Palo Alto User-ID agent and Eduroam freeradius for seamless user authentication

Inosha Priyashantha
4 min read · Feb 25, 2023


The basic components of the environment

Palo Alto User-ID Agent is a software component of Palo Alto Networks’ security platform that helps identify and manage network users and their activities. It works by collecting user information from various sources, such as Active Directory, LDAP servers, and other authentication services, and associating that information with IP addresses and network activity logs.

By using User-ID, network administrators can gain visibility into user behavior, track user activity, and apply security policies based on user identity, rather than just on IP addresses or devices. This approach helps organizations improve their security posture by reducing the risk of unauthorized access, data breaches, and other security threats.

In summary, Palo Alto User-ID Agent is an essential component of the Palo Alto Networks security platform that provides granular visibility into user activity and enables administrators to apply security policies based on user identity, rather than just IP addresses or devices.

Palo Alto User-ID Agent
https://www.paloguard.com.au/User-ID.asp

Eduroam is a global federation of academic and research institutions that provides secure and seamless wireless network access to their users. FreeRADIUS is an open-source RADIUS server that is widely used for providing authentication, authorization, and accounting services for network access.

Eduroam uses FreeRADIUS to authenticate its users and manage their network access. Each participating institution runs a FreeRADIUS server that communicates with other FreeRADIUS servers in the Eduroam federation. When a user from one institution visits another participating institution, their credentials are authenticated by the FreeRADIUS server at the visited institution, which communicates with the user’s home institution’s FreeRADIUS server to verify the user’s credentials.

FreeRADIUS can be configured to use various authentication methods, including usernames and passwords, EAP-TTLS, EAP-PEAP, and EAP-TLS. These authentication methods provide secure authentication over wireless networks, making it possible for Eduroam users to access resources and services at other institutions securely.

In summary, Eduroam uses FreeRADIUS as its backend authentication and authorization system to provide secure and seamless wireless network access to users across different academic and research institutions.

eduroam-infrastructure
Sanchez, Manuel & Millán, Gabriel & Cánovas, Óscar & Skarmeta, Antonio. (1970). Bootstrapping a Global SSO from Network Access Control Mechanisms. 170–180. 10.1007/978-3-540-73408-6_12.

Planned steps

  1. Configure the RADIUS server for accounting and logging
  2. Configure syslog to forward the accounting information to the Palo Alto gateways
  3. Configure the Palo Alto Networks firewall to use the User-ID agent as a syslog listener, so the accounting stream becomes the source of user identity for security policies

FreeRADIUS server configuration (steps 1 & 2)

Enable detailed accounting

vim sites-enabled/eduroam

accounting {
    # detail
    # the linelog instance defined in mods-enabled/linelog
    log_accounting
}

vim mods-enabled/linelog

linelog log_accounting {
    filename = ${logdir}/linelog-accounting
    # the file carries usernames and client IPs; rsyslog's user still has to be able to read it (imfile, below)
    permissions = 644
    # used only if the "reference" expansion below fails
    format = ""
    # select the line by Acct-Status-Type (Start, Stop, ...); without this reference the
    # Accounting-Request block is never consulted and nothing is written to the file
    reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"

    # many wireless controllers only learn the client IP after the Start packet; if
    # FramedIPAddress is empty in the Connect lines, log Interim-Update as well
    Accounting-Request {
        Start = "Connect UserName %{User-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} FramedIPAddress %{Framed-IP-Address} )"
        Stop = "Disconnect UserName %{User-Name} (did %{Called-Station-Id} cli %{Calling-Station-Id} port %{NAS-Port} FramedIPAddress %{Framed-IP-Address} ) %{Acct-Session-Time} seconds"
    }
}
Restart FreeRADIUS and check the logs

systemctl restart freeradius
tail -f /var/log/freeradius/linelog-accounting
tail -f /var/log/syslog    # /var/log/messages on RHEL-family systems

rsyslog - syslog forwarder

vim /etc/rsyslog.d/freeradius-acc.conf

# load imfile first, then define the input that follows the linelog file and
# turns every new line into a syslog message tagged RADIUS-ACC
module(load="imfile" mode="inotify")
input(type="imfile"
      File="/var/log/freeradius/linelog-accounting"
      Tag="RADIUS-ACC"
      Severity="info"
      Facility="local3")

# forward to both firewalls over UDP/514 (@ is UDP, @@ would be TCP); *.* sends every
# message this host logs, local3.* would restrict the forwarding to the accounting lines
*.* @FW-1-IP:514
*.* @FW-2-IP:514

vim /etc/rsyslog.conf

# provides UDP syslog reception (only needed if this host must itself receive
# syslog over UDP; forwarding alone does not require it)
module(load="imudp")
input(type="imudp" port="514")

Configure User-ID as syslog listener

Select Network > Zones, click the name of the zone on which the syslog packets arrive, enable User Identification and click OK. The receiving interface must also permit User-ID Syslog Listener-UDP (in its Interface Management Profile, or in the management interface settings when syslog is sent to the management port).

Check from the PAN-OS CLI that the syslog packets actually reach the firewall (192.168.70.50 is the FreeRADIUS/rsyslog host):

in an SSH session:
admin@GW1-pa5220> tcpdump filter "src 192.168.70.50 and port 514"

in a second SSH session:
admin@GW1-pa5220> view-pcap follow yes mgmt-pcap mgmt.pcap

Step 3

Creating a Syslog Parse Profile to identify users and IPs (Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup > Syslog Filters). Each profile takes an Event Regex, a Username Regex and an Address Regex, in that order below.

for connect:

(RADIUS-ACC\ Connect){1}
UserName\s([a-zA-Z0-9\\\._-]+@[a-zA-Z0-9\\\._-]+)
FramedIPAddress\s([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})

for disconnect (the event regex has to match the case of the linelog Stop string, which writes "Disconnect"):

(RADIUS-ACC\ Disconnect){1}
UserName\s([a-zA-Z0-9\\\._-]+@[a-zA-Z0-9\\\._-]+)
FramedIPAddress\s([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})


NB:
1. UserName\s([a-zA-Z0-9\\\._-]+) = captures only the username (the character class stops at the @).
2. UserName\s([a-zA-Z0-9\\\._-]+@[a-zA-Z0-9\\\._-]+) = captures the full user@realm string.
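To test the three parse-profile regexes against realistic lines before committing them on the firewall, here is an added example (not part of the original post) that applies the Connect/Disconnect patterns to a few constructed syslog lines and replays them into the ip-to-user table the listener would hold; the hostname, realms, MAC addresses and IPs in the sample are invented.

```python
import re

# Constructed sample of what rsyslog forwards from linelog-accounting (tag
# RADIUS-ACC, then the Start/Stop line); host, realms, MACs and IPs are made up.
SAMPLE_SYSLOG = """\
Feb 25 10:01:02 radius RADIUS-ACC Connect UserName alice@example.edu (did AA-BB-CC-DD-EE-FF:eduroam cli 11-22-33-44-55-66 port 5 FramedIPAddress 10.20.30.40 )
Feb 25 10:01:05 radius RADIUS-ACC Connect UserName bob.smith@partner.ac.uk (did AA-BB-CC-DD-EE-FF:eduroam cli 66-55-44-33-22-11 port 6 FramedIPAddress 10.20.30.41 )
Feb 25 10:45:10 radius RADIUS-ACC Disconnect UserName alice@example.edu (did AA-BB-CC-DD-EE-FF:eduroam cli 11-22-33-44-55-66 port 5 FramedIPAddress 10.20.30.40 ) 2648 seconds
"""

# The parse-profile patterns, unchanged: event marker, username, Framed IP.
CONNECT = re.compile(r"(RADIUS-ACC\ Connect){1}")
DISCONNECT = re.compile(r"(RADIUS-ACC\ Disconnect){1}")
USER_FULL = re.compile(r"UserName\s([a-zA-Z0-9\\\._-]+@[a-zA-Z0-9\\\._-]+)")
USER_ONLY = re.compile(r"UserName\s([a-zA-Z0-9\\\._-]+)")  # stops at the '@'
ADDR = re.compile(r"FramedIPAddress\s([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})")


def parse_event(line, user_regex=USER_FULL):
    """Return (event, user, ip) for one forwarded line, or None if it is not
    a complete Connect/Disconnect record (e.g. a line from another daemon)."""
    if CONNECT.search(line):
        event = "Connect"
    elif DISCONNECT.search(line):
        event = "Disconnect"
    else:
        return None
    user, addr = user_regex.search(line), ADDR.search(line)
    if not (user and addr):
        return None
    return event, user.group(1), addr.group(1)


def replay_mappings(text, user_regex=USER_FULL):
    """Replay the accounting stream in order and return the ip -> user table
    the listener would hold: Connect adds a mapping, Disconnect removes it."""
    mapping = {}
    for line in text.splitlines():
        parsed = parse_event(line, user_regex)
        if parsed is None:
            continue
        event, user, ip = parsed
        if event == "Connect":
            mapping[ip] = user
        else:
            mapping.pop(ip, None)
    return mapping


if __name__ == "__main__":
    print([parse_event(l) for l in SAMPLE_SYSLOG.splitlines()])
    print(replay_mappings(SAMPLE_SYSLOG))
```

Swap in USER_ONLY to see the effect of the username-only regex from the NB above; a line that only matches the event regex but carries no FramedIPAddress yields no mapping, which is exactly what happens on the firewall when the NAS omits the client IP from the Start packet.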

Finally, add a User-ID Monitored Server (Device > User Identification > User Mapping > Server Monitoring) of type Syslog Sender with the IP of the syslog sender, selecting the parse profiles from step 3 as its filter.

check… check… check…

in an SSH session:
admin@GW1-pa5220> show user ip-user-mapping all type SYSLOG
admin@GW1-pa5220> show user ip-user-mapping ip <ip_address>
