MVP
Posts: 360
Registered: ‎05-09-2013

ClearPass + Palo Alto Integration - Not sending username

Hey AirHeads Community,

Our setup consists of:

  • (2) 7205 controllers (master/local)
  • (2) ClearPass 6.5 servers (publisher/subscriber)
  • (2) Palo Alto Firewalls + Panorama (active/backup)

SSIDs include:

  • Guest - Open/Captive Portal w/ Employee Login for BYOD (against AD)
  • Employee - 802.1X against AD

  • RADIUS Accounting is enabled on Controller and ClearPass
  • PAN firewalls and Panorama added as Endpoint Context Servers
  • Insight enabled on ClearPass
  • Added PAN update triggers in Enforcement Policy
  • Added PAN servers in Controller and enabled PAN integration on AAA profiles

*PAN admin account is super user for ClearPass/controller.

We see the app_aruba user (local admin in PAN) shows up on the Palo Alto when sending traffic, but we don't see any usernames for employees who authenticate on either SSID.

Any ideas or anything I could have overlooked?

[2015-11-30]-Image001.png

Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
Moderator
Posts: 477
Registered: ‎11-09-2012

Re: ClearPass + Palo Alto Integration - Not sending username

Michael,

Assuming you went through my CPPM/PANW TechNote for configuration guidance?

ClearPass 6.X and PANW Integration V5

PANW and CPPM Advanced Deployment use-case TechNote (V2-July 2014).pdf

If you look under Monitor/Accounting or Monitor/Access-Tracker [is there an Accounting tab], do you see user sessions with accounting data in CPPM?

Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
MVP
Posts: 360
Registered: ‎05-09-2013

Re: ClearPass + Palo Alto Integration - Not sending username

I did go through the TechNote. Everything seems to be configured, but I'm still not seeing the username. I collected the logs in ClearPass and don't see usernames being sent to PAN. I did find this:

pactrlmonitprofile Login contents full username ={None}|Logout contents full username={None}

pactrlmonitprofile Failed to fetch auth_token using the auth_URL=https://10.10.129.181/api/?type=keygen&user=app_aruba&password=$$$$$$$


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
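The second log line above is ClearPass failing at the first step of the integration: it calls the PAN-OS XML API `type=keygen` endpoint to obtain an API key, and only with that key can it post user-to-IP mappings (`type=user-id`). The following added example (my own code, not ClearPass's pactrlmonitprofile or any Palo Alto tool) exercises those two calls in isolation so each can be checked on its own when usernames do not show up on the firewall. The request and response shapes are assumptions drawn from the public PAN-OS XML API documentation, not from this thread; the host name, account name and IP mapping in the usage section are constructed placeholders.

```python
"""Stand-alone check of the two PAN-OS XML API calls a User-ID integration
depends on. Added example; not ClearPass or Palo Alto code.

Assumed API shapes (public PAN-OS XML API, not taken from the thread):
  - https://<fw>/api/?type=keygen with user= and password= answers
      <response status="success"><result><key>...</key></result></response>
    or <response status="error" code="..."><result><msg>...</msg></result></response>
  - https://<fw>/api/?type=user-id with key= and cmd=<uid-message> posts mappings
    and answers with the same <response status="..."> envelope.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, Optional


def parse_keygen_response(xml_text: str) -> str:
    """Return the API key, or raise RuntimeError carrying the firewall's own message."""
    root = ET.fromstring(xml_text)
    key = root.findtext("./result/key")
    if root.get("status") == "success" and key:
        return key
    msg = root.findtext("./result/msg") or "no message in response"
    raise RuntimeError(
        f"keygen failed (status={root.get('status')}, code={root.get('code')}): {msg}"
    )


def build_uid_message(logins: Dict[str, str], timeout_minutes: int = 60) -> str:
    """Build a User-ID 'login' update; each entry maps a username to an IP address."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for user, ip in logins.items():
        if not user or user == "{None}":
            # An empty username (the "{None}" seen in the ClearPass log) must not be
            # posted: the firewall would learn an IP with no identity behind it.
            raise ValueError(f"refusing to post a mapping with no username for {ip}")
        ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout_minutes))
    return ET.tostring(root, encoding="unicode")


def uid_post_succeeded(xml_text: str) -> bool:
    """The user-id call answers with the same <response status=...> envelope as keygen."""
    return ET.fromstring(xml_text).get("status") == "success"


def _api_call(host: str, params: Dict[str, str], cafile: Optional[str]) -> str:
    # Credentials and the key travel in the POST body rather than the query string,
    # so they do not land in proxy or web-server access logs; TLS verification
    # stays on, with an optional private CA bundle for self-signed firewall certs.
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        f"https://{host}/api/",
        data=urllib.parse.urlencode(params).encode(),
        method="POST",
    )
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode()


def fetch_api_key(host: str, user: str, password: str, cafile: Optional[str] = None) -> str:
    """Step 1: the call that failed in the log above ('Failed to fetch auth_token')."""
    return parse_keygen_response(
        _api_call(host, {"type": "keygen", "user": user, "password": password}, cafile)
    )


def post_logins(host: str, key: str, logins: Dict[str, str], cafile: Optional[str] = None) -> bool:
    """Step 2: push user-to-IP mappings; the API account needs user-id rights on the firewall."""
    body = build_uid_message(logins)
    return uid_post_succeeded(
        _api_call(host, {"type": "user-id", "key": key, "cmd": body}, cafile)
    )


if __name__ == "__main__":
    import getpass
    import sys

    # Placeholder host and mapping; replace with your own firewall and a real session.
    fw_host = sys.argv[1] if len(sys.argv) > 1 else "firewall.example.invalid"
    api_key = fetch_api_key(fw_host, "app_aruba", getpass.getpass("API account password: "))
    print("mapping posted:", post_logins(fw_host, api_key, {"CORP\\jdoe": "10.10.129.50"}))
```

If step 1 raises with the firewall's error text (for example a 403 with "Invalid Credentials."), the problem is the account or its role and nothing downstream matters; if step 1 succeeds and step 2 returns an error, the account can authenticate but is not allowed to feed User-ID, which is the authority point the TechNote reply in this thread refers to. A successful step 2 that still shows no user on the firewall points at the firewall side (User-ID not enabled on the zone, or policy), which is where this thread ended up.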
Moderator
Posts: 477
Registered: ‎11-09-2012

Re: ClearPass + Palo Alto Integration - Not sending username

Michael,

What version of PANW are you running?

There was a BUG in PAN-OS 7.0.0 that was fixed in 7.0.2 where we were unable to post info into the PAN.

https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os-release-notes/pan-os-7-0-2-addressed-issues.html

BugID - 80993

Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

MVP
Posts: 360
Registered: ‎05-09-2013

Re: ClearPass + Palo Alto Integration - Not sending username

PAN OS 6.1.4


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
Moderator
Posts: 477
Registered: ‎11-09-2012

Re: ClearPass + Palo Alto Integration - Not sending username

Mike,

Back to a Q in my initial response...

If you look under Monitor/Accounting or Monitor/Access-Tracker [is there an Accounting tab], do you see user sessions with accounting data in CPPM?


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

MVP
Posts: 360
Registered: ‎05-09-2013

Re: ClearPass + Palo Alto Integration - Not sending username

[2015-11-30]-Image002.png

[2015-11-30]-Image003.png


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
Moderator
Posts: 477
Registered: ‎11-09-2012

Re: ClearPass + Palo Alto Integration - Not sending username

Then, if you have accounting data and [you did turn on the log interim accounting setting in CPPM?] you're not getting updates through, and assuming you have provided the user ID you're using on CPPM to 'talk' to the PANW firewall with the correct authority [I documented this in a later CPPM TechNote in case you only have an earlier one]... I'd raise a TAC case, as the basics appear to be all there.

Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

MVP
Posts: 360
Registered: ‎05-09-2013

Re: ClearPass + Palo Alto Integration - Not sending username

Yeah, I covered all those, and the app_aruba account is a super admin in Palo.


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
MVP
Posts: 360
Registered: ‎05-09-2013

Re: ClearPass + Palo Alto Integration - Not sending username

Finally solved the issue. It turned out to be some issues in the PAN configuration, including:

  • User-ID not being enabled (I had assumed it was prior to the ClearPass work, lesson learned)
  • Some policies possibly denying the traffic (or not explicitly allowing the traffic in this case)

TAC was able to confirm the ClearPass and controller configuration, and the logs showed ClearPass was sending the username to the PAN firewalls. We excluded Panorama from the enforcement policy, as it seemed to be a bit buggy, and only included the actual firewalls; it seems to be running fine.

Thanks for the help.


Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com