OS Apple iOS
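As an added example (not part of Abby's post or of the Kiwi script at the top of the thread), here is a Python version of the parsing step that handles all three log formats quoted above in one regular expression: the PPSK username containing a space, the CWP realm-style username, and both the "ah auth" and "ah_auth" spellings. It then builds the PAN-OS User-ID login message and the API query string from the result. The sample lines are constructed copies of the three above plus one with username n/a; the domain name and the API key value are placeholders.

```python
import re
from urllib.parse import urlencode
from xml.sax.saxutils import quoteattr

# Constructed sample lines, copied from the three formats quoted in the thread
# (802.1X, PPSK, CWP) plus one line with no usable username.
SAMPLE_LOGS = [
    "2013-07-01 14:06:05 info ah auth: Station 1cab:a7e6:cf7f ip 10.5.50.52 "
    "username astrong hostname Strong-iPad3-6 OS Apple iOS",
    "2013-07-01 14:43:18 info ah_auth: Station 1cab:a7e6:cf7f ip 10.5.50.52 "
    "username Abby Strong hostname Strong-iPad3-6 OS Apple iOS",
    "2013-07-01 14:50:46 info ah_auth: Station 1cab:a7e6:cf7f ip 10.5.50.52 "
    "username abby@ahdemo.local hostname Strong-iPad3-6 OS Apple iOS",
    "2013-07-01 14:51:00 info ah_auth: Station 1cab:a7e6:cf7f ip 10.5.50.53 "
    "username n/a hostname unknown OS n/a",
]

# The username is everything between "username " and " hostname ", so a PPSK
# name with spaces or a CWP name with an @realm is captured whole.  The
# hostname is taken as a single token so a trailing "OS ..." is never swallowed.
LOG_RE = re.compile(
    r"ah[ _]auth: Station (?P<mac>[0-9a-f:]+) ip (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"username (?P<user>.+?) hostname (?P<host>\S+) OS (?P<os>.*)$"
)


def parse_auth_line(line):
    """Return the station fields of one auth log line, or None when the line
    does not match the expected format or carries no username (n/a)."""
    m = LOG_RE.search(line)
    if not m or m.group("user") == "n/a":
        return None
    return m.groupdict()


def qualify_user(user, domain):
    """PAN-OS User-ID mappings are usually domain\\user; names that already
    carry a domain or a realm are passed through unchanged."""
    if "\\" in user or "@" in user:
        return user
    return f"{domain}\\{user}"


def build_uid_message(entries):
    """Build the User-ID 'login' update message for (user, ip) pairs.
    quoteattr escapes the attribute values, so a username cannot break the XML."""
    body = "".join(f"<entry name={quoteattr(u)} ip={quoteattr(ip)}/>" for u, ip in entries)
    return ("<uid-message><version>1.0</version><type>update</type>"
            f"<payload><login>{body}</login></payload></uid-message>")


def build_api_query(message, api_key):
    """Query string for /api/?type=user-id; urlencode percent-encodes the XML
    and any spaces in usernames so the request survives transport intact."""
    return urlencode({"type": "user-id", "action": "set", "key": api_key, "cmd": message})


def mappings_from_logs(lines, domain):
    """Turn a batch of log lines into (qualified user, ip) pairs, skipping lines
    that carry no identity."""
    out = []
    for line in lines:
        event = parse_auth_line(line)
        if event:
            out.append((qualify_user(event["user"], domain), event["ip"]))
    return out


if __name__ == "__main__":
    pairs = mappings_from_logs(SAMPLE_LOGS, "vadlab")   # "vadlab" is a placeholder domain
    print(build_api_query(build_uid_message(pairs), "PLACEHOLDER_API_KEY"))
```

One line of this batch is dropped on purpose: the n/a line produces no mapping, which is the same guard the Kiwi script applies with its InStr check, and the regular expression refuses lines whose layout differs, so a future change in the log format shows up as missing mappings rather than as garbage pushed to the firewall.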

Chris Ellis

Does this mean that Aerohive will guarantee that from now on, these log messages will never alter in format?

Will any alteration to the format be recorded in the change log?

Does Aerohive guarantee that HiveOS emits these log messages at all points within the internal authentication state machine?

Does Aerohive guarantee that the user name is always valid when the log message is emitted and can Aerohive confirm that the username emitted is not vulnerable to identity spoofing?

Nick Lowe, Official Rep

It does not usually work for 802.1X as explained above and should not be deployed without much consideration as it is normally trivially security vulnerable.

With PEAP/MS-CHAP-v2 or TTLS/(PAP, CHAP etc.), you could set the outer identity to, for example, admin, set the inner identity to john and log on with your password.

HiveOS and the PaloAlto system would then believe that admin was logged on and not john.

Abby S, Employee

Changing the outer identity isn't all that common unless you have a supplicant that supports it - Odyssey makes it easy, but Windows doesn't even support that and OS X and iOS don't make it easy. Usually people use anonymous. I appreciate your opinion on this, but just because something isn't perfect 100% doesn't make it a non-solution. Many customers would be willing to accept the limitation in order to acquire the information, as we've seen with Palo Alto's integrations with many major vendors in the market. They're all posted on the Palo Alto Networks partner center at https://login.paloaltonetworks.com. :-)

Chris Ellis

Abby, this is not just a non-solution, it is a security vulnerability. It opens a network to identity spoofing and privilege escalation, with minimal auditing.

Any organisation that actively deploys such a solution is professionally negligent in my mind.

Aerohive should in no way be endorsing such a solution.

Nick Lowe, Official Rep

Windows has supported setting it easily since Windows 7. Android phones support setting it easily too.

I feel that the point is missed that it is not the commonality of setting a different outer identity that is the issue, it is rather the triviality of doing it that is. Also, as many security professionals will tell you, security through obscurity does not exist.

Considering that you can impersonate another user to either falsely implicate them or get a higher level of access to resources in the case that it is being used to federate for access control purposes, it is a non-solution. Deploying it is professionally negligent in such use cases.

I would venture the idea that many customers would not be aware of this vulnerability and would be concerned if they knew it existed, and the implications that flow from it. Where administrators take actions in good faith based on a false audit trail, it would be rather reprehensible.

The lack of insight and perception in the industry in general here is surely of concern. Many are tempted to argue the appeal to authority fallacy that 'other major vendors do this, therefore it is not a problem'. That, however, does not somehow magically make the security vulnerability go away.

Regards,

Nick

Abby S, Employee

Sounds like an excellent case to use our new client management functionality to assign a custom device certificate and use EAP-TLS, which will only send the subject line of the cert rather than dealing with an outer identity at all :-).

Nick Lowe, Official Rep

Identity privacy still applies with device certificates, with only the server's identity needing to be exposed in the exchange via its certificate, the client's certificate being tunnelled back in the inner EAP.

Remember also that HiveOS presently truncates the outer identity to 31 characters due to a flaw in its implementation. This means that in many cases today without privacy, the identity information is unusable from the certificate because it is incomplete.

In many environments for BYOD access, it is also preferable to use a user name and password and not device certificates. (That is moot here, though.)

It is broken and security vulnerable and clearly should not be in abstract:

1) If the identity information comes instead from the EAP terminating RADIUS server based on its information, it is not vulnerable.

2) If the RADIUS back end is capable of returning the real identity in the User-Name AVP of an Access-Accept AND is configured to do so AND the identity truncation bug gets fixed THEN the syslog or SNMP information would be correct.

Presently, where an organisation is using authentication via a TLS based EAP (all practical 802.1X deployments), they should not use HiveOS's SNMP or syslog data as an identity information source for access control or logging purposes in other systems.

(Where a security boundary is traversed with spoofed identity information, you have a real problem that needs resolving as it is a critical security vulnerability.)

Aaron Scott

Thanks for the log samples Abby. Our BYOD clients that use PPSK will love this integration

Nick Lowe, Official Rep

Does not using a syslog source feel intrinsically flaky to you? You would be layering against effectively a private implementation detail and not a more robust interface like an SNMP trap would offer...

Aaron Scott

Obviously a proper solution would be great - say direct integration from Aerohive to PaloAlto, like what was suggested at the start of the thread.

But short of that, and in absence of anything else at the moment the syslog is the only viable option for us.

But to answer your question... yes, scraping log messages to me does seem a bit flaky.

Chris Ellis

Log scraping is always the epitome of poor engineering. While on the surface it may appear to work, the resulting solution is fragile at best.

In my view any solution which uses log scraping should be avoided at all costs, and any decision to use such a solution should be fully informed. I'm disappointed that a reputable engineering company would advocate such a solution.

Solutions which use log scraping have many points of failure, they are not robust solutions and have high maintenance costs. Consider what happens if the format of the log message changes in a point release.

Fundamentally, logging is not intended to be used in this manner. Logging is intended as a debugging tool for engineers and as an informative tool for administrators.

There are no guarantees that the log message will stay consistent and any change almost certainly would not be documented in a change log. There are no guarantees that the log messages are emitted in all use-cases.

Authentication and Authorization form a critical part of modern IT systems. As such, it is important that the information used by such processes is correct.

When such a solution is vulnerable to identity spoofing, it is not just a non-solution, it is a vulnerability. A vulnerability which opens an organisation's network to privilege escalation.

I would have thought there are far better ways to implement this functionality. As Nick has pointed out, it should be implemented by the centralised AAA server.

Failing that, presumably a solution using SNMP traps is possible. A tool like SNMPTT could easily be used to build a solution which updated the Firewall based on SNMP traps.

Nick Lowe, Official Rep

I have posted a blog on an issue I've encountered developing a NPS extension for 802.1X SSO purposes in a vendor agnostic way. It may interest some here:

Network Policy Server (NPS) and 802.1X SSO – The Case of the Missing RADIUS Class Attribute

Roberto Casula, Champ

Just stumbled across this thread. I am with Nick 100% with regard to security best-practices.

When I saw the syslog/script based integration a few months ago (via another route, not this thread) I also thought there must be a way to do this with SNMP traps or RADIUS accounting which will at least be more scalable and a little more secure.

So more as a challenge than anything else, I wrote an integration using SNMP a few months ago. The first iteration only supports SNMPv1/v2 traps but I was planning on adding SNMPv3 support - however I suspect that Aerohive will have a direct integration available soon so not sure it's worth developing further...

It's written as a Windows service (in C#), is multi-threaded and very scalable. I had plans to productise it for a small fee, and even built in a licensing mechanism (again more as a little challenge to myself than any real expectation to sell thousands of copies to the Aerohive/Palo Alto masses!)

Anyway, here's a link to a ZIP containing the software and some release notes (yet again, a little grandiose for something so simple but that's the kind of guy I am!)

ftp://ftp.proximitycomms.com/pub/PANAHUserID.zip

If there really is an interest, I'll have a think about what to do with it...but as I say, I have a sneaky suspicion we'll see something official from Aerohive soon as it's an obvious tie-up for them in my view. And as Nick says, for 802.1x, there are some other considerations too.

Corey Kemp

Hello Roberto, I would like to try out your trial for the SNMP UID Agent you have created. I have completed the install process and require the license file.  How do I go about getting hold of this?  Thanks

Corey

GJ van Weelden

Hi Roberto, can I get a trial license for your userid integration? We use approx. 250 APs at this moment.

Thanks!

Gertjan


Roberto Casula, Champ

Hi Gertjan,

Please can you e-mail me at rcasula@proximitycomms.com?

Thanks.

Dan Ware

Roberto, could I get a trial license for 363 APs?  I tried emailing you but received no response.

Thanks

Nick Lowe, Official Rep

Roberto,

You may be interested to know that HiveOS now supports a User-Name AVP being provided in an Access-Accept and will update its accounting and the information that it sends in SNMP traps and syslog information accordingly.

Where the RADIUS server returns the EAP inner-identity normalised, this resolves the identity spoofing security vulnerability. (To achieve this in NPS, you need to write an extension to do this. It is possible in FreeRADIUS via appropriate configuration.)

6.1r2, due in September, further resolves the truncation to 31-characters bug of the client's user name. Hooray!

An issue with going down the SNMP traps approach is that there is no acknowledgement of receipt from the trap destination and no retry in the case of failure. It is vulnerable to packet loss. This means that solutions that go down this approach, that wish to be reliable, have to maintain a state table/machine and periodically poll to ensure that the data that has been received via traps is accurate, generating appropriate events to the User-ID API to reconcile the difference where appropriate.

This is one of the reasons why I chose the RADIUS accounting approach for integration in my implementation. (Not without hurdles as there are a few accounting bugs in HiveOS that this turned up, due to be fixed in 6.1r2.)

Nick
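To show what the state table and periodic poll Nick describes actually have to do, here is an added Python example (not Nick's, Roberto's or Aerohive's code) of the reconciliation logic: login and logout traps are applied to a local mapping table as they arrive, and after each poll of the authoritative association table the routine emits exactly the login/logout operations that repair whatever lost traps left behind. The station addresses, usernames and the poll result are constructed sample data, and the operation tuples stand in for calls to the User-ID API.

```python
from dataclasses import dataclass, field


@dataclass
class UserIdState:
    """Mapping table the agent believes the firewall currently holds (ip -> user)."""
    mappings: dict = field(default_factory=dict)

    def apply_trap(self, kind, ip, user):
        """Apply one trap as it arrives; returns the User-ID operation to send,
        or None when the firewall already holds the right answer."""
        if kind == "login":
            if self.mappings.get(ip) == user:
                return None                      # duplicate trap, nothing to do
            self.mappings[ip] = user
            return ("login", user, ip)
        if kind == "logout":
            if ip not in self.mappings:
                return None                      # logout for a session we never saw
            return ("logout", self.mappings.pop(ip), ip)
        raise ValueError(f"unknown trap kind {kind!r}")

    def reconcile(self, polled):
        """Compare the table against an authoritative poll (ip -> user) and return
        the operations that bring the firewall back in line.  Covers the three
        ways a lost trap leaves the table wrong: a login never seen, a logout
        never seen, and an address that silently changed hands."""
        ops = []
        for ip, user in sorted(polled.items()):
            if self.mappings.get(ip) != user:
                if ip in self.mappings:
                    # address now belongs to someone else: retire the stale user first
                    ops.append(("logout", self.mappings[ip], ip))
                ops.append(("login", user, ip))
                self.mappings[ip] = user
        for ip in sorted(set(self.mappings) - set(polled)):
            ops.append(("logout", self.mappings.pop(ip), ip))
        return ops


def simulate_lost_traps():
    """Constructed scenario: two login traps arrive, a third (10.5.50.53) is
    dropped in transit, and the logout for 10.5.50.54 is dropped too.  The poll
    then reveals the true association table and the diff repairs the firewall."""
    state = UserIdState()
    sent = []
    for trap in [("login", "10.5.50.52", "astrong"), ("login", "10.5.50.54", "bjones")]:
        op = state.apply_trap(*trap)
        if op:
            sent.append(op)
    polled = {"10.5.50.52": "astrong", "10.5.50.53": "cwhite"}   # constructed poll result
    sent.extend(state.reconcile(polled))
    return sent


if __name__ == "__main__":
    for op in simulate_lost_traps():
        print(op)
```

The poll is what makes the approach safe against packet loss: without it the missing login for 10.5.50.53 would never reach the firewall and the stale mapping for 10.5.50.54 would keep granting that user's policy to whoever gets the address next, which is the reconciliation cost Nick weighs against RADIUS accounting.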

Roberto Casula, Champ

Hi Nick,

Yes I've seen the changes in 6.1r1 in one of your other posts and I read your blog post about the fun you've been having with the NPS extension!

I agree RADIUS accounting is a better integration once the bugs are worked out.

For a PPSK SSID though, which is actually one of the primary use cases in our customer base - or other situations where there's no RADIUS server specified in the config - how are you getting accounting info generated? I think there is a kludge available in that if you configure all APs to be RADIUS proxies, they will send accounting data based on the proxying rules for ALL SSIDs (which is why currently ID Manager will log accounting events for all SSIDs, not just the IDM-enabled ones, as at the moment it uses the same CLI commands as the RADIUS proxy does)...but not sure if this is exploiting a bug which might be fixed in a future release...

I actually started writing the background polling mechanism (for a few reasons to ensure the integrity of the mappings) but it felt like too much work - I think I'd probably have looked at RADIUS accounting instead tbh as there are other benefits there.

Roberto

Nick Lowe, Official Rep

My use cases have been for 802.1X only but I will enhance the solution that I have been working on to support PPSK access, with the ability to map to user accounts in a directory for SSO purposes, when sensible to do so.
(I will release the solution publicly if-and-when the issues are worked out in NPS and HiveOS.)

I have asked for consideration to be given to seeing RADIUS accounting for PPSK and PSK access implemented in HiveOS here:

http://community.aerohive.com/aerohiv...

SNMP traps and periodic poll is the only viable and pragmatic approach today, albeit suboptimal, that I can see for PPSK access. (I have chosen not to implement this in my code and will instead wait in hope for HiveOS to get the ability to properly account to a RADIUS server.)

It would be great if you, as a reseller, have any leverage or ability to push Aerohive to get this fixed in their code sooner rather than later.

Cheers,

Nick

Roberto Casula, Champ

Actually, as a reseller I have less leverage than a customer (much to my annoyance!). A lot of my feature requests have been implemented, but only where I've been able to cite end-user dissatisfaction. If it's just me saying it, I get a lot of sympathy from the Aerohive guys in the UK, but it doesn't seem to cut any ice with the US (same applies to some of the excellent ideas the UK Aerohive SEs have had).

I'll certainly highlight the requirement and point them to this thread...but as I say, I have a "sneaky suspicion" we may see something more "integrated" from Aerohive themselves before too long...

kart0074

We are trying to get User-ID data from Aerohive to our Palo Alto. We have been trying to get the syslog idea to work and it hasn't. Now we are looking at using a Windows server as the RADIUS server, and then just running a user id agent there. Does anyone have a good way to do this? It shouldn't be so hard to get the user information!

Nick Lowe, Official Rep

If you are using 802.1X with Microsoft's Network Policy Server, there is no way to do this today in a reliable and secure way.

I have, however, developed an extension to bridge the two systems together and am in the late stages of testing/QA.

It will, however, require:

1) A hotfix for NPS to be installed that resolves a bug in making the Class attribute available for binding purposes in a way that is generally compatible with all NASes. (See my blog post for more information, I am unsure when this is likely to be available.)

2) On the Aerohive front, HiveOS 6.1r2 to resolve a few RADIUS accounting bugs that I don't wish to have to special case and hack around in release code. (I have been told this is due in September.)

Nick