This how-to configures RADIUS authentication on a Palo Alto device running PAN-OS 5.x / 6.0 and integrates it with Clearpass. The Palo Alto device will be configured to receive a RADIUS VSA from Clearpass and grant superuser access to a specific AD user.
As before, I have a lab running Clearpass 6.2.x. I have a Windows 2012 server with defined users and groups and I've built the necessary role mappings under Configuration > Identity > Role Mappings in Clearpass. I've also created Clearpass / Tips roles that are mapped to my Windows 2012 groups.
Clearpass:
Enable the Palo Alto Dictionary in Clearpass:
1. Administration > Dictionaries > RADIUS
2. Filter > Vendor Name > Contains > "Palo"
3. Click on "PaloAlto" and then click "Enable"
Add the Device to Clearpass:
1. Configuration > Network > Devices
2. Select "Add Devices"
i. Name = <Name you'd like>
ii. RADIUS Shared Secret = <Your shared secret>
iii. Vendor Name = PaloAlto
3. Select "Save"
I use device groups for everything in Clearpass. This step is optional; it's just my personal preference.
1. Configuration > Network > Device groups
2. Select "Add Device Group"
3. Fill in the "Name" field. I'll be using "Palo Altos" in this example
4. Select "List" under "Format"
5. Under the "List", move the Palo Alto Device from the "Available Devices" to "Selected Devices"
6. Click "Save"
Create a Palo Alto Enforcement Profile:
1. Configuration > Enforcement > Profiles
2. Click "Add Enforcement Profile"
3. Select "RADIUS based enforcement" as the Template
4. Provide a name, "Palo Alto RADIUS Admin"
5. Make sure that "Accept" is set under "Action"
6. Under Attributes:
i. Type - "Radius: PaloAlto"
ii. Name - "PaloAlto-Admin-Role (1)",
iii. Value - "superuser"
7. Finally, click "Save"
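The enforcement profile above makes Clearpass put the PaloAlto-Admin-Role VSA into the Access-Accept, and the firewall reads that value to pick the admin role. As an added example that is not part of the original post, here is how that attribute is laid out on the wire (RFC 2865 Vendor-Specific format) and how a receiver extracts it; the vendor ID 25461 is Palo Alto Networks' enterprise number from the RADIUS dictionary and is assumed here, as the page does not state it:

```python
import struct

# Palo Alto Networks' IANA private enterprise number, as listed in the vendor's
# RADIUS dictionary (assumed here; the page enables the dictionary but does not print it).
PALOALTO_VENDOR_ID = 25461
PALOALTO_ADMIN_ROLE = 1  # vendor-type 1 = PaloAlto-Admin-Role, the "(1)" in the how-to
VENDOR_SPECIFIC = 26     # RFC 2865 Vendor-Specific attribute type

def encode_vsa(vendor_id, vendor_type, value):
    """Build one RFC 2865 Vendor-Specific attribute carrying a single sub-attribute:
    Type(26) | Length | Vendor-Id(4) | Vendor-type | Vendor-length | value."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def iter_attributes(payload):
    """Walk a RADIUS attribute list (the bytes after the 20-byte packet header)."""
    pos = 0
    while pos + 2 <= len(payload):
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield atype, payload[pos + 2:pos + alen]
        pos += alen

def extract_admin_role(payload):
    """Return the PaloAlto-Admin-Role string from an Access-Accept attribute list,
    or None when no Palo Alto VSA is present (other vendors' VSAs are ignored)."""
    for atype, data in iter_attributes(payload):
        if atype != VENDOR_SPECIFIC or len(data) < 6:
            continue
        if struct.unpack("!I", data[:4])[0] != PALOALTO_VENDOR_ID:
            continue
        sub = data[4:]
        while len(sub) >= 2:
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                break  # truncated sub-attribute: stop rather than over-read
            if vtype == PALOALTO_ADMIN_ROLE:
                return sub[2:vlen].decode("ascii", errors="replace")
            sub = sub[vlen:]
    return None

# Constructed sample: Access-Accept attributes for the "Palo Alto RADIUS Admin"
# profile, with an unrelated Class (25) attribute in front of the VSA.
SAMPLE_ACCEPT_ATTRS = (struct.pack("!BB", 25, 6) + b"abcd"
                       + encode_vsa(PALOALTO_VENDOR_ID, PALOALTO_ADMIN_ROLE, b"superuser"))
```

A capture of the Access-Accept from Clearpass fed to extract_admin_role() is a quick way to confirm the VSA is really being sent when the firewall still falls back to a read-only role.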
Create a Palo Alto Enforcement Policy:
1. Configuration > Enforcement > Policies
2. Click "Add Enforcement Policy"
3. Under "Enforcement", provide a name, "Palo Alto Login Enforcement Policy"
4. Verify that RADIUS is the "Enforcement Type"
5. Select "[Deny Access Profile]" for the "Default Profile"
6. Select "Rules" and click "Add Rule"
7. Mine looks like this:
i. Type - Tips
ii. Name - Role
iii. Operator - EQUALS
iv. Value - PaloAlto-Admins
8. Enforcement Profiles > "Profile Names" > "[RADIUS] Palo Alto RADIUS Admin"
9. Click "Save"
Create a Palo Alto Login Service:
1. Configuration > Services
2. Click "Add Service"
3. Select "Type" of "RADIUS Enforcement ( Generic )"
4. Provide a name for the service, "Palo Alto Firewall Logins"
5. Under "Service Rule" enter the following:
i. Type - Connection
ii. Name - "NAD-IP-Address"
iii. Operator - "BELONGS_TO_GROUP"
iv. Value - "Palo Altos"
6. Under Authentication:
i. Authentication Methods - PAP
ii. Authentication Sources - <your AD>
7. Under Roles, select the "Role Mapping Policy" for your domain. Here's what mine looks like after clicking "Modify":
i. Type - Authorization:Windows-2012
ii. Name - memberOf
iii. Operator - EQUALS
iv. Value - CN=PaloAlto-Admins,CN=Users,DC=top,DC=local
v. Actions > "Role Name" > "PaloAlto-Admins"
8. Under "Enforcement" > "Enforcement Policy", select the enforcement policy we created, "Palo Alto Login Enforcement Policy"
9. Click "Save"
Configuration of the Palo Alto Device:
The steps below will be done through the GUI.
1. Go to Device > Server Profiles > RADIUS > "+ Add"
i. Name = Clearpass
Click "+ Add" in this menu:
i. Name = FQDN of the Clearpass server
ii. IP Address = <Clearpass IP address>
iii. Secret = Shared secret for the Palo Alto device in Clearpass
iv. Port = 1812
Click "OK" in this menu
2. Go to Device > Authentication Profile > "+ Add"
i. Name = PAN-Clearpass
ii. Authentication = RADIUS
iii. Server Profile = "Clearpass" (From step 1)
3. Go to Device > Authentication Sequence > "+ Add"
i. Name = PAN-Auth-Sequence
ii. Click "+ Add"
iii. Select "PAN-Clearpass" (From step 2)
EDIT - 04/22/2014 - I had to perform this additional setup on a Palo Alto device that had multiple Authentication profiles and RADIUS servers. It should be included as part of the steps to guarantee RADIUS authentication on a Palo Alto device.
4. Go to Device > Setup > Management Settings > Authentication Settings
i. Click the Widget button in the corner
ii. Select "PAN-Clearpass" under "Authentication Profile"
iii. Save this configuration
You should now be able to log into the GUI and the CLI on a Palo Alto device with Clearpass. You can verify this on the CLI by typing:
show admins
Also, the AD account will show up before the "@" symbol on a successful CLI connection:
mcourtney@PA-200>
This will show up in the GUI under:
Dashboard > Logged In Admins
You can also verify that things are working by logging into a Palo Alto device and viewing the results in Clearpass's Access Tracker, found under Monitoring > Live Monitoring.
Let me know what you think and if it works out.
-Mike