Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Do I need ClearPass to integrate my PaloAlto with my Campus Aruba Network using My 3600 Master contr

  • 1.  Do I need ClearPass to integrate my PaloAlto with my Campus Aruba Network using My 3600 Master contr

    Posted Feb 05, 2014 11:28 AM

    I have a Campus network using Aruba 3600 and 3400 controllers. My Master is a 3600 and I have 120 schools with both 3600 and 3400 local controllers. We have just installed a Palo Alto 5060. I would like to use the Palo Alto in conjunction with my Aruba controllers. My question is can it be done with my current config with Airwave V7.7.3 and my controllers are on V6.3.1.0, or do I need to add a ClearPass server?

     

    Thanks

    David


    #3600
    #3400


  • 2.  RE: Do I need ClearPass to integrate my PaloAlto with my Campus Aruba Network using My 3600 Master contr

    Posted Feb 05, 2014 11:45 AM

    Question for you, what information are you looking to extract from user traffic?

     

    Customers that have both ClearPass Guest (AmigoPod) and Palo Alto can take advantage of an API that pushes guest user context from ClearPass to the Palo Alto. In the past the Palo Alto would simply show a NAT’ed IP address. With the API enabled the Palo Alto will show the guest user’s First Name and Last Name right in the Palo Alto Dashboard and reports. 

     

    Additional context can be collected by ClearPass Guest including email address, cell phone number and who their sponsor is that approved their guest access. The integration gives network admins complete visibility and accountability for all their guest users as opposed to the “anonymous” NAT’ed IP addresses of the past.

     

    With ClearPass, all of the above is possible.



  • 3.  RE: Do I need ClearPass to integrate my PaloAlto with my Campus Aruba Network using My 3600 Master contr

    Posted Feb 05, 2014 05:55 PM

    @cshaffer: you are talking about ClearPass Guest 3.9 (AmigoPod). With ClearPass 6.x the Palo Alto integration has been removed from ClearPass Guest and has been moved to ClearPass Policy Manager (CPPM).

     

    Within CPPM you can add an Endpoint Context Server, which can either be a Palo Alto firewall or Panorama. CPPM will be able to update the IP-to-User-mappings in the Palo Alto using the Palo Alto's XML API. CPPM will have to receive accounting information in order for this to work.

     

    CPPM will only send the username to the Palo Alto, but it is no longer restricted to the guest application; this will also work for 802.1X.

     

    This integration can be very useful if you need to traffic and need to know which user has sent that traffic. You can also use the UserID information in your security policies.
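
The accounting-to-User-ID flow described in this post, as an added example that is not part of the original post and is not ClearPass's own code: it reduces constructed RADIUS accounting records to one `uid-message` in the PAN-OS User-ID XML API format. The function name and sample records are assumptions, and the thread does not say that CPPM builds its updates this way.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed RADIUS accounting records (sample data, not from the thread).
SAMPLE_ACCOUNTING = [
    {"Acct-Status-Type": "Start", "User-Name": "alice", "Framed-IP-Address": "10.20.1.15"},
    {"Acct-Status-Type": "Start", "User-Name": "bob"},  # no IP learned yet
    {"Acct-Status-Type": "Interim-Update", "User-Name": "bob", "Framed-IP-Address": "10.20.1.16"},
    {"Acct-Status-Type": "Stop", "User-Name": "alice", "Framed-IP-Address": "10.20.1.15"},
    {"Acct-Status-Type": "Interim-Update", "User-Name": "carol", "Framed-IP-Address": "not-an-ip"},
    # User-Name is supplied by the client, so treat it as untrusted input.
    {"Acct-Status-Type": "Start", "User-Name": 'eve" ip="10.20.1.16', "Framed-IP-Address": "10.20.1.17"},
]

def build_uid_message(records):
    """Reduce a batch of accounting records to one User-ID <uid-message>.

    Returns (xml_text, skipped_records). Only the net effect per IP is emitted.
    """
    login, logout, skipped = {}, {}, []
    for rec in records:
        user, status = rec.get("User-Name"), rec.get("Acct-Status-Type")
        try:
            ip = str(ipaddress.ip_address(rec.get("Framed-IP-Address") or ""))
        except ValueError:
            ip = None
        if not user or ip is None:
            skipped.append(rec)  # nothing to map without both values
        elif status == "Stop":
            login.pop(ip, None)
            logout[ip] = user
        elif status in ("Start", "Interim-Update"):
            logout.pop(ip, None)
            login[ip] = user
        else:
            skipped.append(rec)
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for tag, mapping in (("login", login), ("logout", logout)):
        if mapping:
            section = ET.SubElement(payload, tag)
            for ip, user in mapping.items():
                # ElementTree escapes attribute values, so a hostile
                # User-Name cannot inject extra attributes or entries.
                ET.SubElement(section, "entry", {"name": user, "ip": ip})
    return ET.tostring(root, encoding="unicode"), skipped

if __name__ == "__main__":
    print(build_uid_message(SAMPLE_ACCOUNTING)[0])
```

Records without a usable `Framed-IP-Address` are returned in the skipped list, which is why the mapping only appears on the firewall once accounting carries the client's address.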

     



  • 4.  RE: Do I need ClearPass to integrate my PaloAlto with my Campus Aruba Network using My 3600 Master contr

    Posted Feb 08, 2014 05:07 AM

    Please find a TechNote that I've written covering CPPM and PANW Integration. I'm in the process of updating it to reflect a few new features we released in our latest CPPM 6.3.0 release a couple of weeks back. I hope to have this released in the next two weeks. This should give you a good technical overview.

     

    Any questions, ping me.

     

    http://www.arubanetworks.com/wp-content/uploads/TechNote_ArubaAndPaloAltoNetworksIntegration.pdf

     



  • 5.  RE: Do I need ClearPass to integrate my PaloAlto with my Campus Aruba Network using My 3600 Master contr

    Posted Oct 20, 2014 04:34 AM

    Hi,

     

    Noticed a mistake on page 4 in the doco..

     

    After configuring the RADIUS interim accounting on CPPM, ensure this is also enabled on the NAS device. Also importantly (this is the default for Aruba controller) ensure that the calling-station-ID is set to use the MAC address of the NAS

     

    I believe that should say MAC Address of the Client.

     

    cheers



  • 6.  RE: Do I need ClearPass to integrate my PaloAlto with my Campus Aruba Network using My 3600 Master contr

    Posted Oct 20, 2014 12:29 PM

    Thanks Ben.

     

    I'll adjust accordingly. :)



  • 7.  RE: Do I need ClearPass to integrate my PaloAlto with my Campus Aruba Network using My 3600 Master contr

    Posted Oct 20, 2014 10:37 PM

    Fantastic, the XML API perm requirement would be good to include also!

     

    I am currently integrating with Panorama, but I found that the troubleshooting commands in the doc are unavailable on this appliance, perhaps firewalls only. 

     

    Are there any other troubleshooting commands for the Panorama side, or places in the GUI to look?