Contributor I
Posts: 48
Registered: ‎08-16-2014

Anyone using ClearPass to PaloAlto ID mapping for wired clients?

We have ClearPass 6.4 and a PaloAlto firewall running their v6 OS.  We set up the integration with PaloAlto which gives us a post-authentication trigger to use in policies so that the PaloAlto will receive user ID to IP address mappings.  We have used this trigger for wireless client policies, and the PaloAlto receives mapping information for them successfully.

 

We also use ClearPass to perform 802.1X and MAB authentication for wired Cisco switches, so we have two services to handle these requests. We have the PaloAlto post-authentication trigger invoked for these, but it looks like ClearPass does not know or have the IP address of the client that is being authenticated by the Cisco switch. In the ClearPass postauthctrl.log, we see entries such as:

 

2015-01-06 10:36:20,049 DEBUG root pactrlmonitprofile Sending UID mapping to Palo Alto device
2015-01-06 10:36:20,049 WARNING root pactrlmonitprofile Not sending userid object for padevice=10.X.X.X as the data or auth_token is empty

 

However, there are a scant few entries where there is client data shown in XML and a "success" response coming back from the PaloAlto call, so it doesn't look like it is without info for each and every wired client:

 

2015-01-10 12:03:37,447 DEBUG root pactrlmonitprofile Sending UID mapping to Palo Alto device
2015-01-10 12:03:37,447 DEBUG root pactrlmonitprofile Sending userid object for padevice=10.20.70.195
2015-01-10 12:03:37,764 DEBUG root pactrlmonitprofile Read response={<response status="success"><result><uid-response>...

 

Anyone out there using ClearPass this way?  If so, what does the device setup look like for your Cisco switches in ClearPass?  Thanks!
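Since the postauthctrl.log lines quoted above are the only visible evidence of whether a wired client's mapping reached the firewall, a quick triage script helps separate the "data or auth_token is empty" cases from sends that actually got a response. The example below is added here and is not ClearPass or Palo Alto code; it assumes the log line layout shown in this thread (timestamp, level, `root pactrlmonitprofile`, message) and uses constructed sample lines, with the padevice addresses invented for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on the postauthctrl.log excerpts quoted in
# the thread; the padevice addresses are made up for this example.
SAMPLE_LOG = """\
2015-01-06 10:36:20,049 DEBUG root pactrlmonitprofile Sending UID mapping to Palo Alto device
2015-01-06 10:36:20,049 WARNING root pactrlmonitprofile Not sending userid object for padevice=10.0.0.1 as the data or auth_token is empty
2015-01-10 12:03:37,447 DEBUG root pactrlmonitprofile Sending UID mapping to Palo Alto device
2015-01-10 12:03:37,447 DEBUG root pactrlmonitprofile Sending userid object for padevice=10.20.70.195
2015-01-10 12:03:37,764 DEBUG root pactrlmonitprofile Read response={<response status="success"><result><uid-response>...
2015-01-10 12:05:00,001 DEBUG root pactrlmonitprofile Sending userid object for padevice=10.20.70.195
2015-01-10 12:05:00,300 DEBUG root pactrlmonitprofile Read response={<response status="error"><msg>...
"""

# Generic line shape: "<date> <time> <LEVEL> root pactrlmonitprofile <message>"
LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) (?P<level>\w+) root pactrlmonitprofile (?P<msg>.*)$')
# Three message kinds we care about: a skipped (empty) mapping, a sent mapping,
# and the firewall's XML response status.
SKIP_RE = re.compile(r'Not sending userid object for padevice=(?P<pa>[\d.]+)')
SEND_RE = re.compile(r'Sending userid object for padevice=(?P<pa>[\d.]+)')
RESP_RE = re.compile(r'Read response=\{<response status="(?P<status>\w+)"')


def summarize(log_text):
    """Count skipped sends, real sends and response statuses per Palo Alto device."""
    stats = defaultdict(Counter)
    pending = None  # padevice of the most recent send still awaiting a response
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group('msg')
        skip = SKIP_RE.search(msg)
        send = SEND_RE.search(msg)
        resp = RESP_RE.search(msg)
        if skip:
            stats[skip.group('pa')]['skipped_empty'] += 1
        elif send:
            stats[send.group('pa')]['sent'] += 1
            pending = send.group('pa')
        elif resp and pending:
            # Attribute the response to the device that was just sent to.
            stats[pending]['response_' + resp.group('status')] += 1
            pending = None
    return {pa: dict(c) for pa, c in stats.items()}


def devices_needing_attention(stats, threshold=0.5):
    """Palo Alto devices whose share of empty (unsent) mappings reaches the threshold."""
    flagged = []
    for pa, c in stats.items():
        skipped = c.get('skipped_empty', 0)
        total = skipped + c.get('sent', 0)
        if total and skipped / total >= threshold:
            flagged.append(pa)
    return sorted(flagged)


if __name__ == '__main__':
    s = summarize(SAMPLE_LOG)
    for pa, counts in s.items():
        print(pa, counts)
    print('needs attention:', devices_needing_attention(s))
```

Run it against a copy of the real log instead of `SAMPLE_LOG` to see, per firewall, how many authentications produced no mapping at all versus how many were sent and accepted; a device that is mostly "skipped_empty" for the wired services points at ClearPass lacking the client data (such as the IP) at the time the trigger fires, rather than at the firewall rejecting the update.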

 

 

Guru Elite
Posts: 8,464
Registered: ‎09-08-2010

Re: Anyone using ClearPass to PaloAlto ID mapping for wired clients?

Do you get the error for both 802.1X and MAC-auth or just MAC-auth?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 48
Registered: ‎08-16-2014

Re: Anyone using ClearPass to PaloAlto ID mapping for wired clients?

So we did some deeper investigation in our lab.  Looks like 802.1X wired logins are the ones that fail to update the PA.  We see MAC auth ones succeed, but we may have the user mapping timeout on the PA set shorter than how often a device has to reauth, so we sometimes see a mapping in the PA but it is eventually removed, likely because of the timeout value in the PA for ID associations (if that makes sense).

 

I have attached a snippet of ClearPass logs for an 802.1X authentication that fails to update against the PA.  Thanks much!

 

Contributor II
Posts: 38
Registered: ‎11-24-2014

Re: Anyone using ClearPass to PaloAlto ID mapping for wired clients?

 

I am implementing ClearPass and Palo Alto User-ID integration and encounter the same problem on MAC auth devices. Looks like ClearPass is not sending any User-ID to Palo Alto. Is this due to the fact that in MAC auth the username is the MAC address?

 

Need help. 

Moderator
Posts: 488
Registered: ‎11-09-2012

Re: Anyone using ClearPass to PaloAlto ID mapping for wired clients?

I documented in the below guide how to deal with this issue... look in the section starting on page 18.

 

PANW and CPPM Advanced Deployment use-case TechNote (V2-July 2014).pdf

 

HTH


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass
