Security

Reply
New Contributor
Posts: 1
Registered: ‎08-03-2012

Do I need ClearPass to integrate my PaloAlto with my Campas Aruba Network using My 3600 Master contr

I have a Campas network using Aruba3600 and 3400 controllers. My Master is a 3600 and I have 120 schools with both 3600 and 3400 local controllers. We have just installed a Palo Alto 5060. I would like to use the Palo Alto in conjuction with my Aruba controllers. My question is can it be done with my current config with Airwave V7.7.3 and my controllers are on V6.3.1.0, or do I need to add a ClearPass server?

 

Thanks

David

New Contributor
Posts: 3
Registered: ‎07-09-2013

Re: Do I need ClearPass to integrate my PaloAlto with my Campas Aruba Network using My 3600 Master c

Question for you, what information are you looking to extract from user traffic?

 

Customers that have both ClearPass Guest (AmigoPod) and Palo Alto can take advantage of an API that pushes guest user context from ClearPass to the Palo Alto. In the past the Palo Alto would simply show a NAT’ed IP address. With the API enabled the Palo Alto will show the guest user’s First Name and Last Name right in the Palo Alto Dashboard and reports. 

 

Additional context can be collected by ClearPass Guest including email address, cell phone number and who their sponsor is that approved their guest access. The integration gives network admins complete visibility and accountability for all their guest users as opposed the “anonymous” NAT’ed IP addresses of the past.

 

With ClearPass, all of the above is possible.

MVP
Posts: 130
Registered: ‎06-11-2013

Re: Do I need ClearPass to integrate my PaloAlto with my Campas Aruba Network using My 3600 Master c

@cshaffer: you are talking about ClearPass Guest 3.9 (AmigoPod). With ClearPass 6.x the Palo Alto integration has been removed from ClearPass Guest and has been moved to ClearPass Policy Manager (CPPM)

 

Within CPPM you can add an Endpoint Context Server, which can either be a Palo Alto firewall or Panorama. CPPM will be able to update the IP-to-User-mappings in the Palo Alto using the Palo Alto's XMLAPI. CPPM will have to receive accounting information in order for this to work.

 

CPPM will only send the username to the Palo Alto; but it is not anymore restricted to the guest application, this will also work for 802.1X.

 

This integration can be very useful if you need to traffic and need to know which user has sent that traffic. You can also use the UserID information in your security policies.

 


ACMX#255 | ACMP | ACCP | AWMP
www.securelink.nl
Moderator
Posts: 488
Registered: ‎11-09-2012

Re: Do I need ClearPass to integrate my PaloAlto with my Campas Aruba Network using My 3600 Master c

Please find a TechNote that I've written covering CPPM and PANW Integration. I'm in the process of updating it to reflect a few new feature we released in our latest CPPM 6.3.0 release a couple of weeks back I hope to have this released in the next two-weeks. This should give you a good techncal overview.

 

Any questions, ping me.

 

http://www.arubanetworks.com/wp-content/uploads/TechNote_ArubaAndPaloAltoNetworksIntegration.pdf

 


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Regular Contributor I
Posts: 180
Registered: ‎12-17-2008

Re: Do I need ClearPass to integrate my PaloAlto with my Campas Aruba Network using My 3600 Master c

Hi,

 

Noticed a misake on page 4 in the doco..

 

After configuring the RADIUS interim accounting on CPPM, ensure this is also enabled on the NAS device. Also importantly (this is the default for Aruba controller) ensure that the calling-­station-‐ID is set to use the MAC address of the NAS

 

I believe that should say MAC Address of the Client.

 

cheers


--
ACMA ACMP
Moderator
Posts: 488
Registered: ‎11-09-2012

Re: Do I need ClearPass to integrate my PaloAlto with my Campas Aruba Network using My 3600 Master c

Thanks Ben.

 

I'll adjust accordingly. :)


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Regular Contributor I
Posts: 180
Registered: ‎12-17-2008

Re: Do I need ClearPass to integrate my PaloAlto with my Campas Aruba Network using My 3600 Master c

Fantastic, the XML API perm requirement would be good to include also!

 

I am currently integrating with Panorama, but I found that the troubleshooting commands in the doc are unavailable on this appliance, perhaps firewalls only. 

 

Are there any other troubleshooting commands for the Panorama side, or places in the GUI to look? 

 


--
ACMA ACMP
Search Airheads
Showing results for 
Search instead for 
Did you mean: