Occasional Contributor II
Posts: 14
Registered: ‎10-30-2009

ClearPass Palo Alto integration: How send domain name in UserID info

Ciao,

I'm implementing an integration between CPPM and PaloAlto. I'm using WiFi 802.1x with onboarded clients. The CN in the certificate is pushed to PaloAlto without the Active Directory domain name, and then the PaloAlto policies are not matched.

 

User Certificate: CN=USERID:

PaloAlto UserID = USERID (doesn't match)

DOMAIN\USERID will match

 

Thanks

Moderator
Posts: 493
Registered: ‎11-09-2012

Re: ClearPass Palo Alto integration: How send domain name in UserID info


Hello,

 

I'm not 100% on your question but we are limited today in regard to the data we can send to PANW. This is an exposed API limitation, not a CPPM limitation.

 

Before I go deep....have you taken time to review my PANW/CPPM TechNote which covers in detail what can be achieved with our integration?

 

Find it here 

 


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Occasional Contributor II
Posts: 14
Registered: ‎10-30-2009

Re: ClearPass Palo Alto integration: How send domain name in UserID info

Hi,
thanks for the reply. I used exactly that document for the implementation (great) with CPPM 6.3.1. The integration works in WiFi using DOMAIN\USERID or DOMAIN\MACHINEID.
The problem occurs for onboarded clients.
Is there a possibility to specify a default domain using the API?
The scenario is to allow onboarded smart devices to use the PANW integration.

 

Thanks

Moderator
Posts: 493
Registered: ‎11-09-2012

Re: ClearPass Palo Alto integration: How send domain name in UserID info

OK - We have a solution....bear with me and I'll be back here shortly to update...........


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

Moderator
Posts: 493
Registered: ‎11-09-2012

Re: ClearPass Palo Alto integration: How send domain name in UserID info

Sorry for my delay......here is a solution that we have used for a couple of customers.....

 

In the WEB Login, on the Provisioning Settings.....in the Footer HTML....add the below code, this will append the DOMAIN (DANNYJUMP) to the userid....give this a go and let me know if this works for you.

 

{nwa_script src=jquery.min}
<script type="text/javascript">
{* Change the following to automatically prepend a domain name on form submit *}
var prependDomain = 'DANNYJUMP';
{literal}
$(document).ready(function() {
  // When the username field loses focus, prepend the domain unless one is already present.
  $("input[name='user']").blur(function () {
    var u = $("input[name='user']"), user = u.val().trim();
    // Skip empty input so a blank field does not become "DANNYJUMP\".
    if (user !== "" && user.indexOf("\\") === -1) {
      u.val(prependDomain + "\\" + user);
    }
  });
});
{/literal}
</script>

Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

Contributor II
Posts: 43
Registered: ‎12-14-2011

Re: ClearPass Palo Alto integration: How send domain name in UserID info

Hi, I have a similar issue that can't be resolved using the weblogin. Customer logs in to a dot1x network as 'davey' but the Palo Alto needs to see 'DOMAIN\davey'. Any ideas short of getting them always to login with the full domain and user name? Can we doctor the API URL to have a default setting?

 

Cheers

 

Contributor II
Posts: 43
Registered: ‎12-14-2011

Re: ClearPass Palo Alto integration: How send domain name in UserID info

Worked around my issue by getting the customer to always log in using the DOMAIN\username format. I also changed the service rule so that the username MUST contain the domain name in its string. So if you don't log in using the correct format, then CPPM can't categorise the service and auth fails.
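
The two approaches in this thread (prepending a default domain in the web login footer, and refusing usernames that are not in DOMAIN\username form) combined in one function, as an added example that is not part of the original posts or of ClearPass or PAN-OS. The function name, the UPN-suffix mapping and the character limits are assumptions; it also covers the user@suffix form, which the thread does not discuss.

```javascript
// Added example: canonicalise a login name to DOMAIN\username before it is
// used as a User-ID, rejecting anything that cannot be mapped unambiguously.
const DEFAULT_DOMAIN = 'DANNYJUMP'; // domain used in the footer script above

// Hypothetical mapping from UPN suffix to NetBIOS domain (constructed sample value).
const UPN_TO_NETBIOS = new Map([['dannyjump.example', 'DANNYJUMP']]);

// Assumed, conservative character sets; tighten to your directory's naming policy.
// NetBIOS domain names are at most 15 characters; '$' allows machine accounts.
const DOMAIN_RE = /^[A-Za-z0-9][A-Za-z0-9.-]{0,14}$/;
const USER_RE = /^[A-Za-z0-9._$-]{1,64}$/;

// Returns "DOMAIN\user", or null when the input must be rejected.
function normalizeUserId(raw, defaultDomain = DEFAULT_DOMAIN) {
  const input = String(raw ?? '').trim();
  if (input === '') return null;            // never emit a bare "DOMAIN\"

  let domain, user;
  const parts = input.split('\\');
  if (parts.length === 2) {
    // Already qualified: keep the domain the user supplied.
    [domain, user] = parts;
  } else if (parts.length === 1 && input.includes('@')) {
    // UPN form: only accept suffixes we know how to map.
    const at = input.lastIndexOf('@');
    user = input.slice(0, at);
    domain = UPN_TO_NETBIOS.get(input.slice(at + 1).toLowerCase());
    if (domain === undefined) return null;
  } else if (parts.length === 1) {
    // Bare username (for example a certificate CN): apply the default domain.
    domain = defaultDomain;
    user = input;
  } else {
    return null;                            // more than one backslash
  }

  // Reject whitespace, control characters and empty halves.
  if (!DOMAIN_RE.test(domain) || !USER_RE.test(user)) return null;
  return domain + '\\' + user;
}
```
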
