Meraki AP Syslog to Palo Alto firewall for User ID

March 2, 2016 at 7:04 pm

I recently got a Meraki AP as a demo unit. Using Palo Alto’s Syslog listener, you can get user-id info from these units, if you are doing 802.1X authentication.

Just follow the instructions here, with some adjustments…

Navigate to the Device tab, User Identification menu item, then the User Mapping tab. There, select the gear icon, and on the following pop-up screen, select Syslog Filters.
Add a new filter, with these properties:
Profile Name: Meraki AP v1.0.0
Type: Regex Identifier
Event Regex: 8021x_eap_success
Username Regex: identity='([a-zA-Z0-9\\\._]+)
Address Regex: client_ip='([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})

Then, use your newly created filter for your Syslog Listener.

In my experience, it looks like the Meraki only logs authentication events every so often. Perhaps it is caching them? At any rate, set the Cache timeout value to something greater than the default 45 minutes. I set mine to 480, though this may need tuning, depending on the environment.

Also, be aware that the first time you authenticate after setting this up, you’ll probably show up in the ip-user-mapping with no IP address. That’s because when you initially authenticate, the first Syslog message from the Meraki shows an IP of 0.0.0.0. Subsequent authentication attempts have your IP address in them. Not sure how this works out in the long term.
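To see how the filter behaves before pointing the listener at it, here is an added example (not part of the original post, and not Palo Alto or Meraki code) that applies the three regexes above to sample lines. The log lines are constructed and only the 8021x_eap_success, identity= and client_ip= fields come from the post; the evaluate function and its status names are hypothetical. It also flags two cases the regexes accept silently: the 0.0.0.0 address described above, and an identity cut short at a character outside the username character class.

```python
import ipaddress
import re

# The three filter patterns exactly as given in the post.
EVENT_RE = re.compile(r"8021x_eap_success")
USER_RE = re.compile(r"identity='([a-zA-Z0-9\\\._]+)")
ADDR_RE = re.compile(r"client_ip='([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})")

# Constructed sample lines; the overall layout is an assumption.
SAMPLES = [
    r"<134>1 AP1 events type=8021x_eap_success client_ip='0.0.0.0' identity='CORP\jdoe'",
    r"<134>1 AP1 events type=8021x_eap_success client_ip='10.20.30.40' identity='CORP\jdoe'",
    r"<134>1 AP1 events type=8021x_eap_success client_ip='10.20.30.41' identity='jane-doe'",
    r"<134>1 AP1 events type=association client_ip='10.20.30.42' identity='CORP\jdoe'",
]

def evaluate(line):
    """Return (status, user, ip); status is 'map' only for a usable mapping."""
    if not EVENT_RE.search(line):
        return ("no-event", None, None)
    user_m, addr_m = USER_RE.search(line), ADDR_RE.search(line)
    if not user_m or not addr_m:
        return ("no-match", None, None)
    user, ip = user_m.group(1), addr_m.group(1)
    # The capture stopped before the closing quote: the identity holds a
    # character outside the class (such as '-' or '@') and was truncated,
    # so the mapping would be recorded under the wrong username.
    if line[user_m.end(1):user_m.end(1) + 1] != "'":
        return ("truncated-user", user, ip)
    try:
        addr = ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError:
        return ("bad-ip", user, ip)  # e.g. an octet above 255
    if addr.is_unspecified:
        return ("unspecified-ip", user, ip)  # first-authentication 0.0.0.0 case
    return ("map", user, ip)

if __name__ == "__main__":
    for sample in SAMPLES:
        print(evaluate(sample))
```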

I wouldn’t say this is quite production ready, but it is definitely worth playing with, if you happen to have both a PA firewall and a Meraki AP.

Entry filed under: Networking.
