cesanetwan edited this page Mar 24, 2015 · 8 revisions

Catholic Education South Australia User-Identification RADIUS Script: PowerShell Edition

What it is

The User-Identification RADIUS Script, developed by the CESANet Core Networks team, addresses the problem of seamlessly passing 802.1x authentication details from Windows NPS servers to Palo Alto firewalls, allowing sites to implement their BYOD and similar strategies with little effort. The initial versions of the script were written in Visual Basic Script to allow maximum compatibility with the variety of Windows Server versions that exist throughout our system. Windows Server 2012, however, introduced a set of DHCP cmdlets in PowerShell that greatly simplify querying DHCP for a client's IP address. This gave significant performance improvements in our testing, so a production PowerShell version of the script was fleshed out, supporting only Windows Server 2012.

How it works

When a user authenticates to an 802.1x network, events are triggered on the Windows NPS server. These events record the username and physical (MAC) address of the authenticating client, but unfortunately do not contain the IP address assigned to the client through DHCP, which the firewall requires for its user-to-IP mapping. Furthermore, the WMI polling performed by the Palo Alto devices does not track such events, leading to situations in which technologies such as captive portal must be used to authenticate users to the Palo Alto devices and apply the appropriate policies. The script, triggered on every successful 802.1x authentication event, takes the known details (username and physical address), resolves the physical address into an IP address against the existing DHCP leases, builds the corresponding User-ID mapping request, and sends it to the firewall via the device's XML API.

Prerequisites

  • At least one Windows Server 2012 server running NPS
  • As a convention, the script should be stored in a DFS share for replication purposes, i.e. %domainname%\scripts\
  • The script needs to be configured to trigger on Windows Event 6272
  • The User-ID timeout set in the Palo Alto User-ID Agent must be less than the session timeout on the wireless controller
  • The task must be configured to run under the designated sync account for the content filter at the site
  • This account must be granted the "Log on as a service" and "Log on as a batch job" rights, full permissions to read, write and modify the installation directory of the Palo Alto User-ID Agent, and must also be a member of the "DHCP Users" built-in group in Active Directory
  • UIDConfig.xml must be present in the installation directory of the Palo Alto User-ID Agent, customised to the site's configuration as per the samples in this repository
  • The Microsoft.Powershell.Management module must be installed and callable from the user account executing the script

Installation

Modify UIDConfig.xml to fit your site's configuration. A brief rundown of the various attributes follows:

wlc - the address of the Wireless LAN Controller (WLC) at your site. This attribute is used by legacy instances, in which the NPS accounting log on the server was queried and filtered by originating WLC.

Domain - the Windows domain the script is being implemented for. To ensure users are mapped in a consistent format, the script prefixes every username with this domain.

LogPath - the log location for your NPS accounting details (default: C:\Windows\System32\LogFiles). This is used by the legacy feature of querying NPS accounting logs.

LogFormat - the format the NPS logs are in, or DHCP to query DHCP for the mapping information instead. Valid values are DTS, IAS and DHCP.

AgentServer - the server the Palo Alto User-ID Agent is installed on, if you are using a software agent.

AgentPort - the port the Palo Alto User-ID Agent is listening on, if you are using a software agent.

Debug - a flag that writes basic debugging information to the install path for troubleshooting purposes, with varying levels of verbosity. Valid values are 0 (no debugging), 1 (basic debugging) and 2 (verbose debugging).

DHCPServer - the hostname of a DHCP server to run queries against. Multiple DHCPServer entries can be defined if required. If DHCP runs on the same server as NPS, put the NPS server's hostname here.

Key - the API key used when passing User-ID events to the firewall. Details on how to generate these are here. If you are not posting directly to the firewall, leave this as "Key".

VSYS - the virtual system the mapping is for. For large multi-tenanted systems this should be set appropriately; for single virtual system deployments it should remain "vsys1".

Agent - whether or not your site uses the Palo Alto User-ID Agent software. If set to 1, the script posts to the AgentServer and AgentPort above; otherwise it posts to the PostAddr below.

Timeout - the timeout for mappings posted through this script. This should be less than the session timeout on your Wireless LAN Controller.

PostAddr - the API address of the firewall. If you are using the CESANet XMLAPI Proxy product, designed to reduce CPU load on the firewall, use the address of that deployment; otherwise use the API address of the firewall. Important: this value must always end in a '/'; failing to do so will cause errors.

Proxy - if you are using the aforementioned XMLAPI Proxy product, set this to 1; otherwise leave it as 0.

Multipass - in some instances the NPS 802.1x authentication event triggers the script before DHCP has granted the client a lease. If this is occurring, setting this flag to 1 makes the script do two passes over DHCP per execution, ensuring this momentary delay does not result in a 'missed' mapping. If this is not a problem, leave it as 0.
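The following is an added example, not the CESANet uid-radius-script.ps1 itself, showing the core flow described above in PowerShell: take the username and MAC that the scheduled task extracts from the 6272 event, resolve the MAC to an IP with the Server 2012 DHCP cmdlets (honouring Multipass), and post a User-ID login mapping to the firewall XML API. It assumes the UIDConfig.xml field names listed above (Domain, DHCPServer, Key, VSYS, Timeout, PostAddr, Multipass), the direct-to-firewall path (Agent=0, Proxy=0), and that the task passes the two event values as arguments.

```powershell
# Added example (not the CESANet script): NPS 6272 username + MAC -> DHCP lease -> User-ID mapping.
# Assumes the UIDConfig.xml fields described on this page and the direct-to-firewall path
# (Agent=0, Proxy=0); PostAddr is the firewall's API address and must end in '/'.
param(
    [Parameter(Mandatory)][string]$UserName,    # passed by the task's ValueQueries
    [Parameter(Mandatory)][string]$MacAddress,  # Client MAC Address from the event
    [string]$ConfigPath = 'C:\Program Files (x86)\Palo Alto Networks\User-ID Agent\UIDConfig.xml'
)
Import-Module DhcpServer
$cfg = ([xml](Get-Content -Path $ConfigPath)).DocumentElement

# DHCP stores ClientId as "aa-bb-cc-dd-ee-ff"; NPS may log "AA-BB-CC-DD-EE-FF" or "AABBCCDDEEFF"
$hex = ($MacAddress -replace '[^0-9A-Fa-f]', '').ToLower()
if ($hex.Length -ne 12) { throw "Unexpected MAC format: $MacAddress" }
$clientId = (0..5 | ForEach-Object { $hex.Substring(2 * $_, 2) }) -join '-'

function Find-LeaseIp {
    # Search every scope on every configured DHCP server for an active lease for this MAC
    foreach ($server in @($cfg.DHCPServer)) {
        foreach ($scope in Get-DhcpServerv4Scope -ComputerName $server) {
            $lease = Get-DhcpServerv4Lease -ComputerName $server -ScopeId $scope.ScopeId |
                Where-Object { $_.ClientId -eq $clientId -and $_.AddressState -like 'Active*' } |
                Select-Object -First 1
            if ($lease) { return $lease.IPAddress.IPAddressToString }
        }
    }
}
# Multipass=1: the 6272 event can fire before the lease exists, so retry once after a pause
$ip = Find-LeaseIp
if (-not $ip -and $cfg.Multipass -eq '1') { Start-Sleep -Seconds 5; $ip = Find-LeaseIp }
if (-not $ip) { Write-Warning "No active lease for $clientId; mapping skipped"; exit 1 }

# Normalise "DOMAIN\user" or "user@realm" to the bare account, then prefix the configured Domain
$bare = $UserName
if ($bare.Contains('\')) { $bare = $bare.Split('\')[-1] }
if ($bare.Contains('@')) { $bare = $bare.Split('@')[0] }
$user = [System.Security.SecurityElement]::Escape("$($cfg.Domain)\$bare")

# User-ID XML API login message; Timeout is in minutes and must stay below the WLC session timeout
$cmd = "<uid-message><version>1.0</version><type>update</type><payload><login>" +
       "<entry name=`"$user`" ip=`"$ip`" timeout=`"$($cfg.Timeout)`"/>" +
       "</login></payload></uid-message>"

# Key, vsys and cmd are sent as form fields with type=user-id; the firewall answers with XML
$resp = Invoke-RestMethod -Uri $cfg.PostAddr -Method Post -Body @{
    type = 'user-id'; key = $cfg.Key; vsys = $cfg.VSYS; cmd = $cmd
}
if ($resp.response.status -ne 'success') { throw "Firewall rejected mapping: $($resp.OuterXml)" }
```

Run it as the content filter sync account (a member of "DHCP Users") so the DHCP queries succeed, and keep the firewall API key readable only by that account.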

  1. Place your modified UIDConfig.xml in C:\Program Files (x86)\Palo Alto Networks\User-ID Agent\
  2. Place uid-radius-script.ps1 in your site's DFS share (%domainname%\scripts).
  3. Create a scheduled task that triggers on Windows Event 6272 (the easiest way is to find a 6272 event in the Windows Event Viewer, right-click it and select "Attach Task to Event").
  4. Once created, open the properties of the task and set it to run under the content filter sync account at your site, with highest privileges, whether the user is logged on or not, and to queue new instances if called concurrently.
  5. Export the task to XML.
  6. Edit the task's XML to reflect the example XML (User-ID Script.xml) in this repository, particularly the ValueQueries, Command and Arguments attributes.
  7. Delete the original task and import the modified XML.
  8. Ensure your ExecutionPolicy on the server allows execution of unsigned scripts. For more details see here.
  9. Enable the task.
  10. You should then see 802.1x authenticated users appearing in the User-ID Agent.

Support

Should you experience any difficulty with the above, or have any queries/site specific issues, please contact the CESANet WAN Support Team, who will be happy to provide assistance in this matter.