Palo Alto Firewall integration

  • Idea
  • Updated 2 months ago
If you want to integrate Aerohive with Palo Alto the suggested route is to run a script on a Kiwi Syslog Server which parses the Aerohive log and then updates the Palo Alto with Username/IP address mapping. A working VB script for Kiwi is provided below.
The process is simple; can this HTTP/HTTPS request be integrated into the APs and configured by HiveManager?

'Program written by Russell Aspinwall, MBCS May 2013
'For PANOS v5 and later
'
'
' To generate the API key for agentless operation use the following URL
'
' https://[Serverip]/api/?type=keygen&u...
'
' The username and password must match a valid user already defined on the Palo Alto Firewall
' The user must have API access
'
' Log data is expected to look like: 2013-04-01 14:06:05 info ah auth: Station 1cab:a7e6:cf7f ip 10.5.50.52 username astrong hostname Strong-iPad3-6 OS Apple iOS
'

Function Main() 'Kiwi syslog requires the content of the script to be contained in a Main() function
'----CHANGE THESE TO MATCH FIREWALL----
strAgentServer = "192.168.50.252"
strAgentPort = "5006" 'User-ID agent port; not used by the XML API call below
'----CHANGE THESE TO MATCH FIREWALL----

'----CHANGE THIS TO MATCH AD DOMAIN NAME!----
strDomain = "vadlab"

'-----ADD API KEY HERE FOR AGENTLESS OPERATION
strKey = "LUFRPT14MW5xOEo1R09KVlBZNnpnemh0VHRBOWl6TGM9bXcwM3JHUGVhRlNiY0dCR0srNERUQT09"
'-----ADD API KEY HERE FOR AGENTLESS OPERATION

'Flag value for ServerXMLHTTP option 2 (ignore server certificate errors); the constant is not predefined in VBScript
Const SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS = 13056

Set xmlHttp = CreateObject("Msxml2.ServerXMLHTTP")
'This is a Kiwi variable for the content of the log message
strLog = Fields.VarCleanMessageText
'(\w+) for the username also keeps quotes and angle brackets out of the XML attribute built below
ptrn = "ip (\d+\.\d+\.\d+\.\d+).*username (\w+) .*hostname (.*)OS (.*)"
If InStr(strLog, "n/a") = 0 Then 'Will not run script if there is no username
    '// Create the regular expression.
    Set re = New RegExp
    re.Pattern = ptrn
    re.IgnoreCase = False
    re.Global = True
    '// Perform the search and store the matches in a collection object
    Set hostInfo = re.Execute(strLog)
    If hostInfo.Count > 0 Then 'Lines that are not "ah auth" events would otherwise fail on hostInfo(0)
        '// Assign the user and address to variables (submatch 0 = IP, 1 = username, 2 = hostname, 3 = OS)
        strUser = hostInfo(0).SubMatches.Item(1)
        strAddress = hostInfo(0).SubMatches.Item(0)
        strHost = Trim(hostInfo(0).SubMatches.Item(2))
        strOS = hostInfo(0).SubMatches.Item(3)
        '// Expose the parsed values as Kiwi custom fields to check they are populated correctly - yes
        Fields.VarCustom01 = strAddress
        Fields.VarCustom02 = strUser
        Fields.VarCustom03 = strHost
        Fields.VarCustom04 = strOS
        '// Build the XML message for the firewall User-ID API.
        '// The tags were stripped when this post was rendered; rebuilt here from the documented
        '// PAN-OS uid-message format (version / type / payload / login / entry).
        strXMLcmd = "&cmd=<uid-message><version>1.0</version><type>update</type><payload><login>"
        strXMLusr = "<entry name=""" & strDomain & "\" & strUser & """ ip=""" & strAddress & """/>"
        strXMLcmd2 = "</login></payload></uid-message>"
        strXMLfirewall = strXMLcmd & strXMLusr & strXMLcmd2
        Fields.VarCustom06 = strXMLfirewall

        '//Post using the firewall XML API. The key travels in the URL, so use https in production
        '//and make sure nothing between Kiwi and the firewall logs query strings.
        sUrl = "http://" & strAgentServer & "/api/?type=user-id&action=set&key=" & strKey & strXMLfirewall
        Fields.VarCustom07 = sUrl 'Contains the API key; clear this field once debugging is finished
        On Error Resume Next
        xmlHttp.open "POST", sUrl, False 'The PAN-OS XML API documents GET and POST
        xmlHttp.setRequestHeader "Content-type", "text/xml"
        'Disables certificate checking for https; remove once the firewall presents a trusted certificate
        xmlHttp.setOption 2, SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS
        xmlHttp.send
        'Record the firewall's answer so a rejected mapping is visible in Kiwi instead of silently lost
        Fields.VarCustom05 = xmlHttp.status & " " & xmlHttp.responseText
        'ServerXMLHTTP has no close method; the original xmlHttp.close line only passed because of On Error Resume Next
    End If
End If
Main = "OK" 'return value for Kiwi
End Function
russell

  • 15 Posts
  • 0 Reply Likes

Posted 5 years ago

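The same parsing and User-ID payload construction as an added Python example (not part of the original post or the Kiwi script): the XML is produced by a serializer so that a username lifted from an untrusted syslog line cannot alter the message structure, and the key and command go in the POST body rather than the query string. The firewall address, domain and API key are placeholders, and the log lines are constructed to match the format quoted in the post.

```python
import re
from urllib.parse import urlencode
from xml.etree import ElementTree as ET

# HiveOS "ah auth" line format as quoted in the post. The sample lines below are
# constructed to match that format; they are not captured from a real network.
AUTH_RE = re.compile(
    r"ah auth: Station (?P<mac>[0-9a-f:]+) ip (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"username (?P<user>\S+) hostname (?P<host>.*?) OS (?P<os>.*)$"
)

SAMPLE_LOG = [
    "2013-04-01 14:06:05 info ah auth: Station 1cab:a7e6:cf7f ip 10.5.50.52 "
    "username astrong hostname Strong-iPad3-6 OS Apple iOS",
    # no username: the Kiwi script skips these and so do we
    "2013-04-01 14:06:09 info ah auth: Station 1cab:a7e6:cf80 ip 10.5.50.53 "
    "username n/a hostname guest-phone OS Android",
    # a username that would break a string-concatenated XML payload
    "2013-04-01 14:06:11 info ah auth: Station 1cab:a7e6:cf81 ip 10.5.50.54 "
    'username bob"/><x hostname evil OS Win',
    "2013-04-01 14:06:12 info ah dhcp: unrelated line",
]


def parse_auth_line(line):
    """Return the fields of one auth line, or None for non-auth lines and for
    lines without a real username (the 'n/a' case the VB script also skips)."""
    m = AUTH_RE.search(line)
    if m is None or m.group("user") == "n/a":
        return None
    return m.groupdict()


def mappings_from_log(lines):
    """Collect IP-to-user mappings from a batch of syslog lines."""
    return [f for f in map(parse_auth_line, lines) if f is not None]


def build_uid_message(mappings, domain, timeout_minutes=60):
    """Serialise the PAN-OS User-ID 'login' message. ElementTree escapes attribute
    values, so quotes and angle brackets from the log stay inert. A timeout is
    set because syslog gives no reliable logout event to expire the mapping."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for m in mappings:
        ET.SubElement(login, "entry", name=f"{domain}\\{m['user']}",
                      ip=m["ip"], timeout=str(timeout_minutes))
    return ET.tostring(root, encoding="unicode")


def build_request_body(api_key, mappings, domain):
    """Form body for POST https://<firewall-placeholder>/api/. Key and cmd go in
    the body rather than the URL so they are not written to proxy or web-server
    access logs."""
    return urlencode({"type": "user-id", "action": "set", "key": api_key,
                      "cmd": build_uid_message(mappings, domain)})
```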
kart0074

  • 9 Posts
  • 0 Reply Likes
Currently we have the Aerohive AP acting as the RADIUS server, which is why we tried to use the solution\script from above. We could get that to work, so we contacted Palo Alto and they suggested removing the RADIUS server from the AP and moving it to a Windows server, and then they said we could just run a User-ID agent on that box. So neither will work?
Nick Lowe, Official Rep

  • 2474 Posts
  • 446 Reply Likes
Neither will work properly. PaloAlto support are definitely incorrect about the agent.

The only agent that they have available is for domain joined machines only, which has nothing to do with RADIUS or 802.1X. It snoops the event log on domain controllers for logon and logoff events and uses that for identity purposes. (There is no support for BYOD, therefore.)

The script above should not be used for 802.1X as it is:

1) Security vulnerable where the EAPOL and EAP outer identity and not the EAP inner-identity is sent. (I do not know what the behaviour of the built-in RADIUS server is here as I have never used it. It is always vulnerable today with NPS. FreeRADIUS is vulnerable without configuration to return the inner-identity normalised in the User-Name attribute of an Access-Accept.)

2) Is always unreliable due to the design of the Syslog protocol, which has no acknowledgement and retry in the case of failure, so it's intrinsically fragile to packet loss, however it occurs. (Syslog is intended to be a debugging aid only.)

Nick
kart0074

  • 9 Posts
  • 0 Reply Likes
Sorry, I guess I should have said this. The only users we want to identify right now are domain users on our 802.1X SSID. Any options then? Thanks for the help. I have been looking everywhere to get some help on this.
Nick Lowe, Official Rep

  • 2474 Posts
  • 446 Reply Likes
You do have an option then. If all the clients are domain joined, just use the agent that PaloAlto have available, which should query your domain controllers to snoop their Event Log for domain logon and logoff events. (It will have nothing to do with your 802.1X SSID, however. You cannot be specific to that SSID only.)

Does that make sense? :)
kart0074

  • 9 Posts
  • 0 Reply Likes
Currently we have User-ID agents monitoring all of our domain controllers, but do not get the user ID information for the WiFi users. Yes, it does make sense that if working it wouldn't be able to determine what SSID it came from. All we should need is IP address to user name. Since the AP is configured as the RADIUS server, would that be messing up the logging on the DC?
Nick Lowe, Official Rep

  • 2474 Posts
  • 446 Reply Likes
No, RADIUS and 802.1X are unrelated to that scenario. Are you sure that your users are logging on interactively to the computer with their domain credentials and not local ones? (There may also be issues to do with them already being logged on when they connect to the network or cached credentials allowing login while disconnected etc.)
kart0074

  • 9 Posts
  • 0 Reply Likes
Yeah, I see what you are saying. Somewhere I am missing something though. They are logging in with their domain credentials. If we disable an account in AD it prevents them from accessing the WiFi. Looking through the event logs on the DC that we have our Aerohive pointed to, I don't see any logon events for WiFi users.
Nick Lowe, Official Rep

  • 2474 Posts
  • 446 Reply Likes
Yes, but are they logging on interactively via the Windows login screen on the computer (before getting a desktop) or merely using their domain credentials to access the wireless via 802.1X? The latter will not work as it will not appear in the event log. (It is that latter case that I am dealing with in my NPS extension.)
Roberto Casula, Champ

  • 231 Posts
  • 111 Reply Likes
There are several different options for the UserID agent. In addition to looking in the domain controllers' security event logs for logon/logoff events, you can configure periodic polling of the domain controllers' session tables which can catch users that logged on using cached credentials.

You also have the option of configuring the UserID agent to poll Exchange servers in much the same way that DCs are polled, which provides another method of catching user logons if you are Outlook/Exchange users.

In addition, you can configure client WMI polling which will perform WMI queries against the clients themselves to establish the identity of the logged in user (though this has scaling issues in large environments, causes additional network traffic and requires the clients' firewall to allow WMI connections).

If you are using Windows Vista or later, you can configure the SSID settings so that the user is authenticated to the wireless network during the workstation login process BEFORE the domain login occurs. This means the workstation will be connected to the network and the user will authenticate fully against AD at login rather than using cached credentials. The standard UID agent should then pick them up just like on the wired network.

This last option works well if your users are fully wireless. If they transition from wired to wireless (i.e. they logged on to the domain wired and then unplugged and went wireless while still logged on), any of the polling mechanisms will take a little while to map the user.

The RADIUS accounting option Nick has been looking at will address this. As per my earlier post, I have an SNMP trap-based integration which is more reliable than the PAN UserID agent method (for the reasons explained above), though there is a chance that the SNMP traps from the APs could be lost if your LAN/WAN are prone to packet loss. Still, it works very well in the networks where I have deployed it.

One other little gotcha. It's important to make sure that the subnet(s) your wireless clients are on are included in the UID agent include list for the appropriate firewall interface.
kart0074

  • 9 Posts
  • 0 Reply Likes
They are just using it to get on the SSID. They are coming in on phones and iPads mainly. So there is no way to do this then until the changes are made and your extension is working? Thanks again.
Roberto Casula, Champ

  • 231 Posts
  • 111 Reply Likes
If they are not member workstations then the PAN UserID agents will not help directly. You do have the option of the GlobalProtect app on the iPhone if you have the necessary licenses on the firewall, but a VPN via the firewall probably feels a little overkill for what you are trying to achieve.

As I say, my SNMP agent works in your scenario pretty well with the caveats above (more robust than the syslog method at least). A download link for you to try it out is provided in an earlier post. I'd be interested in your feedback - at the moment this is very much a beta thing and provided "as is". If it works for you, I can provide you with a longer eval license file to unlock it.
Nick Lowe, Official Rep

  • 2474 Posts
  • 446 Reply Likes
Roberto's approach is the best available today until we are able to get a RADIUS accounting based approach working.

I have a conference call with the NPS product team tomorrow to discuss the bug I want resolving as it is blocking a generic solution for 802.1X. I will update my blog post with any pertinent new information.
kart0074

  • 9 Posts
  • 0 Reply Likes
It looks like this will work for us. I am having an issue getting from the agent to the firewall. It tells me the user is not authorized to perform this function in the event log for the agent. I turned on debugging to view this info. Any thoughts? Also, we would like to get a license file. If you are selling this, let me know how much and how to pay you. Thanks.
Roberto Casula, Champ

  • 231 Posts
  • 111 Reply Likes
Hi there,

Did you follow the release notes to set up a specific user account in the firewall and use that account to obtain the API key? And have you enabled UserID access in the management profile (if using in-band) or global management port settings (if using OOB management)?

As I said in earlier posts, I was going to look at productising this, but I have a suspicion Aerohive will have their own solution in the future so not sure there's much point. I'll happily send you a license key that will allow the software to work unlimited for 60 days as a trial - can you provide an e-mail address?

Thanks,
Roberto
kart0074

  • 9 Posts
  • 0 Reply Likes
Yes, I did set up the user as instructed, and then I even gave it device admin rights just as a test. Still no luck. We are running on OS 5.0.4. My email is bberes@johnsonbank.com
kart0074

  • 9 Posts
  • 0 Reply Likes
OK, I got the user working. I am getting the user info to my firewall. I do have one last question when you email me the license. Thanks!
Nick Lowe, Official Rep

  • 2474 Posts
  • 446 Reply Likes
Have you validated that the built-in HiveOS RADIUS server is using the EAP inner-identity in its SNMP traps by configuring a supplicant with something that spoofs another legal user on your network in the anonymous EAPOL outer-identity?

(I have never tested this as I have always used external RADIUS servers such as NPS or FreeRADIUS.)
Roberto Casula, Champ

  • 231 Posts
  • 111 Reply Likes
Hi Nick,

From my testing, no the internal HiveOS RADIUS does not return the User-Name AVP to the client, so the only username you will see if using the internal RADIUS server will be the outer identity. In addition, when PEAP is configured as the authentication type, the outer identity is ignored from an authentication perspective so spoofing is trivially allowed. This looks like a feature request is needed.

With Microsoft NPS, I am aware there is an extension available (written originally for Eduroam) to get it to return the User-Name AVP to allow "proper" support for robust user identification even when identity privacy is used and that Aerohive now understand this AVP in the Access-Accept and use it for subsequent logging (so I suspect the SNMP trap will reflect this, but I haven't tested the extension yet).

From my testing though, if you are using NPS, aren't having to do a lot of proxying (ala Eduroam), are not concerned about SUPPORTING identity privacy and if you do not configure PEAP as an overridden authentication type in the Connection Request Policy, then the Network Policy will use the outer identity as the username for the actual authentication (for PEAP-EAP-TLS and PEAP-EAP-MSCHAP-V2); if a different outer identity is used, the authentication fails (both certificate and username/password).

So from a security perspective as far as accuracy of identity is concerned, it is the outer identity that has been verified. Obviously if you want to support identity privacy then you would need to configure NPS to support it (using a Connection Request Policy that implicitly specifies the EAP type) and you would need to use the extension to return the inner-identity to the AP.

I know you've done a lot more testing with this than I have, but does the above tally with your understanding?

Cheers,
Roberto
Nick Lowe, Official Rep

  • 2474 Posts
  • 446 Reply Likes
Hi Roberto,

I did not know the difference in behaviour where the CRP does not override the authentication. Thanks for mentioning this! As identity privacy is, in my opinion, a good thing this is not something that I would want to use or consider good practice.

One of the documented issues to be mindful of where you do not override is where NAP is used:
When you use NAP with 802.1X or VPN enforcement, you must configure settings in the connection request policy to override network policy authentication settings. If this setting is not enabled, NPS will deny network access requests by NAP client computers with the following reason: “The user attempted to use an authentication method that is not enabled on the matching network policy.” To fix this issue, configure connection request policy to override network policy authentication settings.
By returning the User-Name in the Access-Accept, you have the opportunity to normalise it to ensure it is always consistent.

Regards,

Nick
(Edited)
Nick Lowe, Official Rep

  • 2474 Posts
  • 446 Reply Likes
Release withdrawn for some updates.
Stefan van der Wal, Champ

  • 70 Posts
  • 24 Reply Likes
So, about the PAN Firewall integration. Is there any chance it's going to get simplified? I've seen some other vendors who manage to use an API and I must admit, it's a lot easier to sell to the customers than using syslog scraping. Would there be any future plans for this?
Stefan van der Wal, Champ

  • 70 Posts
  • 24 Reply Likes
Belay that last remark. PAN-OS 6 is able to receive Syslog messages. So now at least it's a direct line.
Roberto Casula, Champ

  • 231 Posts
  • 111 Reply Likes
Hi Stefan,

You're right, there is indeed now syslog parsing available in PAN-OS 6. There are some scaling issues (not to mention security and reliability) due to the sheer volume of syslog data produced by HiveOS.

This was the reason I wrote a robust agent based on SNMP rather than SYSLOG (see earlier in this thread). Written as a Windows service, fully configurable, multi-threaded and scalable up to very large deployments. Have you looked at this? I've got a number of customers using it and it's working very well for them...

Regards,
Roberto
Nick Lowe, Official Rep

  • 2474 Posts
  • 446 Reply Likes
Do you know if Aerohive return the inner identity in the User-Name AVP now when using the built-in RADIUS server? Or do we only see the EAP outer identity still?
Stefan van der Wal, Champ

  • 70 Posts
  • 24 Reply Likes
I am collaborating with a colleague who's an experienced PAN engineer. We'll try out every single method. I'll go through your method Roberto, it looks very interesting. I'll try and answer that question from you as well Nick.
Nick Lowe, Official Rep

  • 2474 Posts
  • 446 Reply Likes
It did not use to, but I'm just wondering if that has changed in 6.1r3. My approach using RADIUS accounting with NPS isn't yet viable in a general purpose sense because of: https://community.aerohive.com/aerohive/topics/use_the_framed_ip_address_avp_containing_a_clients_ip...
Stefan van der Wal, Champ

  • 70 Posts
  • 24 Reply Likes
Roberto, I'd like to compliment you on the windows service. I had a chance to try it out last week and it worked like a charm!
Dan Ware

  • 14 Posts
  • 2 Reply Likes
So I hear 6.6r1 has functional RADIUS accounting. Any new possibilities of direct HiveOS-PaloAlto integration?
Nick Lowe, Official Rep

  • 2474 Posts
  • 446 Reply Likes
Not in 6.6r1, particularly as there's an issue where the Acct-Multi-Session-Id may change or be missing from Accounting-Request packets in that release.
Dan Ware

  • 14 Posts
  • 2 Reply Likes
6.6r1b as well?
Nick Lowe, Official Rep

  • 2474 Posts
  • 446 Reply Likes
Yes. This area is now actively being worked on, just bide your time for a little longer.
HiveOS 6.5r3, incidentally, has more RADIUS fixes in it than 6.6r2 at present.
(Edited)
Will Rhodes

  • 45 Posts
  • 9 Reply Likes
I am very interested in a direct integration between PaloAlto and HiveOS as well. They are both fantastic products!
Nick Lowe, Official Rep

  • 2474 Posts
  • 446 Reply Likes
Hi Will,

We are all tentatively looking to the HiveOS release after 6.6r2 to get things working reliably against the feature branch for SSO purposes. HiveOS 6.6r2 has a few issues that make the accounting unreliable at the moment when it is used to drive a state machine, these are being worked on.

HiveOS 6.5r3, in the golden LTS branch, did not ship with a backport of the RADIUS behaviours/features of HiveOS 6.6r2, and itself came with other fixes that 6.6r2 did not contain.

Hopefully this will end up being viable against both branches even if/where different behaviour remains.

Cheers,

Nick
(Edited)
Matt Eggert

  • 1 Post
  • 0 Reply Likes
Is this pipe dream dead? We've been waiting for like 4 years for a fluid Aerohive/PA integration to work. I haven't seen any progress on the forefront. Our sales people like to keep telling us... it's coming, it's coming... but nowhere in sight from where I'm standing.
Dan Ware

  • 14 Posts
  • 2 Reply Likes
After waiting so long for a direct integration, I ended up switching to Windows NPS and running a powershell script on the authentication event as described in this blog:

http://halcoberry.blogspot.com/2015/0...


It works okay... Not all users get mapped all the time, but it's better than nothing!
(Edited)
Robert

  • 5 Posts
  • 2 Reply Likes
Is this script still usable?

I would like to integrate it also with my PA-220, but I get an error on line 64 which says xmlHttp.send.

I enabled the XML API for the user and generated the API key.
Dan Ware

  • 14 Posts
  • 2 Reply Likes
The script hasn't been working for me for a few months. I'm guessing it has something to do with a change in command formatting in either HiveOS or PanOS but I haven't had the time to look into it.
Robert

  • 5 Posts
  • 2 Reply Likes
Is there any other way then to integrate the 2 systems together? I would like to monitor my users in my Palo Alto.
Nick Lowe, Official Rep

  • 2474 Posts
  • 446 Reply Likes
Robert

  • 5 Posts
  • 2 Reply Likes
Thx for the information.

I found a solution without the use of a syslog server but directly to the UserID-agent. If people want a working solution i can post it here.
Will Rhodes

  • 43 Posts
  • 9 Reply Likes
Please do. I'm using syslog but would like to know what my options are.
Zach West

  • 1 Post
  • 0 Reply Likes
Can you please post your solution?  That would be most appreciated!
Robert

  • 5 Posts
  • 2 Reply Likes
My post is on  page 3 in a new reply.
Dan Ware

  • 14 Posts
  • 2 Reply Likes
I would like to see your solution Robert. I think it would be helpful for others in the future if you could share!  Thanks