A month or so ago through a bit of digging I discovered this gem on packetpushers. http://packetpushers.net/radiuid/
As you may be aware, PAN offers a variety of agents and methods for mapping users to IP addresses: agents, WMI scraping, or filtering syslog. What you may or may not be aware of is that PAN has published a RESTful XML API for pushing User-ID mappings to their agents and their firewalls.
Why is this useful, and why do I care?
This is particularly useful in environments where you’d like to track users who are authenticating to your wireless network using either PEAP or TLS. The wireless controller has visibility of the authenticated user as well as the IP address, as the access point sits in line. The majority of wireless vendors support exporting this information via RADIUS accounting. RadiUID has two components: a RADIUS accounting server (via FreeRADIUS) and a Python script that scrapes the accounting logs and pushes the relevant fields to the PAN.
Full documentation on how to install this tool is available via the link to John W Kerns' blog on the packetpushers website. I have just documented the change I made in the configuration file to get this to work with Ruckus.
This is tested on my home PAN appliance 7.1 and home ZoneDirector running 9.8 (I’m lazy and it works).
Installed FreeRADIUS via the install script.
Installed RadiUID. Run through the settings via the conf file.
Configured firewall user-id user.
Run the script and configure your RADIUS sources/clients.
Configure your ZoneDirector to send accounting to your new accounting server and apply to WLAN profile.
Create your radiUID user on your PAN.
Initially I thought this was going well until I started to test with my wireless client. I logged in and immediately saw that the RadiUID server was conking out.
I identified that the service was crashing only when accounting information was being received, so it was probably due to the information that it had gathered to be scraped.
I noticed the fields that we are interested in are: Framed-IP-Address, User-Name, and Acct-Authentic. The last field is of interest as this is our delineatorterm, i.e. it needs to be unique.
So I fired up Wireshark, as packets never lie.
tcpdump -i ens160 port 1813 -v
I decided to use Accounting Session ID as my delineatorterm as this was unique with RADIUS accounting requests. I replaced spaces with dashes (-).
Jump onto the PAN CLI and do a show user ip-user-mapping all
We have lift off. Stupidly placed my FQDN instead of my short domain name... But I’m not rewriting this!
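The scrape-and-map step described above, reduced to its core as an added example (not RadiUID's code and not from the original post): it parses FreeRADIUS detail-file records, keeps only those that carry the delimiter attribute plus User-Name and a valid Framed-IP-Address, and builds a User-ID XML API login payload. The sample records, the EXAMPLE domain and the timeout value of 60 are constructed assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET
# Constructed FreeRADIUS detail-file records (not captured Ruckus output).
SAMPLE_DETAIL = """\
Mon Jan  1 12:00:00 2018
\tAcct-Session-Id = "5A4A2C10-00000001"
\tUser-Name = "alice"
\tFramed-IP-Address = 192.168.1.50

Mon Jan  1 12:00:05 2018
\tAcct-Session-Id = "5A4A2C15-00000002"
\tUser-Name = "bob"

Mon Jan  1 12:00:09 2018
\tAcct-Session-Id = "5A4A2C19-00000003"
\tUser-Name = "j&smith"
\tFramed-IP-Address = 192.168.1.77
"""

def parse_records(text):  # yields one attribute dict per blank-line-separated record
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines()[1:]:  # first line is the timestamp header
            name, sep, value = line.strip().partition(" = ")
            if sep:
                attrs[name] = value.strip('"')
        yield attrs

def extract_mappings(text, delimiter="Acct-Session-Id"):  # returns (user, ip) pairs
    mappings = []
    for attrs in parse_records(text):
        user, ip = attrs.get("User-Name"), attrs.get("Framed-IP-Address")
        if delimiter not in attrs or not user or not ip:
            continue  # incomplete record: skip it instead of crashing
        try:
            ipaddress.ip_address(ip)  # reject anything that is not an IP literal
        except ValueError:
            continue
        mappings.append((user, ip))
    return mappings

def build_uid_message(mappings, domain="EXAMPLE", timeout=60):  # assumed defaults
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for user, ip in mappings:  # ElementTree XML-escapes the attribute values
        ET.SubElement(login, "entry", name=f"{domain}\\{user}", ip=ip, timeout=str(timeout))
    return ET.tostring(root, encoding="unicode")
```

A delimiter attribute that the controller never sends produces no mappings at all, so it is worth confirming the attribute names in a capture before settling on one.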