Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass and Palo Alto integration with guest mac caching

  • 1.  ClearPass and Palo Alto integration with guest mac caching

    Posted May 05, 2016 07:03 AM

    Hi guys!

    I have an issue with Palo Alto integration and MAC address authentication.

    When the client passes the first authentication (the MAC address is unknown), this information is sent to Palo Alto, so the user and IP are associated.

    When the client accesses the network the second time, it uses MAC authentication; in this case, instead of the "Username", the MAC address is sent to the Palo Alto appliance.

     

     

    Can you help me?

    thanks in advance
    Andrea



  • 2.  RE: ClearPass and Palo Alto integration with guest mac caching

    Posted May 05, 2016 08:06 PM

    I captured the MAC-caching use case in this TechNote... it's not in my General PANW TechNote but in this 'Advanced TechNote': PANW and CPPM Advanced Deployment use-case TechNote (V2-July 2014).pdf



  • 3.  RE: ClearPass and Palo Alto integration with guest mac caching

    Posted May 06, 2016 09:00 AM

    @dannyjump wrote:

    I captured the MAC-caching use case in this TechNote... it's not in my General PANW TechNote but in this 'Advanced TechNote': PANW and CPPM Advanced Deployment use-case TechNote (V2-July 2014).pdf


    Hi, I need a clarification.

    I have two services, one for MAC caching and one for MAC auth.

    Do I need to add the following enforcement profile into both services?

    enf-prof.JPG



  • 4.  RE: ClearPass and Palo Alto integration with guest mac caching

    Posted May 06, 2016 09:19 AM

    @Andrea wrote:

    @dannyjump wrote:

    I captured the MAC-caching use case in this TechNote... it's not in my General PANW TechNote but in this 'Advanced TechNote': PANW and CPPM Advanced Deployment use-case TechNote (V2-July 2014).pdf


    Hi, I need a clarification.

    I have two services, one for MAC caching and one for MAC auth.

    Do I need to add the following enforcement profile into both services?

    enf-prof.JPG


    And I see that the option "IP-Address-Change-Notify" is not there; I have ClearPass 6.5.3.

     

    Regards

    Andrea



  • 5.  RE: ClearPass and Palo Alto integration with guest mac caching

    Posted May 31, 2016 03:30 AM

    Hi all,

    I have updated to ClearPass 6.5.6 but the issue remains and the value "IP-Address-Change-Notify" does not appear.

     

    Regards

    Andrea



  • 6.  RE: ClearPass and Palo Alto integration with guest mac caching

    Posted May 31, 2016 12:15 PM

    If the folks from Aruba are busy, then please stay tuned. I'm building it in my lab. I have done it for EAP-PEAP but not for MAC auth. Will update you here.

     

    Thanks,



  • 7.  RE: ClearPass and Palo Alto integration with guest mac caching

    EMPLOYEE
    Posted May 31, 2016 12:28 PM

    Andrea - Please open a TAC case.



  • 8.  RE: ClearPass and Palo Alto integration with guest mac caching

    Posted May 05, 2016 09:35 PM

    Are you specifically asking if you can send the username instead of the MAC to the PAN when a MAC auth happens?



  • 9.  RE: ClearPass and Palo Alto integration with guest mac caching

    Posted May 06, 2016 03:22 AM

    Hi,

    Correct, this is my objective.

     

    Is it possible?

     

    Regards

    Andrea



  • 10.  RE: ClearPass and Palo Alto integration with guest mac caching

    Posted May 31, 2016 05:37 PM

    Andrea,

     

    I got the basic guest working with PAN. CPPM sends the guest account info as such:

    If the guest username was guestname@company.com,

    PAN receives it as company.com\guestname, which is good enough. This is if the guest logs in with webauth.

    For MAC auth though, I wasn't able to get it to work :(

    @DannyJump had a great tech note titled PANW and CPPM Advanced Deployment use-case TechNote (V2-July 2014).

    If you follow pages 18 onward, you should get the basic workflow configured; at that point I will suggest calling TAC for help.

    The TechNote has some options for the session_check that I couldn't find in my CPPM 6.6 or 6.5.

    Anyway, let me know if you need help getting to that point, and let me know if TAC can help.



  • 11.  RE: ClearPass and Palo Alto integration with guest mac caching

    Posted Jun 01, 2016 04:05 AM

    Hi,

    You have experienced exactly my issue.

    With web-auth all works; with MAC auth there is something wrong.

    I have an open ticket with the TAC; I hope that they can help us.

     

    Regards

    Andrea Acampa



  • 12.  RE: ClearPass and Palo Alto integration with guest mac caching

    Posted Sep 20, 2017 09:32 PM

    Did anybody find an answer to this? I'm having this issue now myself.

     



  • 13.  RE: ClearPass and Palo Alto integration with guest mac caching

    Posted Sep 21, 2017 12:10 AM

    Did you try what I have documented in my PANW Advanced Techniques TechNote?

     

    PANW and CPPM Advanced Deployment use-case TechNote (V2-July 2014).pdf 



  • 14.  RE: ClearPass and Palo Alto integration with guest mac caching

    Posted Sep 21, 2017 12:15 AM

    Hey Danny, we're running 6.6 so the session notify policies weren't relevant. We were doing the RADIUS username update though, and Policy Manager was showing the usernames.

    Got it working now. The issue for us (which I worked out after reading the v6 PANW integration guide - thanks for writing such helpful docs by the way!) was that I had the RADIUS accounting format wrong coming from our Cisco WLC and the accounting records weren't linking up with the auth records.

    Once I fixed this, all started working fine.

     

    Thanks

    Scott

     



  • 15.  RE: ClearPass and Palo Alto integration with guest mac caching

    Posted Sep 21, 2017 12:18 AM

    S W E  E  T  :D