The Palo Alto User-ID feature is awesome as long as you can feed it IP-to-User mappings. PAN provides agents to do this which work in many environments, but not usually without Active Directory. I wrote RadiUID to perform this function in situations where all you have is RADIUS.
UPDATE: RadiUID version 2.3.1 has been released and the content of this post has been updated with the new features and screenshots. RadiUID can be installed on a Linux OS, or downloaded as a prebuilt Docker image. Upgrade and Install instructions for both options can be found here
Approx Reading Time: 5-15 Minutes
You see, at its core, the User-ID system still performs firewalling based on IP address, but it uses ephemeral (dynamic and short lived) IP-to-User mappings to match user or group-based access-lists to IP packets. So in order to have a working User-ID system, you have to provide it with these mappings, which typically come from your identity management system (which interacts with user endpoints for authentication purposes). The identity management system of choice is, of course, Active Directory and most of the tools provided by Palo Alto for retrieving the IP-to-User mappings target Active Directory.
Well I ran into a problem with this recently. I have a customer which likes Palo Alto firewalls and the user-based filtering feature, but they have zero Active Directory. In fact, they have zero Microsoft infrastructure. Instead they use a cloud-based directory service which provides a LDAP and RADIUS interface for their endpoints. They use wireless for almost all endpoints which utilizes 802.1X authentication against this cloud service, but there is nowhere in the system to source the IP-to-User mappings for the Palo Alto system. Except perhaps the RADIUS protocol itself…
Anybody who has used RADIUS has probably seen the option on authenticators (wireless systems, VPN concentrators, etc) for sending RADIUS accounting information to a server for logging and tracking purposes. I have often seen this feature go unused on the authenticators, but the RADIUS accounting information has exactly the information I need for the Palo Alto User-ID system.
After a few late nights and some hacking at Python to get it to do what I want, I got a working solution. And after a little more testing and polishing, it can be easily installed and used by anybody. For your consideration: RadiUID.
RadiUID is a Linux-based application which runs as a background service and was built to take everyday RADIUS accounting information generated by RADIUS authenticators like wireless systems, firewalls, etc (which contain username and IP info) and send that ephemeral IP and username mapping info to a Palo Alto firewall to be used by the User-ID system for user or group-based access-list filtering.
RadiUID uses FreeRADIUS as a backend service to listen on RADIUS accounting ports (typically TCPUDP 1813) and write received accounting information to accounting logs.
RadiUID then parses these logs, pulls down the User and IP mapping information and pushes those mappings to the Palo Alto firewall using the published RESTful XML API.
In the interest of keeping this article terse and useful to somebody just wanting to get it setup and running: here are the requirements and the 5-minute install/setup steps.
OS: Any modern RHEL/ Debian distro (CentOS6, CentOS7, Ubuntu14, and Ubuntu17 have been validated) or Docker
Interpreter: Python 2.7.5 (Also works on Python 2.6.6 and up)
PAN-OS Version: 6.X or 7.X
RadiUID has been tested in few environments to date as it was purpose-built for a specific environment, but it should be very adaptable as it uses standardized RADIUS accounting to source user information and the published API to push that info to firewalls.
It has currently been tested with the following RADIUS servers and authenticators:
Identity Systems: JumpCloud RADIUS service, Windows 2012 NPS Server (with Active Directory)
Authenticators: Meraki Wireless Access Points, Cisco Wireless (Controller-based), Ruckus Zonedirector
30-Second Docker Install Instructions
From the Docker host, download and run the image in interactive mode. There are two image options: 1: RadiUID + SSH, or 2: RadiUID only. If you prefer to have SSH access directly to the container running RadiUID without having to access the Docker host, then you want option 1; if you would rather access the RadiUID command line through Docker, then you want option 2.
Option 1 (RadiUID + SSH): >
docker run -it -p 1813:1813/udp -p 1813:1813/tcp -p 222:22/tcp --name radiuid -t packetsar/radiuid-ssh:latest
Option 2 (RadiUID Only): >
docker run -it -p 1813:1813/udp -p 1813:1813/tcp --name RADIUID -t packetsar/radiuid:latest
- If you ran the image with SSH: The default SSH username and password is root/radiuid. Run the command
passwd rootto change the SSH password.
- The command above to run the container with SSH publishes the SSH service on TCP port 222. You will need to connect to that port with your SSH client to get access to the container.
- To exit interactive mode with the container from Docker without stopping the container, the key stroke is CTRL+P, then CTRL+Q.
Once attached to/logged into the new container, run the command
radiuid show config set to see the default configuration.
radiuid clear target all command to delete the default firewall target configurations, then use the
radiuid set target (parameters) command to configure the application with your Palo Alto target firewall paramaters.
radiuid set client (parameters) command to configure FreeRADIUS to accept RADIUS accounting data from your RADIUS authenticators.
Once configuration is complete, run the
radiuid service all restart to restart the services so the new configuration takes effect.
Take a look at your logs using the
radiuid show log command to see what the application is doing.
5-Minute OS Install Instructions
Install OS with appropriate IP and OS settings and update to latest patches. Check out the CentOS Minimal Server – Post-Install Setup and the Ubuntu Server – Post Install Setup for help with some of the post-OS-install configuration steps
Install the Git client (unless you already have the files)
sudo yum install git -y
Download the RadiUID repo to any location on the box
git clone https://github.com/PackeTsar/radiuid.git
Change to the directory where the RadiUID main code file (radiuid.py) and config file (radiuid.conf) are stored
(OPTIONAL) Change to a development branch (perform this step only if you are prepared for a version which is under active development and may have broken features)
git checkout devX.X.X
Run the RadiUID program in install mode to perform the install of the service
—-NOTE: Make sure that you have the .conf file in the same directory as the .py directory for the initial install
sudo python radiuid.py install
Follow the on-screen prompts to install FreeRADIUS and the RadiUID service
The installer should let you know if everything installed correctly and services are running.
Using native Linux commands to view log files, clear logs, restart services, etc can be a pain with all the paths to remember, binaries to use…..blah.
I was getting sick of typing out long and repetitive commands to administrate RadiUID, so I wrote a simple command interpreter which gives you short and easy commands to use for regular administration of the service.
You can use the TAB key to help with typing in commands and it will utilize the Auto-Complete feature which is new in version 2. Also, you can hit ENTER after typing in different parts of commands to see the available options at that point.
The Munge Engine
The Munge Engine is new in version 2.2.0 and is a rule-based string processor which is used in RadiUID to filter and process User-IDs based on rules you configure. The munge rule-set is broken down into rules and steps which are processed based on the numerical ordering you assign to them.
Below is a sample ‘munge’ configuration in RadiUID which will have the effect of finding User-ID’s with a double backslash and rebuilding that User-ID with only a single backslash, then it will match any User-ID with the term ‘vendor’ in it and prevent it from being passed out of the engine and into the Palo Alto.
NOTE: The double-backslash in the
101.0 match statement is represented by a quad-backslash because BASH recognizes the backslash character as an escape. You will always need to use a double-backslash to represent a single-backslash. You also should always wrap your regular expressions in quotes when entering them.
radiuid set munge 101.0 match "\\\\" partial
radiuid set munge 101.10 set-variable domain from-match "^[a-zA-Z0-9]+"
radiuid set munge 101.20 set-variable user from-match "[a-zA-Z0-9]+$"
radiuid set munge 101.30 set-variable slash from-string "\\"
radiuid set munge 101.40 assemble domain slash user
radiuid set munge 102.0 match "vendor" partial
radiuid set munge 102.10 discard
Below is an output of the
radiuid request munge-test "somedomain.comsomeuser" debug
command which can be used to test a munge rule-set and see the steps taken by the engine to process a given input.
New in v2.3.X
- RadiUID is now available as a Docker image on Docker Hub. Small code changes were made to allow RadiUID to recognize when it is being run in a container and to be able to stop, start, and restart services while the container is running.
If you would like to help out by contributing code or reporting issues, please do!
Visit the GitHub page (https://github.com/PackeTsar/radiuid) and report an issue, request a feature, or fork the project, commit some changes, and submit a pull request.
If you are reading this, then you have probably read this entire post and possibly even installed the app. If you did, please let me know what you think! And please let me know if you find bugs or have suggestions for feature additions. Or better yet, contribute some code to the project. This project was born of necessity and I doubt I am the only one out there with this particular problem.