Occasional Contributor I

ClearPass Integration with Palo Alto FW (Health Status, no 802.1x)

Hello Guys,

 

We have a ClearPass PoC with one of our very VIP, sensitive customers.

 

The scenario is that they just need to check the health status of the (wired) desktops and send the health status (Healthy, Quarantine, Unknown) to the Palo Alto firewall, without 802.1x integration with any switch.

 

We already have the integration document, but this is the first time we are doing such an integration and we have some points of confusion:

 

1- Do we need to add the PANW context server in CPPM and/or Palo Alto Networks Panorama Context Server?

 

2- In the context server configuration in CPPM, do we need to keep the Service Base URL as per the below, or do we need to substitute the server_ip?

[attachment: PANW context server.JPG]

3- As there is no authentication (i.e. dot1x), shall we upgrade to CPPM 6.6.x?

4- Please advise if you can provide a sample configuration for our case from the ClearPass and Palo Alto side.

 

Thanks,

Zahran

Zahran,
ACCP, ACMP, ASE

Moderator

Re: ClearPass Integration with Palo Alto FW (Health Status, no 802.1x)

Jordan, answers inline below.

1- Do we need to add the PANW context server in CPPM and/or Palo Alto Networks Panorama Context Server?

[djj] - If you have Panorama then you can just add Panorama, assuming the firewall is being managed by Panorama.

2- In the context server configuration in CPPM, do we need to keep the Service Base URL as per the below, or do we need to substitute the server_ip?

[attachment: PANW context server.JPG]

[djj] - Never change it.

3- As there is no authentication (i.e. dot1x), shall we upgrade to CPPM 6.6.x?

[djj] - So you want to leverage OnConnect and then use an enforcement profile to send data to PANW; that should be OK.

4- Please advise if you can provide a sample configuration for our case from the ClearPass and Palo Alto side.

[djj] - Config for what exactly?


Best Regards
-d

ClearPass Product Manager

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.

Occasional Contributor I

Re: ClearPass Integration with Palo Alto FW (Health Status, no 802.1x)

Thanks a lot for your reply Danny.

 

For OnConnect, shall we configure the SNMP traps from the switches to the ClearPass?

 

In order to just push the health update to PANW, do we need to configure OnConnect enforcement using the OnConnect enforcement template and follow the below?

 * Configure SNMP v2c or v3 MIB access on the wired switch.
 * Configure SNMP traps from the wired switch to the ClearPass appliance.
 * Define a Network Access Device with SNMP information and physical ports to be used with OnConnect Enforcement (at Configuration > Network > Devices).
 * Configure Windows Management Instrumentation details in the Profile settings (at Configuration > Profile Settings > WMI Configuration).
 * Configure a service using the ClearPass OnConnect Enforcement template (at Configuration > Services > Add, select ClearPass OnConnect Enforcement in the Type drop-down list).

Sample Workflow:

 1. Log in to a domain-joined endpoint.
 2. Connect the endpoint to the port configured for OnConnect Enforcement.
 3. The switch will send an SNMP trap to ClearPass with the endpoint MAC details.
 4. ClearPass will learn of the endpoint IP and device details through profiling (for example, DHCP).
 5. Using WMI, ClearPass will then initiate a scan against the endpoint to identify the logged-in user.
 6. Based upon the user information, the endpoint can be placed into an appropriate VLAN or have its port bounced to apply a different policy.

Or do we just need to update the CPPM to v6.6 and add an enforcement profile to push the health status to the PANW?

 

Thanks,

Zahran

 

Zahran,
ACCP, ACMP, ASE

Moderator

Re: ClearPass Integration with Palo Alto FW (Health Status, no 802.1x)

Hi Zahran,

 

I'm now much clearer on your ask and plans. So.... if you want OnConnect you should plan on using 6.6.2 [6.6.3 will be released this week, barring any last-minute issues]. Yes, as part of OnConnect, switches must send SNMP link notifications to CPPM; depending on the switches we've seen differing results.... what switch are you using?

 

The switch must also support SNMP writes.

 

Now for the difficult piece. Today I'm pretty sure you CAN'T achieve what you want with the OnConnect and PAN integration of sending a posture update. The post-auth enforcement profile triggers off a RADIUS accounting start; as there is no RADIUS here, this is not going to work.

 

We're going to have to rethink this; nothing comes to mind immediately... let me noodle on this.... got to go out now, need to go coach basketball..... :)

Best Regards
-d

ClearPass Product Manager


Occasional Contributor I

Re: ClearPass Integration with Palo Alto FW (Health Status, no 802.1x)

Hi Danny,

 

Thank you very much for your helpful and prompt support.

I hope all is well with your basketball coaching :)

 

Great, your notes make it clear on what options we have now.

 

Many thanks again.

 

Thanks,

Zahran

Zahran,
ACCP, ACMP, ASE

New Contributor

Re: ClearPass Integration with Palo Alto FW (Health Status, no 802.1x)

Dear Danny,
Can't we do it through the API integration rather than RADIUS?

Moderator

Re: ClearPass Integration with Palo Alto FW (Health Status, no 802.1x)

That was my initial thought: we'd do this as a post_auth enforcement action, but we're tied into the same restriction in that post_auth is triggered from a RADIUS accounting start or interim-accounting update. We need to do this post-auth as we need the IP address to let PANW know, as this is key for them to help match the session. We can't do an HTTP enforcement as this fires before we have the IP address.


Best Regards
-d

ClearPass Product Manager
