ClearPass + Palo Alto Integration - Not sending username

Hey AirHeads Community,

 

Our setup consists of:

  • (2) 7205 controllers (master/local)
  • (2) ClearPass 6.5 servers (publisher/subscriber)
  • (2) Palo Alto Firewalls + Panorama (active/backup)

 

SSIDs include:

  • Guest - Open/Captive Portal w/ Employee Login for BYOD (against AD)
  • Employee - 802.1X against AD

 

RADIUS Accounting is enabled on Controller and ClearPass

PAN firewalls and PANORAMA added as Endpoint Context Servers

Insight Enabled on ClearPass

Added PAN update triggers in Enforcement Policy

Added PAN servers in Controller and enabled PAN integration on AAA profiles

 

*PAN admin account is super user for ClearPass/controller.

 

We see the app_aruba user (local admin in PAN) show up on the Palo Alto when sending traffic, but we don’t see any usernames for employees who authenticate on either SSID.

 

Any ideas or anything I could have overlooked?

 

[2015-11-30]-Image001.png

 

 

Michael Haring | Network Engineer - ACMP, ACCP
Comm Solutions Company | www.commsolutions.com

Re: ClearPass + Palo Alto Integration - Not sending username

Michael,

 

Assuming you went through my CPPM/PANW TechNote for configuration guidance?

 

ClearPass 6.X and PANW Integration V5

 

PANW and CPPM Advanced Deployment use-case TechNote (V2-July 2014).pdf

 

 

If you look under the Monitor/Accounting or Monitor/Access-Tracker [is there an Accounting tab] do you see user sessions with accounting data in CPPM?

 

 


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.

Re: ClearPass + Palo Alto Integration - Not sending username

I did go through the technote. Everything seems to be configured, but I'm still not seeing the username. I collected the logs in ClearPass and don't see usernames being sent to PAN. I did find this:

 

 

pactrlmonitprofile Login contents full username ={None}|Logout contents full username={None}

 

pactrlmonitprofile Failed to fetch auth_token using the auth_URL=https://10.10.129.181/api/?type=keygen&user=app_aruba&password=$$$$$$$

Michael Haring | Network Engineer - ACMP, ACCP
Comm Solutions Company | www.commsolutions.com
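
Added example, not written by either poster and not vendor code: a Python triage pass over collected `pactrlmonitprofile` lines in the format quoted above. It counts logins logged without a username, lists the firewalls whose keygen call failed, and masks the `password=` value carried in the keygen URL so the log can be shared; the sample lines, host `192.0.2.10` and account `svc_example` are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in the format quoted in the post above; the host,
# account name and password are placeholders, not values from the thread.
SAMPLE_LOG = """\
pactrlmonitprofile Login contents full username ={None}|Logout contents full username={None}
pactrlmonitprofile Failed to fetch auth_token using the auth_URL=https://192.0.2.10/api/?type=keygen&user=svc_example&password=Not&A=Real$ecret
pactrlmonitprofile Login contents full username ={jdoe}|Logout contents full username={None}
"""

# A logged password may contain an unencoded '&', so mask to the end of the line.
SECRET_RE = re.compile(r"([?&](?:password|key)=).*", re.IGNORECASE)
LOGIN_RE = re.compile(r"Login contents full username\s*=\{([^}]*)\}")
KEYGEN_FAIL_RE = re.compile(r"Failed to fetch auth_token using the auth_URL=(\S+)")


def redact(line):
    """Replace the value of a password/key query parameter with a marker."""
    return SECRET_RE.sub(r"\1<redacted>", line)


def triage(log_text):
    """Summarise keygen failures and empty-username logins from log text."""
    report = {"keygen_failed_hosts": [], "empty_logins": 0,
              "named_logins": [], "redacted_lines": []}
    for raw in log_text.splitlines():
        line = redact(raw)  # the secret is not carried past this point
        report["redacted_lines"].append(line)
        failed = KEYGEN_FAIL_RE.search(line)
        if failed:
            report["keygen_failed_hosts"].append(urlsplit(failed.group(1)).hostname)
        login = LOGIN_RE.search(line)
        if login:
            if login.group(1) in ("", "None"):
                report["empty_logins"] += 1
            else:
                report["named_logins"].append(login.group(1))
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("\n".join(result["redacted_lines"]))
    print("keygen failed for:", result["keygen_failed_hosts"])
    print("logins without a username:", result["empty_logins"])
```
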

Re: ClearPass + Palo Alto Integration - Not sending username

Michael,

 

What version of PANW R U running?

 

There was a BUG in PAN-OS 7.0.0 that was fixed in 7.0.2 where we were unable to post info into the PAN.

 

https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os-release-notes/pan-os-7-0-2-addressed-issues.html

 

BugID - 80993

 

 

 

 


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass


Re: ClearPass + Palo Alto Integration - Not sending username

PAN OS 6.1.4

Michael Haring | Network Engineer - ACMP, ACCP
Comm Solutions Company | www.commsolutions.com

Re: ClearPass + Palo Alto Integration - Not sending username

Mike,

 

Back to a Q in my initial response..........

 

If you look under the Monitor/Accounting or Monitor/Access-Tracker [is there an Accounting tab] do you see user sessions with accounting data in CPPM?


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass


Re: ClearPass + Palo Alto Integration - Not sending username

[2015-11-30]-Image002.png

[2015-11-30]-Image003.png

Michael Haring | Network Engineer - ACMP, ACCP
Comm Solutions Company | www.commsolutions.com

Re: ClearPass + Palo Alto Integration - Not sending username

Then if U have accounting data [u did turn on the log interim accounting setting in CPPM?] and you're not getting updates through, and assuming you have provided the userid you're using on CPPM to 'talk' to the PANW firewall with the correct authority [I documented this in a later CPPM technote in case you only have an earlier one]..... I'd raise a TAC case, as the basics appear to be all there.

 


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass


Re: ClearPass + Palo Alto Integration - Not sending username

Yeah, I covered all those, and we have app_aruba as a super admin in Palo.

Michael Haring | Network Engineer - ACMP, ACCP
Comm Solutions Company | www.commsolutions.com

Re: ClearPass + Palo Alto Integration - Not sending username

Finally solved the issue. Turned out to be some issues in the PAN configuration, including:

  • UserID not being enabled (I had assumed it was prior to the ClearPass work, lesson learned)
  • Some policies possibly denying the traffic (or not explicitly allowing the traffic in this case)

TAC was able to confirm the ClearPass and controller configuration and, through the logs, that ClearPass was sending the username to the PAN firewalls. We excluded Panorama from the enforcement policy; it seemed to be a bit buggy, so we only included the actual firewalls, and it seems to be running fine.

 

Thanks for the help.

Michael Haring | Network Engineer - ACMP, ACCP
Comm Solutions Company | www.commsolutions.com