Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass + Palo Alto Integration - Not sending username

  • 1.  ClearPass + Palo Alto Integration - Not sending username

    MVP
    Posted Nov 30, 2015 10:30 AM

    Hey AirHeads Community,

    Our setup consists of:

    • (2) 7205 controllers (master/local)
    • (2) ClearPass 6.5 servers (publisher/subscriber)
    • (2) Palo Alto Firewalls + Panorama (active/backup)

    SSIDs include:

    • Guest - Open/Captive Portal w/ Employee Login for BYOD (against AD)
    • Employee - 802.1X against AD

    RADIUS Accounting is enabled on Controller and Clearpass

    PAN firewalls and PANORAMA added as Endpoint Context Servers

    Insight Enabled on Clearpass

    Added PAN update triggers in Enforcement Policy

    Added PAN servers in Controller and enabled PAN integration on AAA profiles

    *PAN admin account is super user for clearpass/controller.

    We see the app_aruba user (local admin in PAN) shows up on the Palo Alto when sending traffic, but we don't see any usernames for employees who authenticate on either SSID.

    Any ideas or anything I could have overlooked?

    [2015-11-30]-Image001.png


  • 2.  RE: ClearPass + Palo Alto Integration - Not sending username

    Posted Nov 30, 2015 12:02 PM

    Michael,

    Assuming you went through my CPPM/PANW TechNote for configuration guidance?

    ClearPass 6.X and PANW Integration V5

    PANW and CPPM Advanced Deployment use-case TechNote (V2-July 2014).pdf

    If you look under the Monitor/Accounting or Monitor/Access-Tracker [is there an Accounting Tab] do you see user sessions with accounting data in CPPM?


  • 3.  RE: ClearPass + Palo Alto Integration - Not sending username

    MVP
    Posted Nov 30, 2015 12:14 PM

    I did go through the technote. Everything seems to be configured, but I'm still not seeing the username. I collected the logs in ClearPass and don't see usernames being sent to PAN. I did find this:

    pactrlmonitprofile Login contents full username ={None}|Logout contents full username={None}

    pactrlmonitprofile Failed to fetch auth_token using the auth_URL=https://10.10.129.181/api/?type=keygen&user=app_aruba&password=$$$$$$$
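    An added example, not from this thread and not HPE or Palo Alto code: a small Python triage script that classifies ClearPass log lines like the two quoted above and turns them into the checks the thread walks through (API key request failing, User-ID posts carrying no username, accounting not reaching CPPM). The pactrlmonitprofile message shapes come from the quoted lines; the regular expressions, the extra constructed sample lines and the finding texts are assumptions. The keygen URL embeds the PAN API password in the query string, so the script keeps only host and user from it, which makes the output safe to paste into a TAC case.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample, modelled on the two pactrlmonitprofile entries quoted in the post above.
# The third and fourth lines are invented "healthy" entries so the triage has a comparison.
SAMPLE_LOG = """\
2015-11-30 12:10:01 pactrlmonitprofile Login contents full username ={None}|Logout contents full username={None}
2015-11-30 12:10:02 pactrlmonitprofile Failed to fetch auth_token using the auth_URL=https://10.10.129.181/api/?type=keygen&user=app_aruba&password=$$$$$$$
2015-11-30 12:11:07 pactrlmonitprofile Login contents full username =CORP\\jdoe|Logout contents full username={None}
2015-11-30 12:11:08 radius Accounting-Request received for CORP\\jdoe
"""

# Assumed message shapes, derived from the quoted lines.
KEYGEN_RE = re.compile(r"Failed to fetch auth_token using the auth_URL=(?P<url>\S+)")
LOGIN_RE = re.compile(
    r"Login contents full username\s*=\s*(?P<login>[^|]*)\|"
    r"Logout contents full username\s*=\s*(?P<logout>\S*)"
)


def classify(line):
    """Classify one ClearPass log line; returns (kind, details) or None for non-PAN lines."""
    if "pactrlmonitprofile" not in line:
        return None
    m = KEYGEN_RE.search(line)
    if m:
        parts = urlsplit(m.group("url"))
        query = parse_qs(parts.query)
        # The keygen URL carries the API password as a query parameter; keep only host and
        # user so the triage output can be shared without leaking the credential.
        return ("keygen_failure", {"host": parts.hostname, "user": query.get("user", [""])[0]})
    m = LOGIN_RE.search(line)
    if m:
        login, logout = m.group("login").strip(), m.group("logout").strip()
        if login in ("", "{None}") and logout in ("", "{None}"):
            return ("empty_username", {})
        return ("userid_update", {"login": login, "logout": logout})
    return ("other", {})


def triage(log_text):
    """Count each kind of PAN integration event and derive the checks the thread points at."""
    counts = {"keygen_failure": 0, "empty_username": 0, "userid_update": 0, "other": 0}
    failing_hosts = set()
    for line in log_text.splitlines():
        result = classify(line)
        if result is None:
            continue
        kind, details = result
        counts[kind] += 1
        if kind == "keygen_failure":
            failing_hosts.add(details["host"])
    findings = []
    if failing_hosts:
        findings.append(
            "API key request (type=keygen) failing for %s: verify the PAN admin account and "
            "role, and check the PAN-OS version against the 7.0.0 issue fixed in 7.0.2"
            % ", ".join(sorted(failing_hosts))
        )
    if counts["empty_username"] and not counts["userid_update"]:
        findings.append(
            "Every User-ID post carried username={None}: confirm RADIUS accounting reaches "
            "CPPM and that interim accounting logging is enabled"
        )
    return {"counts": counts, "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print("-", finding)
```

    Run it against an export of the ClearPass system log; a keygen failure on every PAN host while healthy userid_update lines exist points at the API account or PAN-OS side, whereas only empty_username lines point back at accounting on the controller and CPPM.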



  • 4.  RE: ClearPass + Palo Alto Integration - Not sending username

    Posted Nov 30, 2015 12:32 PM

    Michael,

    What version of PANW R U running?

    There was a BUG in PAN-OS 7.0.0 that was fixed in 7.0.2 where we were unable to post info into the PAN.

    https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os-release-notes/pan-os-7-0-2-addressed-issues.html

    BugID - 80993


  • 5.  RE: ClearPass + Palo Alto Integration - Not sending username

    MVP
    Posted Nov 30, 2015 12:33 PM

    PAN OS 6.1.4



  • 6.  RE: ClearPass + Palo Alto Integration - Not sending username

    Posted Nov 30, 2015 12:53 PM

    Mike,

    Back to a Q in my initial response..........

    If you look under the Monitor/Accounting or Monitor/Access-Tracker [is there an Accounting Tab] do you see user sessions with accounting data in CPPM?



  • 7.  RE: ClearPass + Palo Alto Integration - Not sending username

    MVP
    Posted Nov 30, 2015 01:22 PM

    [2015-11-30]-Image002.png

    [2015-11-30]-Image003.png



  • 8.  RE: ClearPass + Palo Alto Integration - Not sending username

    Posted Nov 30, 2015 02:50 PM

    Then if you have accounting data and [you did turn on the log interim accounting setting in CPPM?] and you're not getting updates through, and assuming you have provided the userid you're using on CPPM to 'talk' to the PANW firewall with the correct authority [I documented this in a later CPPM technote in case you only have an earlier one]..... I'd raise a TAC case as the basics appear to be all there.


  • 9.  RE: ClearPass + Palo Alto Integration - Not sending username

    MVP
    Posted Nov 30, 2015 02:54 PM

    Yeah, I covered all those, and the app_aruba account is a super admin in Palo.



  • 10.  RE: ClearPass + Palo Alto Integration - Not sending username

    MVP
    Posted Dec 01, 2015 05:00 PM

    Finally solved the issue. Turned out to be some issues in the PAN configuration including:

    • User-ID not being enabled (I had assumed it was prior to the ClearPass work, lesson learned)
    • Some policies possibly denying the traffic (or not explicitly allowing the traffic in this case)

    TAC was able to confirm the ClearPass and controller configuration, and through the logs, ClearPass was sending the username to the PAN firewalls. We excluded Panorama from the enforcement policy, as it seemed to be a bit buggy, so we only included the actual firewalls and it seems to be running fine.

    Thanks for the help.