Frequent Contributor I
Posts: 270
Registered: ‎09-24-2010

Clearpass/Palo Alto Integration

Does the user account used to log into the firewall need to be a domain admin account?  I had this working fine until I removed domain admin rights from the service account used to log into the firewall.

Guru Elite
Posts: 8,196
Registered: ‎09-08-2010

Re: Clearpass/Palo Alto Integration

No, you usually use a local admin user on the Palo.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Frequent Contributor I
Posts: 270
Registered: ‎09-24-2010

Re: Clearpass/Palo Alto Integration

I think I know what's going on.  It's a RADIUS auth acct and I have domain admins attached to allow on the backend server.

Moderator
Posts: 473
Registered: ‎11-09-2012

Re: Clearpass/Palo Alto Integration

I show in my latest TechNote how to utilize the PAN inbuilt domain RBAC to minimize the account privileges required for this account.

Can't understand why it would need domain admin rights, unless you have created some differing auth-profile/auth-sequence... Can you check that your auth sequence still checks the Local DB for your user?


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

Frequent Contributor I
Posts: 270
Registered: ‎09-24-2010

Re: Clearpass/Palo Alto Integration

I have enabled RADIUS auth only into the FW's (admin mgmt into the fw's).  In NPS (Server 2012), you can only add an AD group (as far as I understand).  That group seems to only work if in domain admins.
