Security

last person joined: 12 hours ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

Clearpass Integration

This thread has been viewed 3 times

  • 1.  Clearpass Integration

    Posted Aug 15, 2014 10:24 AM

    Does Clearpass integrate with Palo Alto Firewalls at all? 



  • 2.  RE: Clearpass Integration
    Best Answer

    EMPLOYEE


  • 3.  RE: Clearpass Integration

    Posted Aug 15, 2014 10:32 AM

    cool.. is it only if we are using Clearpass as our MDM solution?



  • 4.  RE: Clearpass Integration

    EMPLOYEE
    Posted Aug 15, 2014 11:51 AM
    No. Basic RADIUS is integrated as well.

    Also, there is direct Palo integration on controllers running 6.3 and higher.


  • 5.  RE: Clearpass Integration

    Posted Aug 15, 2014 11:56 AM

    I am running 6.4.1.0 -- where is the Palo section?



  • 6.  RE: Clearpass Integration

    EMPLOYEE
    Posted Aug 15, 2014 12:00 PM

    .PALO Config



  • 7.  RE: Clearpass Integration

    EMPLOYEE
    Posted Aug 15, 2014 12:01 PM
    To configure the server info:

    Configuration > All profiles


    Then you need to enabled the "PAN integration" check box in your AAA profile(s)


  • 8.  RE: Clearpass Integration

    Posted Aug 15, 2014 02:41 PM

    So…..we can setup policy on Palo for guests and be able to identify guest accounts? For example, if guest “test123” is streaming Netflix all day, Palo will identify the guest user as “test123”?



  • 9.  RE: Clearpass Integration

    EMPLOYEE
    Posted Aug 15, 2014 03:11 PM

    Does the link here:  Pano Feature Explained answer your question?

     



  • 10.  RE: Clearpass Integration

    Posted Aug 15, 2014 03:18 PM

    sorta.. I dont know if we will get detailed information with Guest users though.



  • 11.  RE: Clearpass Integration

    EMPLOYEE
    Posted Aug 15, 2014 03:22 PM

    RR8,

     

    The controller simply passes on the username and password to PAN.  Pan needs to do something with that username and password, like authenticate it to a database and assign it to a specific profile.  What can be monitored after the user info is passed onto PAN is a PAN question....



  • 12.  RE: Clearpass Integration

    Posted Aug 15, 2014 03:42 PM

    RR*,

     

    Tim has pointed you to two TechNotes aof mine which spell out how to configure CPPM + PANW. One of the doc clearly discusses some more advanced deployments utilizing PAN HIP Objects.

     

    To answer your speciic question, YES, we will send the guest userid (P.S. we never send the password) to the PANW and the PANW can then enforce a policy based upon the userid or lots of other attributes we send, that can be used to limit this user from download/streaming content.

     

     



  • 13.  RE: Clearpass Integration

    Posted Aug 15, 2014 03:49 PM

    cool thanks!  I will give it a try



  • 14.  RE: Clearpass Integration

    Posted Aug 21, 2014 04:02 PM

    Is there another tech note or write up for the configurations necessary on the PANW side?  I got the Clearpass side all setup.. Looks like the tech note attached in this thread has some incorrect information... There is no Dynamic option when adding a new address??

     

    Capture.JPG

     



  • 15.  RE: Clearpass Integration

    Posted Aug 21, 2014 04:17 PM

    RR8,

     

    Looks like you have an OLD TechNote their of mine. Please take a look at the V4 TechNote covering CPPM+PANW on the support site.

     

     



  • 16.  RE: Clearpass Integration

    Posted Aug 22, 2014 03:06 PM

    very confusing.. so I have to create tags and apply to a hip profile to get this working?