The Palo Alto User-ID feature is awesome as long as you can feed it IP-to-User mappings. PAN provides agents to do this which work in many environments, but not usually without Active Directory. I wrote RadiUID to perform this function in situations where all you have is RADIUS.
UPDATE: RadiUID version 2.3.1 has been released and the content of this post has been updated with the new features and screenshots. RadiUID can be installed on a Linux OS, or downloaded as a prebuilt Docker image. Upgrade and Install instructions for both options can be found here
You see, at its core, the User-ID system still performs firewalling based on IP address, but it uses ephemeral (dynamic and short lived) IP-to-User mappings to match user or group-based access-lists to IP packets. So in order to have a working User-ID system, you have to provide it with these mappings, which typically come from your identity management system (which interacts with user endpoints for authentication purposes). The identity management system of choice is, of course, Active Directory and most of the tools provided by Palo Alto for retrieving the IP-to-User mappings target Active Directory.
The Problem
Well I ran into a problem with this recently. I have a customer which likes Palo Alto firewalls and the user-based filtering feature, but they have zero Active Directory. In fact, they have zero Microsoft infrastructure. Instead they use a cloud-based directory service which provides a LDAP and RADIUS interface for their endpoints. They use wireless for almost all endpoints which utilizes 802.1X authentication against this cloud service, but there is nowhere in the system to source the IP-to-User mappings for the Palo Alto system. Except perhaps the RADIUS protocol itself…
The Solution
Anybody who has used RADIUS has probably seen the option on authenticators (wireless systems, VPN concentrators, etc) for sending RADIUS accounting information to a server for logging and tracking purposes. I have often seen this feature go unused on the authenticators, but the RADIUS accounting information has exactly the information I need for the Palo Alto User-ID system.
After a few late nights and some hacking at Python to get it to do what I want, I got a working solution. And after a little more testing and polishing, it can be easily installed and used by anybody. For your consideration: RadiUID.
RadiUID
RadiUID is a Linux-based application which runs as a background service and was built to take everyday RADIUS accounting information generated by RADIUS authenticators like wireless systems, firewalls, etc (which contain username and IP info) and send that ephemeral IP and username mapping info to a Palo Alto firewall to be used by the User-ID system for user or group-based access-list filtering.
RadiUID uses FreeRADIUS as a backend service to listen on the RADIUS accounting port (typically TCP/UDP 1813) and write received accounting information to accounting logs.
RadiUID then parses these logs, pulls down the User and IP mapping information and pushes those mappings to the Palo Alto firewall using the published RESTful XML API.
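As an added illustration of the pipeline just described (example code, not RadiUID's own), the script below parses FreeRADIUS detail-file accounting records and builds the PAN-OS User-ID XML API document from them. It assumes the detail-file layout that appears later in the comments, that Framed-IP-Address carries the client address, and that Stop records should become logouts; posting the document to the firewall is left to the reader's HTTP client.

```python
import re
from xml.etree import ElementTree as ET

# Constructed sample of a FreeRADIUS "detail" accounting file (not a real capture):
# records are separated by blank lines, each starting with an unindented date line
# followed by indented "Attribute = value" lines, like the radacct log in the comments.
SAMPLE_DETAIL = """\
Mon Oct  9 14:07:34 2017
\tAcct-Session-Id = "59D7FE11-00000025"
\tAcct-Status-Type = Start
\tUser-Name = "first.last"
\tNAS-IP-Address = 172.25.55.6
\tFramed-IP-Address = 10.20.30.40
\tCalling-Station-Id = "84-41-67-00-00-01"
\tTimestamp = 1507572454

Mon Oct  9 14:12:02 2017
\tAcct-Session-Id = "59D7FE11-00000026"
\tAcct-Status-Type = Stop
\tUser-Name = "jane.doe"
\tFramed-IP-Address = 10.20.30.41
\tTimestamp = 1507572722

Mon Oct  9 14:12:05 2017
\tAcct-Session-Id = "59D7FE11-00000027"
\tAcct-Status-Type = Start
\tUser-Name = "no.ip.user"
\tTimestamp = 1507572725
"""

ATTR_RE = re.compile(r'^\s+([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$')


def parse_detail(text):
    """Split a detail file into a list of {attribute: value} dicts, one per record."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():              # a blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        m = ATTR_RE.match(line)           # the unindented date line does not match
        if m:
            key, value = m.groups()
            current[key] = value.strip('"')
    if current:
        records.append(current)
    return records


def to_mappings(records, default_domain=None):
    """Turn accounting records into (action, user, ip) tuples.

    Assumed policy: Start and Interim-Update refresh a login, Stop becomes a logout
    (the behaviour requested in the comments and added in v2.4.0); a record with no
    Framed-IP-Address is skipped because there is nothing to map the user to.
    """
    mappings = []
    for rec in records:
        user, ip, status = rec.get('User-Name'), rec.get('Framed-IP-Address'), rec.get('Acct-Status-Type')
        if not (user and ip and status):
            continue
        if default_domain and '\\' not in user:   # prefix a bare username with the default domain
            user = default_domain + '\\' + user
        mappings.append(('logout' if status == 'Stop' else 'login', user, ip))
    return mappings


def build_uid_message(mappings, timeout=60):
    """Build the PAN-OS User-ID XML API <uid-message> document for a batch of mappings."""
    root = ET.Element('uid-message')
    ET.SubElement(root, 'version').text = '1.0'
    ET.SubElement(root, 'type').text = 'update'
    payload = ET.SubElement(root, 'payload')
    login, logout = ET.SubElement(payload, 'login'), ET.SubElement(payload, 'logout')
    for action, user, ip in mappings:
        if action == 'login':
            ET.SubElement(login, 'entry', name=user, ip=ip, timeout=str(timeout))
        else:
            ET.SubElement(logout, 'entry', name=user, ip=ip)
    return ET.tostring(root, encoding='unicode')


def batches(mappings, size):
    """Yield fixed-size batches; send each as an HTTP POST to /api/?type=user-id
    instead of one huge GET URL (the 414 Request-URI Too Large problem in the comments)."""
    for i in range(0, len(mappings), size):
        yield mappings[i:i + size]


if __name__ == '__main__':
    for batch in batches(to_mappings(parse_detail(SAMPLE_DETAIL), default_domain='corp'), 100):
        print(build_uid_message(batch))
```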
In the interest of keeping this article terse and useful to somebody just wanting to get it set up and running, here are the requirements and the 5-minute install/setup steps.
Requirements
OS: Any modern RHEL/Debian distro (CentOS6, CentOS7, Ubuntu14, and Ubuntu17 have been validated) or Docker
Interpreter: Python 2.7.5 (Also works on Python 2.6.6 and up)
PAN-OS Version: 6.X or 7.X
Tested Environments
RadiUID has been tested in a few environments to date, as it was purpose-built for a specific environment, but it should be very adaptable as it uses standardized RADIUS accounting to source user information and the published API to push that info to firewalls.
It has currently been tested with the following RADIUS servers and authenticators:
Identity Systems: JumpCloud RADIUS service, Windows 2012 NPS Server (with Active Directory)
Authenticators: Meraki Wireless Access Points, Cisco Wireless (Controller-based), Ruckus Zonedirector
30-Second Docker Install Instructions
From the Docker host, download and run the image in interactive mode. There are two image options: 1: RadiUID + SSH, or 2: RadiUID only. If you prefer to have SSH access directly to the container running RadiUID without having to access the Docker host, then you want option 1; if you would rather access the RadiUID command line through Docker, then you want option 2.
Option 1 (RadiUID + SSH): >docker run -it -p 1813:1813/udp -p 1813:1813/tcp -p 222:22/tcp --name radiuid -t packetsar/radiuid-ssh:latest
Option 2 (RadiUID Only): >docker run -it -p 1813:1813/udp -p 1813:1813/tcp --name RADIUID -t packetsar/radiuid:latest
- If you ran the image with SSH: the default SSH username and password is root/radiuid. Run the command passwd root to change the SSH password.
- The command above to run the container with SSH publishes the SSH service on TCP port 222. You will need to connect to that port with your SSH client to get access to the container.
- To exit interactive mode with the container from Docker without stopping the container, the key stroke is CTRL+P, then CTRL+Q.
Once attached to/logged into the new container, run the command radiuid show config set to see the default configuration.
Run the radiuid clear target all command to delete the default firewall target configurations, then use the radiuid set target (parameters) command to configure the application with your Palo Alto target firewall parameters.
Run the radiuid set client (parameters) command to configure FreeRADIUS to accept RADIUS accounting data from your RADIUS authenticators.
Once configuration is complete, run radiuid service all restart to restart the services so the new configuration takes effect.
Take a look at your logs using the radiuid show log command to see what the application is doing.
5-Minute OS Install Instructions
Install OS with appropriate IP and OS settings and update to latest patches. Check out the CentOS Minimal Server – Post-Install Setup and the Ubuntu Server – Post Install Setup for help with some of the post-OS-install configuration steps
Install the Git client (unless you already have the files)
>sudo yum install git -y
Download the RadiUID repo to any location on the box
>git clone https://github.com/PackeTsar/radiuid.git
Change to the directory where the RadiUID main code file (radiuid.py) and config file (radiuid.conf) are stored
>cd radiuid
(OPTIONAL) Change to a development branch (perform this step only if you are prepared for a version which is under active development and may have broken features)
>git checkout devX.X.X
Run the RadiUID program in install mode to perform the install of the service
NOTE: Make sure that the .conf file is in the same directory as the .py file for the initial install
>sudo python radiuid.py install
Follow the on-screen prompts to install FreeRADIUS and the RadiUID service
The installer should let you know if everything installed correctly and services are running.
Command Interface
Using native Linux commands to view log files, clear logs, restart services, etc. can be a pain with all the paths to remember, binaries to use… blah.
I was getting sick of typing out long and repetitive commands to administrate RadiUID, so I wrote a simple command interpreter which gives you short and easy commands to use for regular administration of the service.
You can use the TAB key to help with typing in commands and it will utilize the Auto-Complete feature which is new in version 2. Also, you can hit ENTER after typing in different parts of commands to see the available options at that point.
The Munge Engine
The Munge Engine is new in version 2.2.0 and is a rule-based string processor which is used in RadiUID to filter and process User-IDs based on rules you configure. The munge rule-set is broken down into rules and steps which are processed based on the numerical ordering you assign to them.
Below is a sample ‘munge’ configuration in RadiUID which will have the effect of finding User-IDs with a double backslash and rebuilding each User-ID with only a single backslash; then it will match any User-ID with the term ‘vendor’ in it and prevent it from being passed out of the engine and into the Palo Alto.
NOTE: The double-backslash in the 101.0 match statement is represented by a quad-backslash because BASH recognizes the backslash character as an escape. You will always need to use a double-backslash to represent a single-backslash. You also should always wrap your regular expressions in quotes when entering them.
radiuid set munge 101.0 match "\\\\" partial
radiuid set munge 101.10 set-variable domain from-match "^[a-zA-Z0-9]+"
radiuid set munge 101.20 set-variable user from-match "[a-zA-Z0-9]+$"
radiuid set munge 101.30 set-variable slash from-string "\\"
radiuid set munge 101.40 assemble domain slash user
radiuid set munge 102.0 match "vendor" partial
radiuid set munge 102.10 discard
Below is the output of the radiuid request munge-test "somedomain.comsomeuser" debug command, which can be used to test a munge rule-set and see the steps taken by the engine to process a given input.
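To make the rule semantics concrete, here is an added Python re-implementation of the munge engine (example code, not RadiUID's own) that parses the CLI lines above with shell quoting rules and traces each step the way munge-test debug does. It assumes: rules run in numerical order, a rule's match step (partial = regex search, complete = full match) gates that rule, from-match stores the first regex match, later rules see the already-munged value, discard drops the User-ID and stops, and accept stops processing.

```python
import re
import shlex

# The sample rule-set from the post, as the CLI lines you would type (constructed here
# as Python raw strings so the backslashes reach shlex exactly as bash would see them).
SAMPLE_RULES = [
    r'radiuid set munge 101.0 match "\\\\" partial',
    r'radiuid set munge 101.10 set-variable domain from-match "^[a-zA-Z0-9]+"',
    r'radiuid set munge 101.20 set-variable user from-match "[a-zA-Z0-9]+$"',
    r'radiuid set munge 101.30 set-variable slash from-string "\\"',
    r'radiuid set munge 101.40 assemble domain slash user',
    r'radiuid set munge 102.0 match "vendor" partial',
    r'radiuid set munge 102.10 discard',
]


def parse_rule_lines(lines):
    """Parse 'radiuid set munge <rule>.<step> <action> [args...]' lines into
    [(rule_number, [step_tokens, ...]), ...] ordered by rule and step number.
    shlex in POSIX mode applies the same quoting as bash: "\\\\" becomes \\ and "\\" becomes \."""
    rules = {}
    for line in lines:
        tokens = shlex.split(line)
        if tokens[:3] != ['radiuid', 'set', 'munge']:
            raise ValueError('not a munge line: ' + line)
        rule_num, step_num = (int(part) for part in tokens[3].split('.'))
        rules.setdefault(rule_num, []).append((step_num, tokens[4:]))
    return [(num, [tok for _, tok in sorted(steps, key=lambda s: s[0])])
            for num, steps in sorted(rules.items())]


def munge(user_id, rules, trace=None):
    """Run the rules over one User-ID. Returns the munged User-ID, or None if discarded.
    Pass a list as trace to collect a debug log like 'radiuid request munge-test ... debug'."""
    log = trace if trace is not None else []
    current = user_id
    for number, steps in rules:
        variables = {}
        for step in steps:
            action, args = step[0], step[1:]
            if action == 'match':
                pattern, mode = args
                hit = re.fullmatch(pattern, current) if mode == 'complete' else re.search(pattern, current)
                log.append('rule %d: match %r %s on %r -> %s' % (number, pattern, mode, current, bool(hit)))
                if not hit:
                    break                       # rule does not apply; go to the next rule
            elif action == 'set-variable':
                name, source, value = args
                if source == 'from-match':      # assumed: first regex match, empty if none
                    m = re.search(value, current)
                    variables[name] = m.group(0) if m else ''
                else:                           # from-string: literal value
                    variables[name] = value
                log.append('rule %d: %s = %r' % (number, name, variables[name]))
            elif action == 'assemble':
                current = ''.join(variables.get(v, '') for v in args)
                log.append('rule %d: assembled %r' % (number, current))
            elif action == 'discard':
                log.append('rule %d: discard -> User-ID dropped' % number)
                return None
            elif action == 'accept':
                log.append('rule %d: accept -> stop processing' % number)
                return current
            else:
                raise ValueError('unknown munge action: ' + action)
    return current


if __name__ == '__main__':
    rules = parse_rule_lines(SAMPLE_RULES)
    for uid in ['somedomain.com\\\\someuser', 'vendor\\\\guest', 'plainuser']:
        trace = []
        print(uid, '->', munge(uid, rules, trace))
        for line in trace:
            print('   ', line)
```

Note that the post's domain regex ^[a-zA-Z0-9]+ stops at the first dot, so somedomain.com\\someuser comes out of rule 101 as somedomain\someuser.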
New in v2.3.X
Added Features
- RadiUID is now available as a Docker image on Docker Hub. Small code changes were made to allow RadiUID to recognize when it is being run in a container and to be able to stop, start, and restart services while the container is running.
Contribute
If you would like to help out by contributing code or reporting issues, please do!
Visit the GitHub page (https://github.com/PackeTsar/radiuid) and report an issue, request a feature, or fork the project, commit some changes, and submit a pull request.
Final Thoughts
If you are reading this, then you have probably read this entire post and possibly even installed the app. If you did, please let me know what you think! And please let me know if you find bugs or have suggestions for feature additions. Or better yet, contribute some code to the project. This project was born of necessity and I doubt I am the only one out there with this particular problem.
I’ve had a few people ask me about the potential of leveraging radius accounting logs for Palo Alto Networks UserID. This is fantastic work!
Hey John,
thanks for the post, really good to see how we can leverage APIs to achieve things the “business” has not (yet) provided us with.
Haven’t used it myself, but I believe the Palo Alto’s can also run regex type expressions over live log files to identify usernames and IP addresses.
yea they can. I believe that is how they can integrate with Cisco’s ISE. But unfortunately most syslogs from supplicants don’t contain the necessary information.
This is great! I was looking for a tool to do just this a couple of weeks before this article was published! One problem, I am using a PA-200 which has no concept of vsys, so when radiuid tries to connect to the API, it fails as the firewall doesn’t understand the :vsys# in the url – I presume I can edit the radiuid.py file to remove the references to vsys, but not sure where I need to do this – can you give me any pointers?
Thanks!
Hey Dan! That’s an interesting problem. Yea you can edit the file to fix it, but I would rather write a bug fix into the app to make it easy for somebody in the future to use. I’ll shoot you an email so we can work on a fix.
Dan it looks like your email address isn’t working. Hit me up on Twitter (@packetsar).
Have done so! I also had an issue when installing onto a Raspberry Pi that the freeradius service on that version of Linux is named freeradius, rather than radiusd. Again I tweaked the radiuid.py file to change a couple of references to the service name so it would go past that stage; not sure if this would affect things down the line at all.
Hi John,
Thanks for this extremely useful tool!
We are using this in an environment with a couple of thousand wireless users but in our busy times after about 108 client updates we are getting the error:
Something may have gone wrong in push to 10.xxx.xxx.xxx:vsys1
…
414 Request-URI Too Large
I saw in the Palo Alto XML API technical documentation that they say: “When the API request is 2K or longer, you should use HTTP POST instead of GET to avoid errors from the webserver.”
I wonder if this is relevant to this issue?
Kind Regards,
Ian
Thanks Ian! I actually wrote a fix a while back to split up the requests when there are a lot of users in the request. I may just need to adjust the numbers for that. I am writing a bunch of fixes and getting ready to release v2.1.0 right now. I will add this big fix into that release. It should be out in a day or two.
https://github.com/PackeTsar/radiuid/issues/17
Ian – I just released v2.1.0 today which should fix this issue as well as expose some new features. See the link below.
https://github.com/PackeTsar/radiuid/releases/tag/2.1.0
Hi John,
Thanks for your quick response! We will give the new version a go and let you know how it works.
Cheers,
Ian
Hi John,
Looks like the new version fixes the issue – thanks for that!
Cheers,
Ian
This is really useful thank you. I only have one issue. Mobile clients seem to be working well, however any windows devices are logging as domain\\username. Is there any way to strip this?
Thanks for your help.
So RadiUID is pushing mappings to the Palo Alto with two backslashes?
Thanks for your reply John. Yes, it works OK from a mobile device: they are received by FreeRADIUS as username and pushed to the Palo Alto as domain\username. However, Windows devices are received by FreeRADIUS as domain\\username and pushed to the Palo Alto as domain\domain\\username.
Thanks Again, appreciate it.
Yea I think I can write in something to filter that. Would it make sense to put another value in the config file? Something like ‘userfilter’ and you can specify your own regular expression which will parse all the usernames passing through?
yes, I think that would probably work OK. Thanks
OK. I am working on a feature that should solve this for you. I should have something ready in a few days. If you can, hit me up on twitter and I’ll send you a development release to test before I finalize and publish it.
No problems, happy to take a look for you. Have sent you a twitter message.
Adam – The new version of RadiUID should have a good solution for this issue. You can build munge rules which will match, process, and reconstruct User-ID’s which have double-backslashes on the fly. The example rule-set at the below link should do what you need. Let me know if you have any issues with this.
https://github.com/PackeTsar/radiuid#the-munge-engine
Hello John,
How can I troubleshoot the ‘Directory /var/log/freeradius/radacct/ is currently empty’ error message? Brand new install on Ubuntu 16.04 – followed the step-by-step guide.
Have confirmed (using tcpdump) accounting messages are definitely reaching the server.
A few things here:
(1) – RadiUID naturally consumes log files from that folder and discards them, so it is normal to see that directory as empty if RadiUID is running in the background and processing those log files. Do a “radiuid show log” to see if accounting logs are being processed and UIDs being sent to the Palo Alto. If you see no activity, then check a few other things.
(2) – Do a “radiuid show status” to see if the RadiUID and FreeRADIUS services are currently running. If not, start them up with a “radiuid service all start”.
(3) – Check that you have configured FreeRADIUS with the appropriate IP block and shared RADIUS secret using the “radiuid set client” commands. Remember to restart all services after you modify any configs using “radiuid service all restart”
How embarrassing – user error, my apologies.
When I was changing the accounting server on the Ruckus Zone Director, Chrome was overwriting the secret key with the password of the management interface and I did not notice. Now that I have put in the correct secret key, User-IDs are flying in!
Thank you for all your work, it’s an amazing tool to say the least.
Good to hear!
Hi John,
Thanks for the useful tools. Could you please advise about the timing and accounting stop action as below?
1. Can we tune the RadiUID accounting log manipulation time to be faster than 10 seconds? e.g. 5 seconds
2. Can we tune RadiUID to ignore accounting logs with the stop action? Right now it treats an accounting stop the same as an accounting start, so when it gets a RADIUS stop it sends the user mapping to the firewall again, which extends the user timeout while the user has stopped using the system. It would be better if it treated the accounting stop action as a trigger for a logout action to the firewall instead of a login.
BZ – Yes both of those can be done. Give me a couple days and I’ll write in a fix to make those functions configurable.
I opened a couple issues in the repo for this
https://github.com/PackeTsar/radiuid/issues/25
https://github.com/PackeTsar/radiuid/issues/26
BZ – RadiUID v2.4.0 is out and has the features you were talking about along with some others. Check it out.
https://github.com/PackeTsar/radiuid/releases/tag/2.4.0
Hi John,
Thanks for your great product! I am trying to use munge to remove a trailing domain from the username because we are using certificate authentication so the username is hardcoded in the certificate as the full username. The munge “test” works but as soon as the munge parameters are added it no longer sends any API to the firewall… This is what we are using:
radiuid set munge 101.0 match “unwanteddomain.com” partial
radiuid set munge 101.10 set-variable domain from-string “correctdomain”
radiuid set munge 101.20 set-variable user from-match “([^@]+)”
radiuid set munge 101.30 set-variable slash from-string “\\”
radiuid set munge 101.40 assemble domain slash user
The regular expression basically removes everything from the @ onwards in order for us to match just the username. This is correct when testing for both [email protected] and [email protected] getting converted to correctdomain\username.
I see entries in the logs saying that munge is leaving some entries alone and others it is changing correctly but nothing gets sent via API. As soon as I remove the munge rules it sends the API once again. We have tried with and without the ‘accept’ parameter as rule 101.50 which I am not sure if I should be using or not because there is some conflicting information.
System is a freshly built Ubuntu 16.04. Any help would be much appreciated.
Marcus – Your config looks good. Are you restarting the service (“radiuid service radiuid restart”) after configuring munge? If that doesn’t work, send me an email ([email protected]) with the logging output.
I found a major bug in the v2.4.0 code which caused a crash when munge rules are present in the config. It has been fixed in v2.4.1 which I just released today. Upgrade your system to 2.4.1 and let me know if that fixes the issue.
Upgrade Instructions: https://github.com/PackeTsar/radiuid#upgrade-processes
Hi John,
I did the upgrade to 2.4.1 and I am now having some even more strange results. In the logs, since the time of the upgrade, there has been nothing reported but at the same time we did actually see the mappings appear on the firewall correctly but in the format of domain\domain\user.
To fix this I removed the default domain from the config, which left it up to the munge engine to reconstruct the domain\user correctly. This unfortunately then broke the second SSID, which was already getting the usernames in just the ‘username’ format. I’ve adapted the munge config to fix this but I now have an even stranger issue…
Since removing the default domain from the radiuid config, nothing appears to happen at all. In the logs it simply repeats “No Accounting Logs Found. Nothing to Do.” despite there being constant radius accounting being sent. I am wondering if I broke something during the upgrade (or maybe the crash is still happening). I might blow away the installation and start with a fresh 2.4.1 and see if that makes a difference.
For interest of anyone else, here is the updated munge config:
radiuid set munge 101.0 match “unwanteddomain.com” partial
radiuid set munge 101.10 set-variable domain from-string “domain”
radiuid set munge 101.20 set-variable user from-match “([^@]+)”
radiuid set munge 101.30 set-variable slash from-string “\\”
radiuid set munge 101.40 assemble domain slash user
radiuid set munge 101.50 accept
radiuid set munge 102.0 match “.*” complete
radiuid set munge 102.10 set-variable user from-match “.*”
radiuid set munge 102.20 set-variable domain from-string “domain”
radiuid set munge 102.30 set-variable slash from-string “\\”
radiuid set munge 102.40 assemble domain slash user
Usernames come through in 2 formats ‘username’ and ‘[email protected]’. The first half of the script strips the unwanted domain.com and adds domain\ at the beginning. The second half of the script matches all other usernames and adds the domain to the beginning. The 101.50 accept entry must be included or a username will be processed twice and end up with 2 domains attached.
Regards,
Marcus
Marcus – Try stopping the RadiUID service (radiuid service radiuid stop) and use the “radiuid run” command to run the app interactively and see the live output.
Hi John,
It appears to start without issue. I am going to explore the possibility that there is no radius accounting being sent from the RADIUS client.
Marcus
Sounds good. Just make sure you have an IP block configured for RADIUS clients (radiuid set client) and make sure to restart services after making changes.
Hi John,
Just wondering if you’ve been able to test this with PAN-OS 8.0+?
PAN-OS 8 introduced some changes to the User ID features:
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os-release-notes/pan-os-8-0-release-information/cli-and-xml-api-changes-in-pan-os-8-0
We are testing PAN version 8.0.3 at the moment and the basic functionality of RadiUID appears to be OK. We will do a full test tomorrow and I’ll let you know if we find anything that is broken.
Cheers,
Ian
Ian – I have not tested it myself, but I have word from a few users in the field who are successfully using RadiUID with PAN-OS 8.
Thanks John.
We have been running on v8.03 for a week now and can confirm it is working fine.
Cheers,
Ian
Hi John,
When using a ‘discard’ munge rule, should that prevent whatever is matched from being evaluated from the subsequent rules? In the instructions it reads like it should be processed no further but in practice it looks like it does.
Thanks heaps,
Marcus
Marcus – The discard action in munge removes the user-id and prevents it from being sent to the PAN. It is a way to match a user-id and block it completely.
The “accept” action is the one which stops further rule processing and sends the user-id through as it is after previous rules/steps have been processed.
Hi John,
That is what I suspected, but if I have multiple rules and the rule matches the first rule which is set to ‘discard’, it will then keep processing it and match a later rule.
I have a munge debug for you if you like?
Regards,
Marcus
Yes please send over the “show config set” and the munge debug.
You can DM me on Twitter (@packetsar)
This munge issue should be fixed in v2.4.2. See the below link for details on the bug.
https://github.com/PackeTsar/radiuid/issues/30
Hi John,
I just wanted to do a sanity check. Any reason that the FreeRADIUS included/installed with RadiUID couldn’t be used as a full blown RADIUS server? You mention using FreeRADIUS for accounting, but no mention of it being capable of authentication and authorization. I doubt you have any hand in disabling or limiting the capabilities of the included FreeRADIUS, but I just wanted to get confirmation. Is there any customization you’ve made to FreeRADIUS, any changes to the default FreeRADIUS installation that we should be aware of?
Also, are you aware of any deployments of RadiUID with Ubiquiti UniFi Controller authenticators?
Lastly, I’m going to attempt at making this work on a Raspberry Pi 3. I noticed one mention of the FreeRADIUS service name being different in the RPi deployment of FreeRADIUS. I’ll keep you updated and I hope we can find a fix should it become an issue.
Thanks for all your hard work.
Andre
Hey Andre,
Yes you should be able to use the FreeRADIUS install as a full blown server. The only modifications made to FreeRADIUS by RadiUID is the adding of RADIUS clients to the client list file. This is done when you configure RadiUID RADIUS clients using the “radiuid set client X.X.X.X/X somepassword” command. You can see the modifications made to the client list file using the command “radiuid show clients file” and edit it manually with “radiuid edit clients”, but in reality, it is just a config file in the FreeRADIUS directories.
I don’t recall anybody using Ubiquiti, but if it is a standard RADIUS speaker, then it should be OK.
I know of one user who got this running on a Raspberry Pi. The last I heard it was working well. RadiUID should be able to detect and adapt to different service names on different platforms. Let me know if you have any issues.
Hi,
have two questions
1- I have a Ubiquiti controller and AP that uses WPA-EAP with MS NPS… I configured my AP to send accounting info to RADIUID but it always says no accounting logs, while I can see tcpdump and /var/log/radius/radacct data.
2- How do I send MS NPS server 2012 R2 accounting data to RADIUID?
Note: we use AD in the 2012 R2
here is tcpdump
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
14:07:33.650748 IP 172.25.55.6.32787 > localhost.localdomain.radius-acct: RADIUS, Accounting-Request (4), id: 0xa2 length: 228
14:07:34.728106 IP 172.25.55.6.32787 > localhost.localdomain.radius-acct: RADIUS, Accounting-Request (4), id: 0xae length: 210
here is RADIUID
2017-10-09 14:07:17: ********************SUCCESSFULLY INITIALIZED THE FOLLOWING FIREWALLS********************
2017-10-09 14:07:17: 1: 172.25.55.1:vsys1
2017-10-09 14:07:17: *******************************************CONFIG FILE SETTINGS INITIALIZED*******************************************
2017-10-09 14:07:17: ***********************************RADIUID SERVER STARTING WITH INITIALIZED VARIABLES…******************************
2017-10-09 14:07:17: No Accounting Logs Found. Nothing to Do.
2017-10-09 14:07:27: No Accounting Logs Found. Nothing to Do.
2017-10-09 14:07:37: No Accounting Logs Found. Nothing to Do.
2017-10-09 14:07:47: No Accounting Logs Found. Nothing to Do.
2017-10-09 14:07:57: No Accounting Logs Found. Nothing to Do.
2017-10-09 14:08:07: No Accounting Logs Found. Nothing to Do.
2017-10-09 14:08:17: No Accounting Logs Found. Nothing to Do.
2017-10-09 14:08:27: No Accounting Logs Found. Nothing to Do.
here is var/log/radius/radacct
Mon Oct 9 14:07:34 2017
Acct-Session-Id = “59D7FE11-00000025”
Acct-Status-Type = Start
Acct-Authentic = RADIUS
User-Name = “first.last”
NAS-IP-Address = 172.25.55.6
NAS-Identifier = “44d9e7xxxxxx”
NAS-Port = 0
Called-Station-Id = “44-D9-E7-x-x-x:myssid”
Calling-Station-Id = “84-41-67-x-x-x”
NAS-Port-Type = Wireless-802.11
Connect-Info = “CONNECT 0Mbps 802.11b”
Class = 0x498404f60000013700010200ac19370400000000000000000000000001d3350d22a4725a0000000000001ff3
Event-Timestamp = “Oct 9 2017 14:07:34 EDT”
Tmp-String-9 = “ai:”
Acct-Unique-Session-Id = “893d421344d482fe967d33bb7e64aa33”
Timestamp = 1507572454
Mike – have you configured the clients in RadiUID? You need to configure client IP blocks (radiuid set client…) with a pre-shared key for RADIUS message authentication. You also need to set that key on the Ubiquiti controller when configuring the RADIUS accounting server (which points to RadiUID).
I saw that too (path wrong, there is no uninstalled folder):
radiuid show acct-logs
2017-10-10 12:47:36: ##### COMMAND ‘show acct-logs’ ISSUED FROM CLI BY USER ‘root’ #####
########################## FILES IN DIRECTORY /var/log/uninstalled/radacct/ ##########################
######################################################################################################
***** Directory /var/log/uninstalled/radacct/ is currently empty *****
######################################################################################################
######################################################################################################
never mind, I just ran the radiuid install and typed all the information again, then it started working
THANKS
no framed IP in accounting packet from Unifi UAP 🙁
Have you looked at the Accounting logs to see if the clients IP is being reported with a different key?
yes, it is not there. I contacted UBNT about it and they released new firmware that sends Framed-IP, but not for my hardware.
My controller has a 1x_identity column that shows domain username with IP address.
Looks like I need to write a script to get this data (JSON format), add it to XML and send it to the firewalls. I’m not that good at scripting but I will try.
Many thanks for helping me on that!
I did that. If it is wrong or misconfigured, will /var/log/radius/radacct get any data if it is configured wrong or not configured at all?
below is in client.conf
client 172.25.55.6 {
secret = 123456789
shortname = Created_By_RadiUID
[[email protected] raddb]# radiuid show clients
2017-10-10 11:39:30: ##### COMMAND ‘show clients’ ISSUED FROM CLI BY USER ‘root’ #####
########################## CURRENT FREERADIUS RADIUS CLIENTS ##########################
#######################################################################################
#######################################
# IP Block | Shared Secret #
#=====================================#
#
| client 172.25.55.6 { #
#######################################
Success!
#######################################################################################
#######################################################################################
Does this solution require the Authenticator, i.e. VPN gateway, to send RADIUS auth to the Identity server (i.e. Duo Auth Proxy, first IP) on tcp port 1812 and accounting to the RadiUID server (second IP) on tcp port 1813? What if I can configure only one RADIUS server for auth and accounting on the VPN gateway?
Yes you will need to send RADIUS accounting data to RadiUID. If your authenticator doesn’t have an option for a separate accounting server, then can you forward accounting logs on the authentication server?
I am not in charge of the auth server, but will certainly try it. Appreciate your prompt answer
Hello,
I have a question prior to installing RadiUID. In my scenario there is Cisco WLC and wireless users are being authenticated against Active Directory through Microsoft NPS server.
For this case, is there a Windows version of RadiUID that I can install on the MS NPS server? If not I will install RadiUID on a separate server, but what will be forwarded to this server? Radius accounting on the authenticator (Cisco WLC in this case) or accounting logs on NPS? Or which one do you recommend?
Thanks,
Gokhan
There is no Windows version of RadiUID. It runs on Linux only. The WLC will be the authenticator which will send RADIUS accounting messages to RadiUID. NPS will only act as the authentication server but will have no direct interaction with RadiUID.
Thank you for your answer. Do RADIUS accounting messages include the domain name information? I can also get syslog from the WLC but in my scenario there are 2 domains and the users are not unique in these domains, therefore I need to ensure that I also get the domain information (WLC authentication logs only include username, not domain information, therefore syslog is not an option). I hope RadiUID will solve this problem, right?
Regards,
Gokhan
Excellent work on this, any ideas if it will work with the Palo Alto User-ID Agent instead of directly with a firewall ?
Most User-ID deployments I have run into utilize a user-id Agent … and more recently panorama as a user-id agent.
That would be a game changer for many folks out there…
Cheers
Sean
Hi John,
I’m trying to figure out why sometimes the usernames map as the actual names and other times they map as hex
Username: f099b6xxx
Hey Dan! So I have never seen usernames come through as hex. Have you looked at the logs to see if RadiUID really is just seeing hex?
It doesn’t look like enough digits from your example but is that actually the MAC address of a client?
Hi, how do I use RadiUID with Windows NPS?