Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

  • 1.  Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted Feb 14, 2014 01:04 AM

    This how-to configures RADIUS authentication on a Palo Alto device running PANOS 5.x / 6.0 and integrates it with Clearpass. The Palo Alto device will be configured to receive a RADIUS VSA from Clearpass and provide super-user access for a specific AD user.

    As before, I have a lab running Clearpass 6.2.x. I have a Windows 2012 server with defined users and groups and I've built the necessary role mappings under Configuration > Identity > Role Mappings in Clearpass. I've also created Clearpass / Tips roles that are mapped to my Windows 2012 groups.

    Clearpass:

    Enable the Palo Alto Dictionary in Clearpass:

    1. Administration > Dictionaries > RADIUS
    2. Filter > Vendor Name > Contains > "Palo"
    3. Click on "PaloAlto" and then click "Enable"

     

    Add the Device to Clearpass:

     

    1. Configuration > Network > Devices
    2. Select "Add Devices"
       i. Name = <Name you'd like>
       ii. RADIUS Shared Secret = <Your shared secret>
       iii. Vendor Name = PaloAlto
    3. Select "Save"

    I use device groups for everything in Clearpass. This step can be optional; it's just my personal preference.

    1. Configuration > Network > Device groups
    2. Select "Add Device Group"
    3. Fill in the "Name" field. I'll be using "Palo Altos" in this example
    4. Select "List" under "Format"
    5. Under the "List", move the Palo Alto Device from the "Available Devices" to "Selected Devices"
    6. Click "Save"

    Create a Palo Alto Enforcement Profile:

     

    1. Configuration > Enforcement > Profiles
    2. Click "Add Enforcement Profile"
    3. Select "RADIUS based enforcement" as the Template
    4. Provide a name, "Palo Alto RADIUS Admin"
    5. Make sure that "Accept" is set under "Action"
    6. Under Attributes:
       i. Type - "Radius: PaloAlto"
       ii. Name - "PaloAlto-Admin-Role (1)"
       iii. Value - "superuser"
    7. Finally, click "Save"

    Create a Palo Alto Enforcement Policy:

     

    1. Configuration > Enforcement > Policies
    2. Click "Add Enforcement Policy"
    3. Under "Enforcement", provide a name, "Palo Alto Login Enforcement Policy"
    4. Verify that RADIUS is the "Enforcement Type"
    5. Select "[Deny Access Profile]" for the "Default Profile"
    6. Select "Rules" and click "Add Rule"
    7. Mine looks like this:
       i. Type - Tips
       ii. Name - Role
       iii. Operator - EQUALS
       iv. Value - PaloAlto-Admins
    8. Enforcement Profiles > "Profile Names" > "[RADIUS] Palo Alto RADIUS Admin"
    9. Click "Save"

    Create a Palo Alto Login Service:

     

    1. Configuration > Services

    2. Click "Add Service"

    3. Select "Type" of "RADIUS Enforcement ( Generic )"

    4. Provide a name for the service, "Palo Alto Firewall Logins"

    5. Under "Service Rule" enter the following:

       i. Type - Connection
       ii. Name - "NAD-IP-Address"
       iii. Operator - "BELONGS_TO_GROUP"
       iv. Value - "Palo Altos"

    6. Under Authentication:

       i. Authentication Methods - PAP
       ii. Authentication Sources - <your AD>

    7. Under Roles select the "Role Mapping Policy" for your domain. Here's what mine looks like by clicking "Modify."

       i. Type - Authorization:Windows-2012
       ii. Name - memberOf
       iii. Operator - EQUALS
       iv. Value - CN=PaloAlto-Admins,CN=Users,DC=top,DC=local
       v. Actions > "Role Name" > "PaloAlto-Admins"
    8. Under "Enforcement" > "Enforcement Policy" select the enforcement policy that we created > "Palo Alto Login Enforcement Policy"
    9. Click "Save"

    Configuration of the Palo Alto Device:

    The steps below will be done through the GUI.

    1. Go to Device > Server Profiles > RADIUS > "+ Add"

       i. Name = Clearpass

       Click "+ Add" in this menu:

       i. Name = FQDN of the Clearpass server
       ii. IP Address = <Clearpass IP address>
       iii. Secret = Shared secret for the Palo Alto device in Clearpass
       iv. Port = 1812

       Click "Ok" in this menu

     

    2. Go to Device > Authentication Profile > "+ Add"

       i. Name = PAN-Clearpass
       ii. Authentication = RADIUS
       iii. Server Profile = "Clearpass" (From step 1)

     

    3. Go to Device > Authentication Sequence > "+ Add"

       i. Name = PAN-Auth-Sequence
       ii. Click "+ Add"
       iii. Select "PAN-Clearpass" (From step 2)

     

    EDIT - 04/22/2014 - I had to take this additional setup on a Palo Alto device that had multiple Authentication profiles and RADIUS servers. It should be included as part of the steps to guarantee RADIUS authentication on a Palo Alto device.

     

    4. Go to Device > Setup > Management Settings > Authentication Settings

     

       i. Click the Widget button in the corner

       ii. Select "PAN-Clearpass" under "Authentication Profile"

       iii. Save this configuration

     

    You should now be able to log into the GUI and the CLI on a Palo Alto device with Clearpass. You can verify this on the CLI by typing:

    show admins

     

    Also, the AD account will show up before the "@" symbol on a successful CLI connection:

    mcourtney@PA-200>

     

    This will show up in the GUI under:

     

    Dashboard > Logged In Admins

     

    You can verify that things are working by logging into a Palo Alto device and viewing the results in Access Tracker found under Monitoring > Live Monitoring.

    Let me know what you think and if it works out.

     

    -Mike



  • 2.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 14, 2014 03:37 PM

    I have a question about the CPPM to PAN authentication.  When you add the PAN IP address are you using the Management IP or the IP to the Trusted Ethernet port?  Since the management port is used to offload some actual work.  I tried the Trusted Ethernet port first and it is not working.  I switched it to the IP for the management port.  I am still not able to get the devices to talk.  I could really use some help.  Got a ticket open with TAC and we are getting nowhere fast.



  • 3.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 14, 2014 04:05 PM

    Hi Memphis,

     

    I've set this up against the management port on a Palo. The configurations that I'm most familiar with are with the Palo in v-wire mode, so I haven't tried to authenticate against other IPs on the box. What version of PAN are you running? My lab box is currently running 6.0.2, the newest release. Last weekend I ran through the Clearpass / Palo Tech Note on this version and it all worked as expected.

     

    The first thing I would do is to SSH into the PAN device and see if you can ping the Clearpass box. This should establish some level of connectivity. Next, I would do the same thing from the CLI in Clearpass. On the cli, it should be something like the following:

     

    network ping <your PAN mgmt>

     

    Have you tried to use the monitor tab in the PAN UI to see if traffic is coming in from Clearpass?

     

    -Mike



  • 4.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 14, 2014 04:10 PM

    Memphis,

     

    Please take a look at my CPPM+PANW TechNote to see if this assists you through the integration process.

     

    Find it here..... then fire me any questions.... danny@arubanetworks.com.

     

    http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961

     

     



  • 5.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 14, 2014 04:46 PM

    Thanks but I started with this doc a few months ago and continued as the software versions advanced.  I tried the process with Support and have an open ticket.  They have been remoted into my machine and downloaded logs and still can't figure out why the 2 devices are not talking.

    CPPM Version 6.3.2.63239

     

    Palo Alto 500 Version 3.06



  • 6.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 14, 2014 05:42 PM

    Memphis,

     

    I just wanted to check, you're running version 3.06? If so, any way you can update that box?

     

    -Mike



  • 7.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 14, 2014 08:12 PM
    You need a minimum of PANOS 5.x


    Please excuse my errors as sent using my small useless keyboard on my smartphone.

    Regards
    --d

    Danny Jump | Technical Marketing Engineer - Networking Services | Aruba Networks
    o: 408-513-8938 (diverts to cell)
    e: danny@arubanetworks.com


  • 8.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 15, 2014 09:52 AM

    Sorry the version was entered wrong.  I have the latest 6.0.1

     



  • 9.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 15, 2014 10:33 AM

    Hi Memphis,

     

    Are you seeing anything in Event Viewer? There could be an authentication issue between the two devices that may show up in there.

     

    -Mike



  • 10.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 15, 2014 12:07 PM

    The only traffic I am seeing in the PA Monitor is the traffic between the CPPM and Aruba Networks for the updates.



  • 11.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 15, 2014 10:37 AM

    I can comfortably tell you that dozens of customers have successfully integrated CPPM + PANW. Typically, from what I've seen it's related to one of two things config as there are multiple moving parts.

     

    1. Config on CPPM especially as we have multiple items that need configuring  - please re-check/follow my doc to ensure all config is complete.

    2. Policy config on PANW - Use the MONITOR TAB to see if you can see the traffic from CPPM being dropped.

     

     



  • 12.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 15, 2014 11:46 AM

    I do have some traffic coming from my Aruba Clearpass through the firewall but that is updates to the device to aruba networks.  I see the userid is an AD account we set up just for that.  Other than that there is no traffic from the CPPM.



  • 13.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 15, 2014 12:03 PM

    This looks very much like configuration.....

     

    Insight is definitely enabled?

     

    In event tracker for a user that has authenticated do you see the accounting tab?

     

    If not then ensure accounting and interim accounting are correctly configured on the CTRL's and CPPM ?



  • 14.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 15, 2014 12:16 PM

    The following are all checked except the last one.  did not see that even mentioned in any docs

    x Enable this server for endpoint classification
    x Enable this server for performance monitoring display
    x Enable Insight
       Enable as Insight Master     Current Master Blank



  • 15.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 15, 2014 12:17 PM

    Not seeing any records in the accounting window.



  • 16.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 15, 2014 12:20 PM

    Log Accounting Interim-Update Packets is set to TRUE



  • 17.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 15, 2014 12:45 PM

    Hi Memphis,

     

    I'm going to take a step back for a second. You're trying to authenticate the PAN 500 against RADIUS, right? The Tech Note that Danny referenced is for sending connection attributes to the PAN after you authenticate. His Tech Note definitely does work - the new one is version 4. I think we're still just setting up RADIUS at this point, let me know if I'm wrong.

     

    Here's what we have so far:

     

    1. The PAN 500 is able to ping Clearpass

    2. Clearpass is able to ping the PAN 500

    3. The initial Insight server config and interim accounting is enabled

    4. You're running version 6.0.1. At this point, go ahead and upgrade that to 6.0.2. It will get us all on the same page.

     

    Here's where we are stuck:

     

    1. We still are not able to authenticate PAN users via RADIUS

    2. The PAN attempts are not showing up in Clearpass in Access Tracker or in the Event Viewer

    3. We don't see anything in the Monitor tab in the PAN. 

     

    Questions that I have:

     

    1. You are trying to authenticate the PAN on the PAN management port, correct? There was talk of a 

    2. Is this CPPM instance a VM? If so, do you have the management port and the data port configured?

    3. If 2 is yes, is there a host level firewall in between Clearpass and the PAN?

     

    Additional step:

     

    1. Create a new generic radius service in Clearpass and call it "CATCH ALL RADIUS."

    2. This service will be defined with no requirements

    3. Enter PAP as the authentication method.

    4. There will be no roles

    5. Use the sample default deny as the enforcement profile

    6. Make this the last active service. This will effectively "catch" any stray RADIUS requests that come into the system using PAP, which the Palo uses.

     

    Thanks!

     

    -Mike



  • 18.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 15, 2014 01:52 PM

    1. You are trying to authenticate the PAN on the PAN management port, correct? Yes

    2. Is this CPPM instance a VM? If so, do you have the management port and the data port configured?  Yes

    3. If 2 is yes, is there a host level firewall in between Clearpass and the PAN? No

     

    The PAN and CPPM are on the same switch but 2 diff subnets.  10.1.2 CPPM & 192.168.1 for PAN

    Since they can ping each other and CPPM traffic is going through firewall to aruba servers



  • 19.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 15, 2014 12:55 PM

    I went through the steps one at a time and found this inconsistency:

    7. Under Roles select the "Role Mapping Policy" for your domain. Here's what mine looks like by clicking "Modify."

       i. Type - Authorization:Windows-2012  (I Do not have this option)
       ii. Name - memberOf
       iii. Operator - EQUALS
       iv. Value - CN=PaloAlto-Admins,CN=Users,DC=top,DC=local
       v. Actions > "Role Name" > "PaloAlto-Admins"

     

    So does this need to be the AD login?



  • 20.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 15, 2014 12:58 PM

    Hi Memphis,

     

    "iv." would be something that is appropriate to your environment. For instance, you could do the following:

     

       i. Type - Authorization:Windows-2012
       ii. Name - Groups
       iii. Operator - EQUALS
       iv. Value - Domain Admins
       v. Actions > "Role Name" > "PaloAlto-Admins"

     

    The example I used was based on my lab setup. It should definitely be tailored for your environment.

     

    -Mike



  • 21.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted Feb 19, 2017 12:59 AM

    Hi Mike. What if it is via CPPM Local Database? What is going to be the value? Thank you



  • 22.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted Feb 19, 2017 11:08 AM

    Hi VenusD,

     

    The first thing that you will do is to go to the Authentication tab and change the authentication source from Active Directory to "[Local User Repository]."

     

    Next, in the Enforcement Policy, you can add a rule that states:

     

    Tips - Role - Equals - [User Authenticated]

     

    to verify that it works. Later, you can write a rule that states:

     

    Tips - Role - Equals - "The Role Associated to the account in the Local User Repository"

     

    in case you wanted to lock down the service.

     

    Hope this helps!

     

    -Mike



  • 23.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted Feb 20, 2017 05:45 AM

    Thanks Mike. Could I still use the Local Database username and password on Palo Alto even if I have configured Radius Servers on PA?

     



  • 24.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 15, 2014 01:04 PM

    Memphis,

     

    To take a look at what groups you belong to, connect to your 802.1X ssid (if it's connected to Clearpass) and go to Access Tracker. Click on your specific username and do the following:

     

    1. Click on the Input Tab

    2. Click on the Authorization Attributes

     

    This will show the groups that you're part of. At first, they'll come across as a "memberof" value. You'll see a "Groups" field if you authenticate using "Groups" in your service. Took me a few months to figure this out last year... it's much easier than doing regexes against the "memberof" field.

     

    -Mike



  • 25.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted Feb 19, 2017 12:57 AM

    Same question.  What if my environment is not via AD? It only authenticates to CPPM. What settings should I choose? Thank you



  • 26.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 15, 2014 01:15 PM

    Just want to jump in here...... if you see accounting data for a user - This not work..!!

     

    Check you have accounting configured in the Ctrl. I want you to check on the AAA Profile you are using that..... RADIUS Interim Accounting is enabled and that RADIUS Accounting Server Group is defined......



  • 27.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 15, 2014 01:28 PM

    Radius Interim Accounting is turned on but RADIUS Accounting Server Group is not defined.  How do I know which one to use?



  • 28.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 15, 2014 01:35 PM

    I set the RADIUS Acct Server Group to my default, pointing to my RADIUS Servers



  • 29.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 15, 2014 01:45 PM

    In response to your earlier question, the end goal here is to get authenticated user information (Userid = ip\Computername) to the PA 500.  The User agent for the PA on my DC is not picking up apple and android information even though they log into the domain with a valid account.  That information is available in the Aruba Controller and CPPM device.  If I can configure the CPPM for the RADIUS then I will be able to identify all users.  We are a private school and everyone on the network has an account.  They don't all have an authenticated domain device.  If it is a BYOD then we can't see their information as I pointed out before.



  • 30.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 15, 2014 02:00 PM

    Yeah, defining the RADIUS Accounting Server Group should do it...... please check now that you are seeing the Accounting Tab for an authenticated User.....if Yes, then you're close now assuming all the other stars align for your config to getting this working.

     

     



  • 31.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 15, 2014 02:35 PM

    Can you have more than one service for users?  The doc had you create a new service for the policies and profiles it walked you through.  Since I already had a service could I just add this to that existing service?



  • 32.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 15, 2014 03:32 PM

    Yep sure no problem.... just think about the enforcement policy and will the condition you set match?

     

    Then in your service definition add the policy on the enforcement profile..... R U getting data through now to PANW?

     

    show user ip-user-mapping all  [on the PANW CLI]

     



  • 33.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 15, 2014 04:07 PM

    Nothing is going through.  



  • 34.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 15, 2014 04:24 PM

    Do you see the accounting TAB I sent a screen shot for on a previous post?

     

     

    I'm as certain as I can be this is config related.



  • 35.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 16, 2014 11:20 AM

    Want to circle back and see how you're getting on?



  • 36.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 19, 2014 10:37 AM

    I am seeing the Policies Used window and it is using the primary service. I do have a ticket open and the engineer has read this post and the original doc.  He feels we can get the configuration resolved today (I hope).  I will let you know..  I feel it is a simple configuration we have not done yet to tie it all in.



  • 37.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 14, 2014 04:13 PM

    Using the PAN cli I can definitely ping the clearpass device.  I am using the PA management IP, however I see no traffic in the PAN from the clearpass.



  • 38.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 19, 2014 10:47 AM

    Boston, would you mind if I reposted this to the Palo Alto Forum?  I will make sure you get credit for this post.  I am having some issues and I think the PA community can help me and they could use this doc.



  • 39.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 19, 2014 10:50 AM

    Hi Memphis,

     

    My post is just getting RADIUS authentication working on a Palo; Danny's doc is the one that enables user information from Clearpass to be pushed to PA. 

     

    You can share my authentication piece, that's not an issue, but I think you're working through Danny's guide.

     

    Thanks!

     

    -Mike



  • 40.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 19, 2014 11:35 AM

    My Guide already exists somewhere in the PANW communities/Web site, they host a copy and as I update/refresh they repost it also. I'm not exactly sure where it is though - sorry.

     

    If you want to post a link to my doc that's the best.... reposting the doc uncontrolled becomes at times an issue as I update my TechNote to reflect feature changes CPPM/PANW are making.... more are coming .... I'd hate for someone to have an out of date version.

     

    http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961

     

     



  • 41.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 29, 2014 04:21 PM

    Hi All,

     

    This thread has been helpful and I think I almost have it implemented.  I am running into one snag though... let me paint the picture.

     

    Palo Alto Panorama Server

    ClearPass Server

     

    Followed the original poster's steps.  I see requests hit CPPM and they are being accepted, and classified properly.

    The radius response back to Panorama is "superuser"


    1.PNG

    Panorama however shows this in the system logs:

     

     

    2.PNG

     

    I am unable to login.

     

    Am I missing something small  here?

     

    Thanks for the help.



  • 42.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 29, 2014 05:08 PM

    Hi Pace,

     

    In your enforcement profile, try to send back #4, rather than #2 from the Palo Alto dictionary. #4 is:

     

    PaloAlto-Panorama-Admin-Role

     

    Your Radius response would then look like:

     

    Radius:PaloAlto:PaloAlto-Panorama-Admin-Role | superuser

     

    -Mike



  • 43.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 29, 2014 05:13 PM

    Thanks Mike!  4 did not work but 3 did.

     

    PaloAlto-Panorama-Admin-Role (3)

     

     

    Thanks for the help!

     

    Cheers!



  • 44.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 29, 2014 05:18 PM

    One other quick question.  How would I apply a user to one of my pre defined Admin Roles?  So that when say I login, I only have access to certain tabs (instead of superuser).

     

     



  • 45.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 29, 2014 05:24 PM

    NM I figured it out!

     

    Cheers!

     

    You need to send the Admin Role group name that  you create in Panorama in the radius response (instead of superuser).

     

    I made a basic user profile named "basic" and added it.  worked like a charm.

     

    Thanks again for the help.



  • 46.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted Mar 08, 2016 02:47 PM

    Ok, I see the thread has been dead a while, but I thought I would give it a try.

     

    I am authenticating to Clearpass just fine, and the PAN shows that I am logged in. However, the message I get on the PAN at login is 

    • Unknown role for user <user.name>

    My apologies if I overlooked a similar post -- sometimes it's hard to follow a thread when you get the number of drive-bys that I seem to get....

     



  • 47.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted Mar 08, 2016 04:19 PM

    Hi ckdalrymple,

     

    What are you sending to the PA in your enforcement policy? Could you provide a screenshot of your "Output" tab from the connection in Access Tracker?

     

    Thanks!

     

    -Mike



  • 48.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted Mar 15, 2016 01:36 PM

    Sorry, thought I had sent this already.

     Screen Shot 2016-03-15 at 12.33.39.png



  • 49.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted Mar 15, 2016 01:41 PM

    Never mind.  

     

    From the "Duh...." or "DOH!" department... Superuser does not equal superuser.

     

    I love it when browsers capitalize on you....
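
The admin-role VSA this thread keeps returning to (attribute 1 for a firewall, 3 for Panorama, and a case-exact role value), as an added example that is not part of any post: a Python sketch that builds a RADIUS Access-Accept like the one the enforcement profile returns and checks it for the failure causes reported above. The vendor ID 25461 is Palo Alto Networks' IANA enterprise number; the function names, shared secret and packet values are constructed for illustration, and the checks model what posters observed, not PAN-OS's own code.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2             # RFC 2865 packet code
VENDOR_SPECIFIC = 26          # RFC 2865 attribute type that carries VSAs
PALOALTO_VENDOR_ID = 25461    # Palo Alto Networks IANA enterprise number
# Attribute numbers as they appear in the thread's ClearPass dictionary.
ROLE_ATTR = {"firewall": 1,   # PaloAlto-Admin-Role (1)
             "panorama": 3}   # PaloAlto-Panorama-Admin-Role (3)
BUILTIN_ROLES = {"superuser"}  # the only built-in role the thread uses


def build_accept(ident, request_auth, secret, attr_no, role):
    """Build an Access-Accept carrying one Palo Alto admin-role VSA."""
    value = role.encode()
    sub = struct.pack("!BB", attr_no, len(value) + 2) + value
    attr = struct.pack("!BBI", VENDOR_SPECIFIC, len(sub) + 6,
                       PALOALTO_VENDOR_ID) + sub
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attr))
    # Response Authenticator = MD5(code+id+len + RequestAuth + attrs + secret)
    auth = hashlib.md5(header + request_auth + attr + secret).digest()
    return header + auth + attr


def paloalto_vsas(packet):
    """Return (code, {vendor attribute number: string value})."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    found, pos = {}, 20
    while pos < length:
        if length - pos < 2 or packet[pos + 1] < 2 \
                or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        body = packet[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(body) < 4:
            continue
        if struct.unpack("!I", body[:4])[0] != PALOALTO_VENDOR_ID:
            continue
        sub = body[4:]
        while len(sub) >= 2:
            slen = sub[1]
            if slen < 2 or slen > len(sub):
                raise ValueError("malformed vendor sub-attribute")
            found[sub[0]] = sub[2:slen].decode("utf-8", "replace")
            sub = sub[slen:]
    return code, found


def check_accept(packet, request_auth, secret, target, custom_roles=()):
    """Return a list of problems that would stop an admin login on target."""
    expected = hashlib.md5(packet[:4] + request_auth
                           + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return ["authenticator mismatch: check the shared secret on both sides"]
    code, vsas = paloalto_vsas(packet)
    if code != ACCESS_ACCEPT:
        return ["not an Access-Accept"]
    wanted = ROLE_ATTR[target]
    role = vsas.get(wanted)
    if role is None:
        return [f"no role in attribute {wanted} for {target}; "
                f"sent attributes: {sorted(vsas)}"]
    known = BUILTIN_ROLES | set(custom_roles)
    if role in known:
        return []
    if role.lower() in {r.lower() for r in known}:
        return [f"role {role!r} differs only in case from a known role"]
    return [f"role {role!r} is not defined on the {target}"]


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    secret, req_auth = b"constructed-secret", bytes(range(16))
    for target, attr_no, role in [("firewall", 1, "superuser"),
                                  ("firewall", 1, "Superuser"),
                                  ("panorama", 1, "superuser"),
                                  ("panorama", 3, "basic")]:
        pkt = build_accept(7, req_auth, secret, attr_no, role)
        print(target, attr_no, role, "->", check_accept(
            pkt, req_auth, secret, target, custom_roles=["basic"]))
```
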



  • 50.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted Feb 23, 2017 10:14 PM

    Hi CKDALRYMPLE,  I have the same issue. I was able to authenticate and it says successful. SSH login is ok but not HTTPS.

    Error on GUI login is "Unknown role for user"

     

    Have you managed to get it working?



  • 51.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted Jun 14, 2017 12:04 AM

    Dear Boston and all,

     

    I try to add clearpass to PAN,

     

    but at step 2, I can't click OK,

     

    any advice for this?

     

    WhatsApp Image 2017-06-14 at 10.55.42.jpeg



  • 52.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    EMPLOYEE
    Posted Jun 14, 2017 12:08 AM
    The advanced tab is missing information.

    Why aren't you using TACACS+ instead of RADIUS?


  • 53.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted Jun 14, 2017 12:15 AM

    Dear Cappalli,

     

    the advance tab is only allow list,

     

    and I using radius is from clearpass 6.5 sir



  • 54.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted Nov 06, 2019 01:41 PM

    I am also trying out the Palo alto firewall authentication via RADIUS using ClearPass as well, but it is not working for me.

     

    I keep getting the error "Invalid username or password" on the Palo Alto but my username and password are very correct.

     

    Any ideas please?



  • 55.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted Sep 19, 2020 10:13 PM

    This Howto is very well written and easy to follow.

    Thanks very much for writing it, it saved me a lot of time:)