
Palo Alto Networks Firewall Integration with Aruba controller / Aruba Instant AP for User-Identification (User-ID) feature

Posted on 04-07-2015 09:31 AM

Environment - This article applies to Aruba OS and Aruba Instant OS.


Answer - The User-Identification (User-ID) feature of the Palo Alto Networks (PAN) firewall lets network administrators configure and enforce firewall policies based on users and user groups. User-ID identifies a user on the network by the IP address of the device the user is logged into, and policy can additionally be applied based on the type of device the user connects with. Because the Aruba controller already holds the network and user information for every client, it is the natural source of IP-to-user mappings for the User-ID feature on the PAN firewall.

For the User-ID feature to work, the username must be in the format DOMAIN\USERNAME, because the PAN firewall's user/group mapping only understands DOMAIN\USERNAME.
If the username arrives as username or username@domain.com, PAN will not be able to resolve the user's group membership, and any group-based policy will not match.

The Aruba controller and Aruba Instant AP have no option to prepend the domain name to the username, so the username as entered by the user must already be in the DOMAIN\USERNAME format for group mapping to work.

Below is sample output from PAN for a username sent without the domain; PAN was not able to map the user to any group.

pan-test-user@PA-500> show user ip-user-mapping ip 10.68.105.24
IP address: 10.68.105.24 (vsys1)
User: test.user
From: XMLAPI
Idle Timeout: 1559s
Max. TTL: 1559s
Groups that the user belongs to (used in policy)  <====== Group is not mapped

Below is sample output from PAN for the same user sent with the domain; PAN was able to map the user to its group.

pan-test-user@PA-500> show user ip-user-mapping ip 10.68.105.24
IP address: 10.68.105.24 (vsys1)
User: aruba\test.user
From: XMLAPI
Idle Timeout: 1559s
Max. TTL: 1559s
Groups that the user belongs to (used in policy)
Group(s):    cn=employee,ou=staff,dc=aruba,dc=com  <====== Group is mapped
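As an added example (not part of the original article, and not Aruba's or Palo Alto Networks' code), the following Python script applies the workaround on the sending side rather than in the Aruba user database: a small relay takes the bare username and IP that the controller reports, rewrites the name into DOMAIN\USERNAME, and submits it to the firewall through the User-ID XML API, the source that appears as "From: XMLAPI" in the output above. The domain name "aruba", the firewall hostname, the API key and the timeout value are assumptions; the XML API timeout attribute is expressed in minutes, unlike the seconds shown in the CLI output.

```python
"""Relay-side username normalisation for the PAN-OS User-ID XML API.

Added example, not from the Aruba article or from Palo Alto Networks.
The controller exports bare usernames; PAN group mapping only matches
DOMAIN\\USERNAME, so every name is rewritten to that form before the
'login' message is built and sent.
"""
import re
import xml.etree.ElementTree as ET
import urllib.parse
import urllib.request

# Assumed NetBIOS domain; must equal the domain the firewall's group-mapping
# profile reports (the article's sample output shows 'aruba\test.user').
DEFAULT_DOMAIN = "aruba"


def normalize_username(raw: str, default_domain: str = DEFAULT_DOMAIN) -> str:
    """Return DOMAIN\\USERNAME for the three forms the article mentions.

    'test.user'            -> 'aruba\\test.user'  (domain prepended)
    'test.user@aruba.com'  -> 'aruba\\test.user'  (UPN realm reduced to its first label)
    'ARUBA\\test.user'     -> 'aruba\\test.user'  (already prefixed; domain lowercased)
    Raises ValueError on empty or malformed input so a bad mapping is never sent.
    """
    name = raw.strip()
    if not name:
        raise ValueError("empty username")
    if "\\" in name:
        domain, _, user = name.partition("\\")
    elif "@" in name:
        user, _, realm = name.rpartition("@")
        # Assumption: the NetBIOS name equals the first DNS label of the realm.
        domain = realm.split(".", 1)[0]
    else:
        domain, user = default_domain, name
    # Reject separators and whitespace inside either part.
    if not re.fullmatch(r"[^\\/@\s]+", domain) or not re.fullmatch(r"[^\\/@\s]+", user):
        raise ValueError(f"malformed username: {raw!r}")
    return f"{domain.lower()}\\{user}"


def build_uid_message(mappings, timeout_minutes: int = 60) -> str:
    """Build a User-ID XML API 'login' update from (username, ip) pairs."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for raw_user, ip in mappings:
        ET.SubElement(login, "entry", name=normalize_username(raw_user),
                      ip=ip, timeout=str(timeout_minutes))
    return ET.tostring(root, encoding="unicode")


def entries_in(xml_body: str):
    """Parse a uid-message back into (name, ip, timeout) tuples (used to verify output)."""
    root = ET.fromstring(xml_body)
    return [(e.get("name"), e.get("ip"), e.get("timeout"))
            for e in root.findall("./payload/login/entry")]


def post_uid_message(firewall: str, api_key: str, xml_body: str, opener=None) -> str:
    """POST the message to https://<firewall>/api/ with type=user-id.

    The API key travels in the POST body rather than the query string so it
    does not end up in proxy or web-server access logs.
    """
    data = urllib.parse.urlencode(
        {"type": "user-id", "key": api_key, "cmd": xml_body}).encode()
    req = urllib.request.Request(f"https://{firewall}/api/", data=data)
    opener = opener or urllib.request.build_opener()
    with opener.open(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Constructed sample input resembling what a controller would report.
    sample = [("test.user", "10.68.105.24"),
              ("jane.doe@aruba.com", "10.68.105.25"),
              ("ARUBA\\svc.printer", "10.68.105.26")]
    print(build_uid_message(sample, timeout_minutes=30))
    # post_uid_message("fw.example.net", "<api-key>", build_uid_message(sample))
```

Only the normalised name is sent to the firewall; the controller's own user entry stays as the user typed it, so this does not interact with how the controller authenticates the user.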

Comments
andrea.gelati@longwave.eu

Hi Vikram,

I noticed that the workaround using the "DOMAIN\USERNAME" format doesn't work when the controller is configured with EAP termination and LDAP integration for authentication.

LDAP authentication fails and only works using the "USERNAME" format.

Do you know if automatic domain addition (similar to the ClearPass function) is on the roadmap for future ArubaOS or InstantOS?

Regards,

Andrea
