Contributor II
Posts: 90
Registered: ‎12-06-2014

Clearpass for VPN access

I have my firewall for VPN users set up to do 802.1X auth (RADIUS) to ClearPass. I want to set up a second form of validation, for example 802.1X AD auth and machine auth allows access/authorization for VPN user access. Point me in the right direction?

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: Clearpass for VPN access

What type of VPN? This will all vary based on capabilities of your VPN solution.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 90
Registered: ‎12-06-2014

Re: Clearpass for VPN access

Palo Alto and Cisco ASA. RADIUS auth preferred, but open to suggestions. I've seen PA integration with CPPM but that requires particular licensing and HIT etc., which I don't want to do. Prefer to keep it simple if possible.

Jeremy Rouse
Technical Specialist II, Bird Rock Systems, Inc.
Phone: (858) 346-1384

"We Build Rock Solid Solutions"
www.birdrockusa.com
Super Contributor II
Posts: 355
Registered: ‎02-22-2011

Re: Clearpass for VPN access

You don't need any particular licensing for Palo Alto to use ClearPass as a RADIUS server.

You can create a server profile in PA referencing the ClearPass servers and then create VPN / GlobalProtect profiles in PA that utilise this server group. The complex configuration is when you want to pass context data between the two systems for user / posture based firewall rules. This isn't necessary to implement basic VPN functionality.

Scott

Contributor II
Posts: 90
Registered: ‎12-06-2014

Re: Clearpass for VPN access

I've already set up the basic RADIUS profiles and that works. Now, for example, how do I configure ClearPass to require both user and machine auth for the VPN users?

Moderator
Posts: 492
Registered: ‎11-09-2012

Re: Clearpass for VPN access

my,

I just want to add that for the basic level of integration between CPP & PANW no special licensing is required.

Follow my PANW/CPPM integration guide that covers the basic userid config and you'll get username/domain/SRC IP@/device-type (generic).


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: Clearpass for VPN access

Is your VPN client capable of doing machine authentication?

If not, you'll have to use some logic in the Endpoints Repository to mimic this functionality.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480