MVP
Posts: 371
Registered: 01-14-2010

Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

This how-to configures RADIUS authentication on a Palo Alto device running PANOS 5.x / 6.0 and integrating that with Clearpass. The Palo Alto device will be configured to receive a RADIUS VSA from Clearpass and provide super-user access for an AD specific user.

As before, I have a lab running Clearpass 6.2.x. I have a Windows 2012 server with defined users and groups and I've built the necessary role mappings under Configuration > Identity > Role Mappings in Clearpass. I've also created Clearpass / Tips roles that are mapped to my Windows 2012 groups.

Clearpass:

Enable the Palo Alto Dictionary in Clearpass:

1. Administration > Dictionaries > RADIUS
2. Filter > Vendor Name > Contains > "Palo"
3. Click on "PaloAlto" and then click "Enable"

Add the Device to Clearpass:

1. Configuration > Network > Devices
2. Select "Add Devices"
   i. Name = <Name you'd like>
   ii. RADIUS Shared Secret = <Your shared secret>
   iii. Vendor Name = PaloAlto
3. Select "Save"

I use device groups for everything in Clearpass. This step is optional; it's just my personal preference.

1. Configuration > Network > Device groups
2. Select "Add Device Group"
3. Fill in the "Name" field. I'll be using "Palo Altos" in this example
4. Select "List" under "Format"
5. Under the "List", move the Palo Alto Device from the "Available Devices" to "Selected Devices"
6. Click "Save"

Create a Palo Alto Enforcement Profile:

1. Configuration > Enforcement > Profiles
2. Click "Add Enforcement Profile"
3. Select "RADIUS based enforcement" as the Template
4. Provide a name, "Palo Alto RADIUS Admin"
5. Make sure that "Accept" is set under "Action"
6. Under Attributes:
   i. Type - "Radius: PaloAlto"
   ii. Name - "PaloAlto-Admin-Role (1)"
   iii. Value - "superuser"
7. Finally, click "Save"

Create a Palo Alto Enforcement Policy:

1. Configuration > Enforcement > Policies
2. Click "Add Enforcement Policy"
3. Under "Enforcement", provide a name, "Palo Alto Login Enforcement Policy"
4. Verify that RADIUS is the "Enforcement Type"
5. Select "[Deny Access Profile]" for the "Default Profile"
6. Select "Rules" and click "Add Rule"
7. Mine looks like this:
   i. Type - Tips
   ii. Name - Role
   iii. Operator - EQUALS
   iv. Value - PaloAlto-Admins
8. Enforcement Profiles > "Profile Names" > "[RADIUS] Palo Alto RADIUS Admin"
9. Click "Save"

Create a Palo Alto Login Service:

1. Configuration > Services
2. Click "Add Service"
3. Select "Type" of "RADIUS Enforcement ( Generic )"
4. Provide a name for the service, "Palo Alto Firewall Logins"
5. Under "Service Rule" enter the following:
   i. Type - Connection
   ii. Name - "NAD-IP-Address"
   iii. Operator - "BELONGS_TO_GROUP"
   iv. Value - "Palo Altos"
6. Under Authentication:
   i. Authentication Methods - PAP
   ii. Authentication Sources - <your AD>
7. Under Roles select the "Role Mapping Policy" for your domain. Here's what mine looks like by clicking "Modify."
   i. Type - Authorization:Windows-2012
   ii. Name - memberOf
   iii. Operator - EQUALS
   iv. Value - CN=PaloAlto-Admins,CN=Users,DC=top,DC=local
   v. Actions > "Role Name" > "PaloAlto-Admins"
8. Under "Enforcement" > "Enforcement Policy" select the enforcement policy that we created > "Palo Alto Login Enforcement Policy"
9. Click "Save"

Configuration of the Palo Alto Device:

The steps below will be done through the GUI.

1. Go to Device > Server Profiles > RADIUS > "+ Add"
   i. Name = Clearpass
   Click "+ Add" in this menu:
   i. Name = FQDN of the Clearpass server
   ii. IP Address = <Clearpass IP address>
   iii. Secret = Shared secret for the Palo Alto device in Clearpass
   iv. Port = 1812
   Click "Ok" in this menu

2. Go to Device > Authentication Profile > "+ Add"
   i. Name = PAN-Clearpass
   ii. Authentication = RADIUS
   iii. Server Profile = "Clearpass" (From step 1)

3. Go to Device > Authentication Sequence > "+ Add"
   i. Name = PAN-Auth-Sequence
   ii. Click "+ Add"
   iii. Select "PAN-Clearpass" (From step 2)

EDIT - 04/22/2014 - I had to take this additional setup on a Palo Alto device that had multiple Authentication profiles and RADIUS servers. It should be included as part of the steps to guarantee RADIUS authentication on a Palo Alto device.

4. Go to Device > Setup > Management Settings > Authentication Settings
   i. Click the Widget button in the corner
   ii. Select "PAN-Clearpass" under "Authentication Profile"
   iii. Save this configuration

You should now be able to log into the GUI and the CLI on a Palo Alto device with Clearpass. You can verify this on the CLI by typing:

show admins

Also, the AD account will show up before the "@" symbol on a successful CLI connection:

mcourtney@PA-200>

This will show up in the GUI under:

Dashboard > Logged In Admins

You can verify that things are working by logging into a Palo Alto device and viewing the results in Access Tracker found under Monitoring > Live Monitoring.

Let me know what you think and if it works out.

-Mike
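As an added example (not from the original post or from Aruba/Palo Alto), here is the RADIUS exchange the steps above set up, in Python: the PAP Access-Request the Palo Alto sends, and a parser for the Access-Accept that verifies the Response Authenticator before trusting the PaloAlto-Admin-Role VSA. The Palo Alto vendor ID 25461, the `build_accept` stand-in for ClearPass's reply, and the sample credentials are assumptions; a Response Authenticator mismatch is what a shared-secret mismatch between the two boxes looks like on the wire.

```python
import hashlib, os, struct

PALOALTO_VENDOR_ID = 25461   # Palo Alto Networks enterprise number (assumed; not stated on the page)
PALOALTO_ADMIN_ROLE = 1      # "PaloAlto-Admin-Role (1)" as enabled in the ClearPass dictionary

def pap_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 User-Password hiding: pad to 16-byte blocks, XOR each with an MD5 chain."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def avp(code: int, value: bytes) -> bytes:
    return struct.pack("!BB", code, len(value) + 2) + value    # type, total length, value

def access_request(user, password, secret, nas_ip, ident=1):
    """Access-Request (code 1) as the Palo Alto sends it; PAP, matching the service above."""
    req_auth = os.urandom(16)
    attrs = (avp(1, user.encode())                                        # User-Name
             + avp(2, pap_password(password.encode(), secret, req_auth))  # User-Password
             + avp(4, bytes(int(o) for o in nas_ip.split("."))))          # NAS-IP-Address
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def build_accept(ident, req_auth, secret, role):
    """Constructed stand-in for ClearPass's Access-Accept carrying the enforcement-profile VSA."""
    vsa = struct.pack("!IBB", PALOALTO_VENDOR_ID, PALOALTO_ADMIN_ROLE, len(role) + 2) + role.encode()
    attrs = avp(26, vsa)                                                  # Vendor-Specific
    hdr = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(hdr + req_auth + attrs + secret).digest()
    return hdr + resp_auth + attrs

def parse_accept(pkt, secret, req_auth):
    """Check the Response Authenticator (fails on a shared-secret mismatch), then extract the role."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    resp_auth, attrs = pkt[4:20], pkt[20:length]
    if resp_auth != hashlib.md5(pkt[:4] + req_auth + attrs + secret).digest():
        raise ValueError("Response Authenticator mismatch: shared secret differs on the two sides?")
    roles, i = [], 0
    while i < len(attrs):
        t, l = attrs[i], attrs[i + 1]
        if t == 26:                                                       # Vendor-Specific
            vendor, sub_t, sub_l = struct.unpack("!IBB", attrs[i + 2:i + 8])
            if vendor == PALOALTO_VENDOR_ID and sub_t == PALOALTO_ADMIN_ROLE:
                roles.append(attrs[i + 8:i + 6 + sub_l].decode())
        i += l
    return code, roles
```

Feed a real Access-Accept captured on UDP/1812 to `parse_accept` with the same request authenticator to confirm ClearPass is actually returning "superuser".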

Contributor II
Posts: 44
Registered: 02-07-2013

Re: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

I have a question about the CPPM to PAN authentication. When you add the PAN IP address are you using the Management IP or the IP to the Trusted Ethernet port? Since the management port is used to offload some actual work. I tried the Trusted Ethernet port first and it is not working. I switched it to the IP for the management port. I am still not able to get the devices to talk. I could really use some help. Got a ticket open with TAC and we are getting nowhere fast.

MVP
Posts: 371
Registered: 01-14-2010

Re: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

Hi Memphis,

I've set this up against the management port on a Palo. The configurations that I'm most familiar with are with the Palo in v-wire mode, so I haven't tried to authenticate against other IPs on the box. What version of PAN are you running? My lab box is currently running 6.0.2, the newest release. Last weekend I ran through the Clearpass / Palo Tech Note on this version and it all worked as expected.

The first thing I would do is to SSH into the PAN device and see if you can ping the Clearpass box. This should establish some level of connectivity. Next, I would do the same thing from the CLI in Clearpass. On the CLI, it should be something like the following:

network ping <your PAN mgmt>

Have you tried to use the monitor tab in the PAN UI to see if traffic is coming in from Clearpass?

-Mike

Moderator
Posts: 496
Registered: 11-09-2012

Re: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

Memphis,

Please take a look at my CPPM+PANW TechNote to see if this assists you through the integration process.

Find it here..... then fire me any questions.... danny@arubanetworks.com.

http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961

Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Contributor II
Posts: 44
Registered: 02-07-2013

Re: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

Using the PAN CLI I can definitely ping the Clearpass device. I am using the PA management IP, however I see no traffic in the PAN from the Clearpass.

Contributor II
Posts: 44
Registered: 02-07-2013

Re: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

Thanks but I started with this doc a few months ago and continued as the software versions advanced. I tried the process with Support and have an open ticket. They have been remoted into my machine and downloaded logs and still can't figure out why the 2 devices are not talking.

CPPM Version 6.3.2.63239

Palo Alto 500 Version 3.06

MVP
Posts: 371
Registered: 01-14-2010

Re: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

Memphis,

I just wanted to check, you're running version 3.06? If so, is there any way you can update that box?

-Mike

Moderator
Posts: 496
Registered: 11-09-2012

Re: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

You need a minimum of PANOS 5.x


Please excuse my errors as sent using my small useless keyboard on my smartphone.

Regards
--d

Danny Jump | Technical Marketing Engineer - Networking Services | Aruba Networks
o: 408-513-8938 (diverts to cell)
e: danny@arubanetworks.com

Contributor II
Posts: 44
Registered: 02-07-2013

Re: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

Sorry, the version was entered wrong. I have the latest, 6.0.1.

MVP
Posts: 371
Registered: 01-14-2010

Re: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

Hi Memphis,

Are you seeing anything in Event Viewer? There could be an authentication issue between the two devices that may show up in there.

-Mike
