Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass 6.2 and Palo Alto FW 5.0 integration

  • 1.  Clearpass 6.2 and Palo Alto FW 5.0 integration

    Posted Mar 26, 2014 12:32 PM

    Hello,

    I've been trying to find out where I have gone askew but can't see anything that I have done differently from the Tech Note that explains how to integrate Clearpass and Palo Alto Firewalls.  I do not know if my issue is on the Clearpass side or the Palo Alto side. Hoping that someone here can point me in a good direction!

     

    I have my Insight Database enabled and running.

     

    I've verified that RADIUS Interim Accounting is enabled on my Controller. (7210)

     

    Post_Authentication is set to default Eager Handler Polling Frequency (30 seconds)

     

    I've added the Endpoint Context Server for my Firewall in Clearpass and provided a Username and password I created in the Firewall that is a device admin.

     

    I've configured a Palo Alto Trigger Update Enforcement Profile, using Session-Check, IP-Address-Change-Notification and the value drop down selected my Firewall IP.

     

    Added the Enforcement Profile to my Current Enforcement Policy.  (Tips:Role EQUALS [User Authenticated])

     

    The profile is already applied to a Service.

     

    I configured Dynamic-Objects for Categories that I have in Clearpass.

     

     

    When I run "debug user-id dump xmlapi-stats" on the firewall I have 0s which means I have some sort of configuration issue between the two devices. 

     

     

    ereader@PA-3020> debug user-id dump xmlapi-stats


    vsys: vsys1
    num of input : 0
    num of user login : 0
    num of user logout : 0
    num of dynamic address object register : 0
    num of dynamic address object unregister: 0
    num of user group : 0

    ereader@PA-3020>

     

     

     

    Looking in the Postauthctrl.log I am not seeing anything that is standing out as a glaringly obvious issue. I do see a few warnings from time to time that Request handling is already in progress. I don't necessarily want to post the whole log because there is quite a bit of user data in it. So I have taken a snippet of it and changed IPs and MACs so that I could provide as much info as possible.

     

     

     

    Any assistance would be greatly appreciated. 

     





  • 2.  RE: Clearpass 6.2 and Palo Alto FW 5.0 integration

    Posted Mar 26, 2014 02:52 PM

    Please check in Access Tracker for an authentication to see if the Accounting Tab is shown?

     

    Also, if possible following all these changes would you have the ability to stop/start the async-net daemon?



  • 3.  RE: Clearpass 6.2 and Palo Alto FW 5.0 integration

    Posted Mar 26, 2014 02:57 PM

    Looking for something like this in the postauthctrl.log file...

     

     

     

    2014-03-20 18:19:56,432 DEBUG root pactrlmonitprofile PACtrlMonitProfile::process() for enf_profile_name=Palo Alto Enforcement
    2014-03-20 18:19:56,432 DEBUG root pactrlmonitprofile SessionIPChangeNotifyMonitProfile::process()
    2014-03-20 18:19:56,432 DEBUG root pactrlmonitprofile SessionIPChangeNotifyMonitProfile::_perform_ip_change_notify_checks()
    2014-03-20 18:19:56,432 DEBUG root pactrlmonitprofile SessionIPChangeNotifyMonitProfile::_perform_user_checks()
    2014-03-20 18:19:56,433 INFO root pactrlmonitprofile Active users ==> sizeof(qrd_user_set)=3
    2014-03-20 18:19:56,433 INFO root pactrlmonitprofile Number of users = 6 being monitored against enforcement profile = Palo Alto Enforcement
    2014-03-20 18:19:56,433 INFO root pactrlmonitprofile Active users sizeof(qrd_user_set)=3, associated with profile=Palo Alto Enforcement
    2014-03-20 18:19:56,433 INFO root pactrlmonitprofile sizeof(user_set)=3|sizeof(all_user_set)=3|filtered_set=3
    2014-03-20 18:19:56,433 INFO root pactrlmonitprofile sizeof(userid_key_set)=3
    2014-03-20 18:19:56,433 DEBUG root pactrlmonitprofile loggedin_user_map size=3
    2014-03-20 18:19:56,434 DEBUG root pactrlmonitprofile Persisted userid_map size=0
    2014-03-20 18:19:56,434 DEBUG root pactrlmonitprofile Printing sizeof(qrd_device_info_map)=3
    2014-03-20 18:19:56,434 INFO root sessionrestrictionhandler Request::Process returned True, adding this to the action list
    2014-03-20 18:19:56,434 INFO root pactrlmonitprofile Login contents={
    <uid-message>
    <version>1.0</version>
    <type>update</type>
    <payload>
    <login>
    <entry name="soyunWin7@microsoft.com" ip="10.10.10.9"/><entry name="dannyjump@arubacafe.com" ip="10.10.10.1"/><entry name="danny@pan.com" ip="10.10.10.7"/>
    </login>
    </payload>
    </uid-message>
    }|Logout contents={None}
    2014-03-20 18:19:56,434 DEBUG root pactrlmonitprofile Printing login contents with full username
    2014-03-20 18:19:56,434 INFO root pactrlmonitprofile Login contents full username ={
    <uid-message>
    <version>1.0</version>
    <type>update</type>
    <payload>
    <login>
    <entry name="soyunWin7@microsoft.com" ip="10.10.10.9"/><entry name="dannyjump@arubacafe.com" ip="10.10.10.1"/><entry name="danny@pan.com" ip="10.10.10.7"/>
    </login>
    </payload>
    </uid-message>
    }|Logout contents full username={None}
    2014-03-20 18:19:56,435 INFO root pactrlmonitprofile Register user contents={
    <uid-message>
    <version>1.0</version>
    <type>update</type>
    <payload>
    <register>
    <entry identifier="Windows" ip="10.10.10.9"/><entry identifier="Mac_OS_X" ip="10.10.10.1"/><entry identifier="Apple_iPhone" ip="10.10.10.7"/>
    </register>
    </payload>
    </uid-message>
    }|Unregister user contents={None}
    2014-03-20 18:19:56,435 INFO root pactrlmonitprofile PADeviceFullUserName=false
    2014-03-20 18:19:56,436 DEBUG root pactrlmonitprofile Sending UID mapping to Palo Alto device
    2014-03-20 18:19:56,436 DEBUG root pactrlmonitprofile Sending userid object for padevice=192.168.255.200
    2014-03-20 18:19:57,038 DEBUG root pactrlmonitprofile Read response={<response status="success"><result><![CDATA[

    ]]></result></response>} from padevice=192.168.255.200 for posting the data @ URL = https://192.168.255.200/api/?type=user-id&action=set&key=LUFRPT02NGJ3d08wc0R0cjdFbnpQd3Z6RitxN3ZWRDQ9dkxDaUpkeTQ2bUdXOExRMjhpbmo1UT09&cmd=%20%20%20%20%3Cuid-message%3E%20%20%20%20%3Cversion%3E1.0%3C/version%3E%20%20%20%20%20%3Ctype%3Eupdate%3C/type%3E%20%20%20%20%20%3Cpayload%3E%20%20%20%20%3Clogin%3E%20%20%20%20%3Centry%20name%3D%22soyunWin7%40microsoft.com%22%20ip%3D%2210.10.10.9%22/%3E%3Centry%20name%3D%22dannyjump%40arubacafe.com%22%20ip%3D%2210.10.10.1%22/%3E%3Centry%20name%3D%22danny%40pan.com%22%20ip%3D%2210.10.10.7%22/%3E%20%20%20%20%3C/login%3E%20%20%20%20%3C/payload%3E%20%20%20%20%3C/uid-message%3E%20%20%20%20
    2014-03-20 18:19:57,039 WARNING root pactrlmonitprofile Not sending userid object for padevice=192.168.255.200 as the data or auth_token is empty
    2014-03-20 18:19:57,039 DEBUG root pactrlmonitprofile Notify HIPReportHandler::login_user()
    2014-03-20 18:19:57,039 INFO root hipreporthandler Received {['2477031e9334', '0026bb12af6d', '4860bc40243c']}


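The log above shows the exact shape of what ClearPass posts to the firewall: a `<uid-message>` of type `update` with `<login>` entries keyed by `name` and `<register>` entries keyed by `identifier` (the PAN-OS 5.0-era format), URL-encoded into the `cmd=` parameter of `/api/?type=user-id&action=set&key=...`. The following Python is an added example, not ClearPass or Palo Alto code; it builds that message from constructed sample entries, composes the same URL shape, reads the `status` attribute of the firewall's XML response, and redacts the `key=` value so a log line like the one above can be shared without exposing the API key (the log as posted carries the key in cleartext). The function names, the placeholder key and the sample users are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit


def build_uid_message(logins=(), logouts=(), registers=(), unregisters=()):
    """Build a User-ID <uid-message> of type 'update' in the format the log shows.

    logins / logouts:       (username, ip) tuples -> <login>/<logout> entries keyed by name=
    registers / unregisters: (tag, ip) tuples      -> <register>/<unregister> entries keyed by identifier=
    A section with no entries is omitted, which is what ClearPass logs as "{None}".
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    sections = (
        ("login", logins, "name"),
        ("logout", logouts, "name"),
        ("register", registers, "identifier"),
        ("unregister", unregisters, "identifier"),
    )
    for section, entries, key_attr in sections:
        entries = list(entries)
        if not entries:
            continue
        elem = ET.SubElement(payload, section)
        for key, ip in entries:
            ET.SubElement(elem, "entry", {key_attr: key, "ip": ip})
    return ET.tostring(root, encoding="unicode")


def build_api_url(fw_host, api_key, uid_message):
    """Compose the GET URL in the shape seen in the log: type=user-id&action=set&key=...&cmd=<xml>."""
    query = urlencode({"type": "user-id", "action": "set", "key": api_key, "cmd": uid_message})
    return f"https://{fw_host}/api/?{query}"


def decode_cmd_from_url(url):
    """Recover the XML document from the cmd= parameter of an API URL (e.g. copied from a log)."""
    return parse_qs(urlsplit(url).query)["cmd"][0]


def redact_api_key(url):
    """Replace the key= value so the URL can be pasted into a ticket without leaking the API key."""
    return re.sub(r"(?<=[?&]key=)[^&]+", "REDACTED", url)


def parse_api_response(body):
    """Return the status attribute ('success' or 'error') of a PAN-OS XML API response."""
    return ET.fromstring(body).get("status")


if __name__ == "__main__":
    # Constructed sample data; the key is a placeholder, not a real API key.
    msg = build_uid_message(
        logins=[("danny@pan.com", "10.10.10.7")],
        registers=[("Apple_iPhone", "10.10.10.7")],
    )
    url = build_api_url("192.0.2.1", "PLACEHOLDER_API_KEY", msg)
    print(msg)
    print(redact_api_key(url))
    print(parse_api_response('<response status="success"><result><![CDATA[\n]]></result></response>'))
```

The response in the log above reads `status="success"` even though the next line warns that nothing was sent for a later profile, so a practitioner reading the log should treat each `Read response=` line as confirming only the post immediately before it.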

  • 4.  RE: Clearpass 6.2 and Palo Alto FW 5.0 integration

    Posted Mar 26, 2014 03:31 PM

    Yes I do have the Accounting Tab when I go under Access Tracker. Do you want any information from there?

     

    Also I am not seeing the information like the example provided. There was a similar example in the white paper and I didn't see much similar.

     

    This is what I am seeing in similar places.

    2014-03-26 13:19:12,541 INFO   root             pactrlmonitprofile Login contents={None}|Logout contents={None}

     

    So it's not providing any information it seems?

     

    I just generated a new log to see if any difference has been made because we've been making sure the Firewall allows this Device to talk to it. The line that stands out the most to me says Not sending userid object for padevice=10.10.8.1 as the data or auth_token is empty

     

    So I am not sure what I'm missing.

     

    2014-03-26 13:19:12,527 DEBUG root pactrlmonitprofile Fetched Insight host=10.10.10.6
    2014-03-26 13:19:12,540 DEBUG root pactrlmonitprofile Printing device_info from database=[['d89695e896a3', 'SmartDevice']]
    2014-03-26 13:19:12,540 DEBUG root pactrlmonitprofile Printing qrd_device_info_map={'d89695e896a3': ('SmartDevice', '10.10.7.182')}
    2014-03-26 13:19:12,540 INFO root pactrlmonitprofile List of registered devices(qrd_device_info_map) = [{'d89695e896a3': ('SmartDevice', '10.10.7.182')}]
    2014-03-26 13:19:12,541 INFO root sessionrestrictionhandler Request::Process returned True, adding this to the action list
    2014-03-26 13:19:12,541 INFO root pactrlmonitprofile Login contents={None}|Logout contents={None}
    2014-03-26 13:19:12,541 INFO root pactrlmonitprofile Register user contents={None}|Unregister user contents={None}
    2014-03-26 13:19:12,541 WARNING root pactrlmonitprofile Not sending userid object for padevice=10.10.8.1 as the data or auth_token is empty
    2014-03-26 13:19:12,541 WARNING root pactrlmonitprofile Not sending userid object for padevice=10.10.8.1 as the data or auth_token is empty
    2014-03-26 13:19:12,541 WARNING root pactrlmonitprofile Not sending userid object for padevice=10.10.8.1 as the data or auth_token is empty
    2014-03-26 13:19:12,541 WARNING root pactrlmonitprofile Not sending userid object for padevice=10.10.8.1 as the data or auth_token is empty
    2014-03-26 13:19:12,541 DEBUG root sessionrestrictionhandler PerformAction returned=None

     

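The two log excerpts in this thread differ in a way that is easy to miss when reading by hand: the working one assembles a `Login contents={<uid-message>...}` batch and gets a `status="success"` response, while the failing one logs `Login contents={None}` and then repeats `Not sending userid object ... as the data or auth_token is empty`. The following Python is an added example, not part of the thread or of ClearPass; it parses `postauthctrl.log` lines of the shape posted above (timestamp, level, logger, module, message, with variable spacing), counts those three signals per firewall address, and turns them into the checks the thread itself raises (Insight, interim accounting, profiling, context-server credentials and reachability on 443). The sample lines are taken from the two posts above and trimmed; the function names are assumptions.

```python
import re
from collections import Counter

# Line layout seen in the posted postauthctrl.log excerpts; spacing between fields varies.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"(?P<logger>\S+)\s+(?P<module>\S+)\s+(?P<msg>.*)$"
)
EMPTY_SEND_RE = re.compile(
    r"Not sending userid object for padevice=(?P<fw>\S+) as the data or auth_token is empty"
)
POSTED_RE = re.compile(r'Read response=\{<response status="(?P<status>\w+)"')

# Constructed from the two excerpts posted in this thread (multi-line XML lines are skipped by LOG_RE).
SAMPLE_WORKING = """\
2014-03-20 18:19:56,434 INFO root pactrlmonitprofile Login contents={
<uid-message>
</uid-message>
}|Logout contents={None}
2014-03-20 18:19:56,434 INFO root pactrlmonitprofile Login contents full username ={
2014-03-20 18:19:57,038 DEBUG root pactrlmonitprofile Read response={<response status="success"><result><![CDATA[
2014-03-20 18:19:57,039 WARNING root pactrlmonitprofile Not sending userid object for padevice=192.168.255.200 as the data or auth_token is empty
""".splitlines()

SAMPLE_FAILING = """\
2014-03-26 13:19:12,541 INFO   root             pactrlmonitprofile Login contents={None}|Logout contents={None}
2014-03-26 13:19:12,541 INFO root pactrlmonitprofile Register user contents={None}|Unregister user contents={None}
2014-03-26 13:19:12,541 WARNING root pactrlmonitprofile Not sending userid object for padevice=10.10.8.1 as the data or auth_token is empty
2014-03-26 13:19:12,541 WARNING root pactrlmonitprofile Not sending userid object for padevice=10.10.8.1 as the data or auth_token is empty
2014-03-26 13:19:12,541 DEBUG root sessionrestrictionhandler PerformAction returned=None
""".splitlines()


def parse_line(line):
    """Split one log line into its fields; return None for continuation lines (XML, braces)."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines):
    """Count the signals that distinguish a working from a failing Palo Alto handler run."""
    report = {
        "login_batches": 0,        # 'Login contents={' followed by a uid-message
        "empty_login_batches": 0,  # 'Login contents={None}'
        "empty_sends": Counter(),  # firewall -> count of 'data or auth_token is empty' warnings
        "posts": Counter(),        # response status -> count of posts actually made
    }
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        m = EMPTY_SEND_RE.search(msg)
        if m:
            report["empty_sends"][m["fw"]] += 1
            continue
        if msg.startswith("Login contents="):
            if msg.startswith("Login contents={None}"):
                report["empty_login_batches"] += 1
            else:
                report["login_batches"] += 1
            continue
        m = POSTED_RE.search(msg)
        if m:
            report["posts"][m["status"]] += 1
    return report


def diagnose(report):
    """Map the counts to the checks raised in the thread. Returns a list of findings."""
    findings = []
    if report["login_batches"] == 0 and report["empty_login_batches"] > 0:
        findings.append(
            "no login batch assembled: verify Insight is enabled, RADIUS interim accounting reaches "
            "ClearPass (Accounting tab in Access Tracker), and the endpoints are profiled"
        )
    for fw, n in report["empty_sends"].items():
        if report["posts"]["success"] == 0:
            findings.append(
                f"{n} empty sends to {fw} and no successful post: verify the Endpoint Context Server "
                f"credentials and that the ClearPass interface facing {fw} is allowed on TCP 443"
            )
    if report["posts"]["success"] > 0:
        findings.append(f"{report['posts']['success']} successful User-ID post(s) observed")
    return findings


if __name__ == "__main__":
    for label, sample in (("working", SAMPLE_WORKING), ("failing", SAMPLE_FAILING)):
        print(label, diagnose(triage(sample)))
```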


  • 5.  RE: Clearpass 6.2 and Palo Alto FW 5.0 integration

    Posted Mar 26, 2014 05:16 PM

    Humm.... from your comments, how sure are you that some f/w policy is not blocking the comms from CPPM <-> PANW?

     

    We use 443 for all the comms between CPPM & PANW device.



  • 6.  RE: Clearpass 6.2 and Palo Alto FW 5.0 integration

    Posted Mar 26, 2014 05:20 PM

    Originally we were seeing some traffic being blocked between the two. But we have sorted out the issue and can now communicate between the two. I can see an active logged in session on the Firewall using the account set up specifically for Clearpass. So that even shows that it is connecting now. 

     

    About 10 minutes ago we noticed that we have started to see a few usernames populate in the Firewall. Do I have to wait for each user to reauthenticate through Clearpass to get it to update the data to the firewall? Since it doesn't seem to contain EVERY active user, only relatively recently authenticated users. 

     

     



  • 7.  RE: Clearpass 6.2 and Palo Alto FW 5.0 integration

    Posted Mar 26, 2014 06:03 PM

    Glad you managed to sort out your issue :)

     

    When a user associates with an SSID and we (CPPM) authenticate the user with RADIUS:Accept AND we have fingerprinted the device, we will send a LOGIN record to the PANW. So yes, you're correct, users will need to re-auth; what I'm saying is once they are on the network, we don't keep telling PANW this....when they dissociate we will send a LOGOUT to PANW.



  • 8.  RE: Clearpass 6.2 and Palo Alto FW 5.0 integration

    Posted Mar 27, 2014 11:30 AM

    Thanks, this morning we are seeing much more information populate so it looks like we got it sorted out. So it seems the Firewall rule was the biggest issue I ran into. 

     

    When setting up integration with Palo Alto you need to make sure you have a rule that allows the Data Port of your Clearpass Server to talk with the Firewall. We had a rule that allowed the management port to talk with our Firewall, and didn't realize that Clearpass was talking with Palo Alto using the Data Port.

     

    I didn't remember reading anything about the different ports when I was going through the White Paper, but it makes sense to me when I stop to think about it. 

     



  • 9.  RE: Clearpass 6.2 and Palo Alto FW 5.0 integration

    Posted Mar 27, 2014 01:09 PM

    Glad you have it working.

     

    Take a look at my TechNote 'Service Routing' which you can find here....

     

    http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961

     

    In short, if the PANW IP@ is in the local IP SUBNET of the Data-Int we will use the Data; if it's on the IP SUBNET of the Mgmt-Int we will use that.

     

    Hope that helps.
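The firewall rule that fixed the thread depends on which ClearPass interface sources the API traffic, and the reply above gives the rule for the on-subnet cases: a PANW address inside the data interface's subnet is reached from the data interface, one inside the management interface's subnet from the management interface. The following Python is an added example, not ClearPass code or the TechNote's text; it applies that rule with `ipaddress` and derives the source address and port (TCP 443, as stated earlier in the thread) that the firewall policy must permit. The off-subnet case is not described in the post, so the function returns `None` there rather than guessing; interface addresses and the sample PANW address are constructed.

```python
import ipaddress


def select_source_interface(panw_ip, data_if, mgmt_if):
    """Return 'data' or 'mgmt' per the rule in the reply above, or None when the PANW address
    is in neither local subnet (that case is not covered by the post).

    data_if / mgmt_if are interface addresses with prefix length, e.g. '10.10.8.10/24'.
    """
    target = ipaddress.ip_address(panw_ip)
    if target in ipaddress.ip_interface(data_if).network:
        return "data"
    if target in ipaddress.ip_interface(mgmt_if).network:
        return "mgmt"
    return None


def required_firewall_rule(panw_ip, data_if, mgmt_if):
    """Describe the policy entry the firewall needs: source = the ClearPass interface that will be
    used, destination = the firewall address, TCP 443 (the port named earlier in the thread)."""
    chosen = select_source_interface(panw_ip, data_if, mgmt_if)
    if chosen is None:
        return None
    src = data_if if chosen == "data" else mgmt_if
    return {
        "source_interface": chosen,
        "source_ip": str(ipaddress.ip_interface(src).ip),
        "destination_ip": panw_ip,
        "protocol": "tcp",
        "port": 443,
    }


if __name__ == "__main__":
    # Constructed addresses: data interface on 10.10.8.0/24, management on 10.10.10.0/24.
    print(required_firewall_rule("10.10.8.1", "10.10.8.10/24", "10.10.10.6/24"))
    print(required_firewall_rule("10.10.10.1", "10.10.8.10/24", "10.10.10.6/24"))
    print(required_firewall_rule("192.168.255.200", "10.10.8.10/24", "10.10.10.6/24"))
```

The practical check is to compare the `source_ip` this returns against the source address in the existing firewall rule; in the thread the rule allowed the management address while ClearPass was sourcing from the data address.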