ClearPass Palo Alto integration: How send domain name in UserID info

  • 1.  ClearPass Palo Alto integration: How send domain name in UserID info

    Posted Apr 02, 2014 09:54 AM

    Ciao,

    I'm implementing integration between CPPM and PaloAlto. I'm using WiFi 802.1x with onboarded clients. The CN in the certificate is pushed to PaloAlto without the Active Directory domain name, and so the PaloAlto policies do not match.

     

    User Certificate: CN=USERID:

    PaloAlto UserID = USERID (doesn't match)

    DOMAIN\USERID will match

     

    Thanks



  • 2.  RE: ClearPass Palo Alto integration: How send domain name in UserID info

    Posted Apr 02, 2014 12:03 PM

    Hello,

     

    I'm not 100% on your question but we are limited today in regard to the data we can send to PANW. This is an exposed API limitation, not a CPPM limitation.

     

    Before I go deep....have you taken time to review my PANW/CPPM TechNote which covers in detail what can be achieved with our integration?

     

    Find it here 

     



  • 3.  RE: ClearPass Palo Alto integration: How send domain name in UserID info

    Posted Apr 03, 2014 08:59 AM

    Hi,
    thanks for the reply. I used exactly that document for the implementation (great) with CPPM 6.3.1. The integration works in WiFi using DOMAIN\USERID or DOMAIN\MACHINEID.
    The problem occurs for onboarded clients.
    Is there a possibility to specify a default domain using the API?
    The scenario is to allow onboarded smart devices to use the PANW integration.

     

    Thanks



  • 4.  RE: ClearPass Palo Alto integration: How send domain name in UserID info

    Posted Apr 03, 2014 10:59 AM

    OK - We have a solution....bear with me and I'll be back here shortly to update...........



  • 5.  RE: ClearPass Palo Alto integration: How send domain name in UserID info

    Posted Apr 04, 2014 02:28 AM

    Sorry for my delay......here is a solution that we have used for a couple of customers.....

     

    In the WEB Login, on the Provisioning Settings.....in the Footer HTML....add the below code, this will append the DOMAIN (DANNYJUMP) to the userid....give this a go and let me know if this works for you.

     

    {nwa_script src=jquery.min}
    <script type="text/javascript">
    {* Change the following to automatically prepend a domain name on form submit *}
    var prependDomain = 'DANNYJUMP';
    {literal}
    $(document).ready(function() {
      $("input[name='user']").blur(function () {
        var u = $("input[name='user']"), user = u.val().trim();
        if (user.indexOf("\\") == -1) {
          u.val(prependDomain + "\\" + user);
        }
      });
    });
    {/literal}</script>


  • 6.  RE: ClearPass Palo Alto integration: How send domain name in UserID info

    Posted Apr 30, 2014 09:25 AM

    Hi, I have a similar issue that can't be resolved using the weblogin. Customer logs in to a dot1x network as 'davey' but the Palo Alto needs to see 'DOMAIN\davey'. Any ideas short of getting them always to login with the full domain and user name? Can we doctor the API URL to have a default setting?

     

    Cheers

     



  • 7.  RE: ClearPass Palo Alto integration: How send domain name in UserID info

    Posted May 01, 2014 12:37 PM

    Worked around my issue by getting the customer to always login using the DOMAIN\username format. I also changed the service rule so that the username MUST contain the domain name in its string. So if you don't login using the correct format, then CPPM can't categorise the service and auth fails.
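
An added example, not part of any post in this thread and not ClearPass or PAN-OS code: the mismatch discussed above (USERID versus DOMAIN\USERID) is a name-normalization problem, so this sketch normalizes a login name to DOMAIN\user and places it in a login entry in the PAN-OS User-ID XML API `uid-message` format. The function names, the default domain `EXAMPLE`, the UPN suffix map and the sample values are assumptions.

```javascript
// Added example: hypothetical helpers, not ClearPass or PAN-OS code.
// Constructed sample values: default domain and UPN-suffix-to-domain map.
const DEFAULT_DOMAIN = 'EXAMPLE';
const UPN_SUFFIX_TO_DOMAIN = new Map([['example.com', 'EXAMPLE']]);

// Normalize a login name to the DOMAIN\user form the firewall policy matches on.
// Accepts "user", "DOMAIN\user" and "user@suffix"; throws on anything else.
function normalizeUserId(raw, defaultDomain = DEFAULT_DOMAIN) {
  const name = String(raw).trim();
  let domain = defaultDomain;
  let user = name;
  const slash = name.indexOf('\\');
  const at = name.lastIndexOf('@');
  if (slash !== -1) {                  // already qualified: keep the given domain
    domain = name.slice(0, slash);
    user = name.slice(slash + 1);
  } else if (at > 0) {                 // UPN form: map the suffix to a domain
    const suffix = name.slice(at + 1).toLowerCase();
    if (!UPN_SUFFIX_TO_DOMAIN.has(suffix)) {
      throw new Error('unknown UPN suffix: ' + suffix);
    }
    domain = UPN_SUFFIX_TO_DOMAIN.get(suffix);
    user = name.slice(0, at);
  }
  // Allow only plain account characters ("$" covers machine accounts), so a
  // value cannot carry a second separator or XML markup into the mapping.
  if (!/^[A-Za-z0-9._-]+$/.test(domain) || !/^[A-Za-z0-9._$-]+$/.test(user)) {
    throw new Error('unexpected characters in username: ' + name);
  }
  return domain + '\\' + user;
}

// Build a User-ID login mapping for one IPv4 address. The name is safe to
// place in the attribute because normalizeUserId rejects quotes and markup.
function buildUidMessage(rawUser, ip, timeout = 60) {
  if (!/^(\d{1,3}\.){3}\d{1,3}$/.test(ip)) throw new Error('bad IPv4 address');
  if (!Number.isInteger(timeout) || timeout < 0) throw new Error('bad timeout');
  const name = normalizeUserId(rawUser);
  return '<uid-message><version>1.0</version><type>update</type>' +
    '<payload><login>' +
    `<entry name="${name}" ip="${ip}" timeout="${timeout}"/>` +
    '</login></payload></uid-message>';
}
```

Unlike the footer script in post 5, which runs in the user's browser, this check would run wherever the mapping is generated, so a malformed or doubly qualified name is rejected rather than forwarded.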