Regular Contributor I

Clearpass Panorama Integration - authentication error

Hi,
 
I've been following the technote but not seeing users appear in Panorama.
 
The Clearpass log shows it is trying but is getting a permissions error from PA:
 
2014-10-21 15:26:46,544 DEBUG  root             pactrlmonitprofile Read response={<response status = 'error' code = '403'><result><msg>User not authorized to perform this operation.</msg></result></response>
 
But our user has the right permissions - User-ID agent under XML API. 
 
Unfortunately none of the troubleshooting commands in the technote seem to work on Panorama. Can anyone suggest how to troubleshoot this further?
 
regards,
 
B

 


--
ACMA ACMP
Aruba

Re: Clearpass Panorama Integration - authentication error

What version of PAN-OS? There was a specific fix for this very issue, but it was back in version 5.0.5:

 

49114: Customer was unable to add User-IP Mapping to a firewall using the API and the following error message was displayed: "User not authorized to perform this operation". This problem occurred with an admin account created with the "User-ID Agent" privilege only. The issue has been resolved with this release.

 

 

Also, did you input all the PAN endpoint serial numbers in the Palo Alto Networks Panorama Endpoint Context Server configuration?

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Regular Contributor I

Re: Clearpass Panorama Integration - authentication error

Hi,

 

Software is 6.0.5. We have entered all the serial numbers and the Panorama one too just in case.

 

Current perms attached, the user has most perms under web as well.

 

The user is under the Panorama Admins not Device Admins, would that make a difference?

 

 


--
ACMA ACMP
Regular Contributor I

Re: Clearpass Panorama Integration - authentication error

Anyone have experience with this?


--
ACMA ACMP
Regular Contributor I

Re: Clearpass Panorama Integration - authentication error

Issue still unresolved...

 

No usernames appearing and no logs/errors in either PA or CP.

 

Enforcement profiles shows it is working.


--
ACMA ACMP
Regular Contributor II

Re: Clearpass Panorama Integration - authentication error

Let me do a mock-up and I'll get back to you.

 

 

 

Re: Clearpass Panorama Integration - authentication error

Have you opened a TAC ticket?

Regular Contributor I

Re: Clearpass Panorama Integration - authentication error

Was working with my local Aruba tech on this, but time to open one I think. I did have a case open with Palo Alto but no result. Also I didn't manage to get any information on how to verify the push is working from the PA end. It seems the Collect Logs is the only mechanism. 

 

I have just upgraded ClearPass to 6.3.6 and we are now seeing some usernames in Panorama, but not all client IPs have one. Would like to figure out why it doesn't occur for all users.

 

The second issue is the Panorama integration doesn't seem to work at all, so my workaround is to push to all firewall appliances instead (i.e. one enforcement profile with a rule for each appliance in the network).

The downside of this is we are pushing to firewalls that don't even know about a particular IP. Might this be causing push failures, since 8 firewalls have to be updated for every login event?

 

So I have just refined this a bit at the expense of complicating the Enforcement Policy. Now we check NAS IP address and only push to the relevant firewalls for that NAS's location. First indications are this hasn't made the push any more reliable.

 

Worth noting if I manually create and post the XML it works every time :)

 

 


--
ACMA ACMP
Contributor II

Re: Clearpass Panorama Integration - authentication error

Was curious if you had any resolution on this issue. We just received a PA5060 to demo, and I'm seeing the same error you are despite following the technotes/having their professional services guy walk us through the integration.

 

2015-02-28 01:09:06,077 INFO root pactrlmonitprofile PA_Panorama_Username_Transform=none
2015-02-28 01:09:06,077 DEBUG root pactrlmonitprofile Sending UID mapping to Palo Alto device
2015-02-28 01:09:06,078 WARNING root pactrlmonitprofile Not sending userid object for padevice=172.29.40.252 as the data or auth_token is empty
2015-02-28 01:09:06,078 DEBUG root pactrlmonitprofile Sending userid object for padevice=172.29.40.252
2015-02-28 01:09:06,246 DEBUG root pactrlmonitprofile Read response={<response status = 'error' code = '403'><result><msg>User not authorized to perform this operation.</msg></result></response>} from padevice

 

Our ClearPass install is on 6.4.4 and the PAN-OS is 6.1.2 so neither are particularly old. I'll be opening a TAC ticket of my own shortly but figured it wouldn't hurt to ask if you had found a solution for this yet. :)
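Both the earlier remark that a hand-built XML post works every time and the log above (a warning that the auth_token is empty, followed by a 403 from the device) come down to the same two PAN-OS XML API calls: type=keygen to obtain a key, then type=user-id to post a uid-message. The script below is an added example written for this thread, not ClearPass or Palo Alto Networks code; the host names, the admin account and the IP/user mappings are constructed placeholders, and the two sample replies are constructed (the 403 body is the one quoted above, the success body is minimal). Run stand-alone it touches no network.

```python
"""Added example, not ClearPass or Palo Alto Networks code: build the
<uid-message> the PAN-OS XML API 'type=user-id' call expects, send it with a
key from 'type=keygen', and classify the reply so a 403 is reported, not lost.
Hosts, account and mappings are constructed placeholders; run stand-alone it
touches no network.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Constructed sample replies. SAMPLE_403 is the body quoted in the thread;
# SAMPLE_OK is a minimal success reply written for this example.
SAMPLE_403 = ("<response status = 'error' code = '403'><result><msg>"
              "User not authorized to perform this operation.</msg></result></response>")
SAMPLE_OK = '<response status="success"><result>done</result></response>'


def build_uid_message(logins, logouts=(), timeout_min=20):
    """Return the <uid-message> XML for a User-ID update.

    logins and logouts are iterables of (username, ip). quoteattr() escapes
    the values, so a user name containing quotes cannot break the payload.
    """
    parts = ['<uid-message><version>1.0</version><type>update</type><payload>']
    if logins:
        parts.append('<login>')
        for user, ip in logins:
            parts.append('<entry name=%s ip=%s timeout="%d"/>'
                         % (quoteattr(user), quoteattr(ip), timeout_min))
        parts.append('</login>')
    if logouts:
        parts.append('<logout>')
        for user, ip in logouts:
            parts.append('<entry name=%s ip=%s/>' % (quoteattr(user), quoteattr(ip)))
        parts.append('</logout>')
    parts.append('</payload></uid-message>')
    return ''.join(parts)


def classify_response(body):
    """Parse a PAN-OS API reply into (status, code, message).

    code is the numeric 'code' attribute when present (403: not authorized);
    message is the first <msg> text, or the <key> text for a keygen reply.
    """
    root = ET.fromstring(body)
    status = root.get('status', 'unknown')
    code = int(root.get('code')) if root.get('code') else None
    node = root.find('.//msg')
    if node is None:
        node = root.find('.//key')
    message = (node.text or '') if node is not None else ''
    return status, code, message.strip()


def _call_api(host, params, verify_tls=True):
    """POST form parameters to https://HOST/api/ and return the reply body."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab only: devices with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    data = urllib.parse.urlencode(params).encode()
    req = urllib.request.Request('https://%s/api/' % host, data=data)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.read().decode()


def get_api_key(host, user, password, verify_tls=True):
    """type=keygen: trade admin credentials for an API key, or raise."""
    body = _call_api(host, {'type': 'keygen', 'user': user,
                            'password': password}, verify_tls)
    status, code, key = classify_response(body)
    if status != 'success' or not key:
        raise RuntimeError('keygen failed: %s %s %s' % (status, code, key))
    return key


def push_mappings(host, api_key, uid_message, verify_tls=True):
    """type=user-id: send a <uid-message>; return (status, code, message).
    An empty key (what ClearPass logs as 'auth_token is empty') is refused."""
    if not api_key:
        raise ValueError('empty API key; keygen must succeed first')
    body = _call_api(host, {'type': 'user-id', 'key': api_key,
                            'cmd': uid_message}, verify_tls)
    return classify_response(body)


if __name__ == '__main__':
    payload = build_uid_message([('corp\\alice', '10.1.2.3')],
                                logouts=[('corp\\bob', '10.1.2.4')])
    print(payload)
    for sample in (SAMPLE_OK, SAMPLE_403):
        print(classify_response(sample))
```

Against a real device, `get_api_key('panorama.example', 'uid-agent', 'secret')` is the step that fails when the credentials are rejected (then there is no key to send, which is the empty-token warning in the log), while a 403 returned by `push_mappings()` with a valid key means the account authenticated but is not authorized for the user-id operation, which is what the release-note entry quoted earlier describes.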

Regular Contributor II

Re: Clearpass Panorama Integration - authentication error

For information, I have the same error with a customer, and the problem comes from password complexity on PAN...

 

There is a tech note on the Palo Alto web site (need an account, or use Google Cache...)

http://webcache.googleusercontent.com/search?q=cache:UgTTp3XX5csJ:https://live.paloaltonetworks.com/t5/tkb/articleprintpage/tkb-id/TechnologiesSDKsArticles/article-id/382+&cd=3&hl=fr&ct=clnk&gl=fr

 

ACMP 6.4 / ACMX #107 / ACCP 6.5