Regular Contributor I
Posts: 186
Registered: ‎03-27-2013

ClearPass and Palo Alto integration with guest mac caching

Hi guys!

I have an issue with Palo Alto integration and MAC address authentication.

When the client passes the first authentication (the MAC address is unknown), this information is sent to Palo Alto, so the user and IP are associated.

When the client accesses the network the second time, it uses MAC authentication; in this case, instead of the "Username", the MAC address is sent to the Palo Alto appliance.

Can you help me?

Thanks in advance
Andrea
Moderator
Posts: 457
Registered: ‎11-09-2012

Re: ClearPass and Palo Alto integration with guest mac caching

I captured the MAC-caching use case in this TechNote... it's not in my General PANW TechNote but in this 'Advanced TechNote': PANW and CPPM Advanced Deployment use-case TechNote (V2-July 2014).pdf


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

Regular Contributor II
Posts: 207
Registered: ‎09-11-2013

Re: ClearPass and Palo Alto integration with guest mac caching

Are you specifically asking if you can send the username instead of the MAC to the PAN when a MAC auth happens?

Regular Contributor I
Posts: 186
Registered: ‎03-27-2013

Re: ClearPass and Palo Alto integration with guest mac caching

Hi,

Correct, this is my objective.

Is it possible?

Regards

Andrea
Regular Contributor I
Posts: 186
Registered: ‎03-27-2013

Re: ClearPass and Palo Alto integration with guest mac caching


dannyjump wrote:

I captured the MAC-caching use case in this TechNote... it's not in my General PANW TechNote but in this 'Advanced TechNote': PANW and CPPM Advanced Deployment use-case TechNote (V2-July 2014).pdf


Hi, I need a clarification.

I have two services, one for MAC caching and one for MAC auth.

Do I need to add the following enforcement profile to both services?

enf-prof.JPG

Andrea
Regular Contributor I
Posts: 186
Registered: ‎03-27-2013

Re: ClearPass and Palo Alto integration with guest mac caching


Andrea wrote:

dannyjump wrote:

I captured the MAC-caching use case in this TechNote... it's not in my General PANW TechNote but in this 'Advanced TechNote': PANW and CPPM Advanced Deployment use-case TechNote (V2-July 2014).pdf


Hi, I need a clarification.

I have two services, one for MAC caching and one for MAC auth.

Do I need to add the following enforcement profile to both services?

enf-prof.JPG


And I see that there is no "IP-Address-Change-Notify" option. I have ClearPass 6.5.3.

Regards

Andrea
Regular Contributor I
Posts: 186
Registered: ‎03-27-2013

Re: ClearPass and Palo Alto integration with guest mac caching

Hi all,

I have updated to ClearPass 6.5.6, but the issue remains and the value "IP-Address-Change-Notify" does not appear.

Regards

Andrea
Regular Contributor II
Posts: 207
Registered: ‎09-11-2013

Re: ClearPass and Palo Alto integration with guest mac caching

If the folks from Aruba are busy, then please stay tuned. I'm building it in my lab. I have done it for EAP-PEAP but not for MAC auth. Will update you here.

Thanks,

Guru Elite
Posts: 7,852
Registered: ‎09-08-2010

Re: ClearPass and Palo Alto integration with guest mac caching

Andrea - Please open a TAC case.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Regular Contributor II
Posts: 207
Registered: ‎09-11-2013

Re: ClearPass and Palo Alto integration with guest mac caching

Andrea,

I got the basic guest working with PAN. CPPM sends the guest account info as such:

If the guest username was guestname@company.com, PAN receives it as company.com\guestname, which is good enough. This is if the guest logs in with webauth.

For MAC auth though, I wasn't able to get it to work :(

@DannyJump had a great tech note titled "PANW and CPPM Advanced Deployment use-case TechNote (V2-July 2014)".

If you follow pages 18 onward, you should get the basic workflow configured. To that point, I will suggest calling TAC for help.

The technote has some options for the session_check that I couldn't find in my CPPM 6.6 or 6.5.

Anyway, let me know if you need help getting to that point, and let me know if TAC can help.
