Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Mac authentication with Palo Alto integration.

  • 1.  Mac authentication with Palo Alto integration.

    Posted Dec 17, 2014 09:28 AM

    Hi guys!

    I have an issue with Palo Alto integration and MAC address authentication.

    When the client passes the first authentication (the MAC address is unknown), this information is sent to Palo Alto, so the user and IP are associated.
    When the client accesses the network the second time, it uses MAC authentication; in this case no information is sent to the Palo Alto appliance.

    I have added the enforcement policy for the Palo Alto integration to the MAC authentication service.

    But the situation is the same.

    Can you help me?

    Thanks in advance
    Andrea



  • 2.  RE: Mac authentication with Palo Alto integration.

    EMPLOYEE
    Posted Dec 17, 2014 09:44 AM

    Are you using ClearPass or controller integration?



  • 3.  RE: Mac authentication with Palo Alto integration.

    Posted Dec 17, 2014 09:53 AM

    Sorry, ClearPass



  • 4.  RE: Mac authentication with Palo Alto integration.

    Posted Dec 17, 2014 11:45 AM

    I have written two TechNotes on PAN + CPPM integration. Find them all here: http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961

    The second one, 'Advanced Deployment User Cases', covers CPPM & PAN & MAC Cache; see if this helps.

    PANW and CPPM Advanced Deployment use-case TechNote (V2-July 2014).pdf



  • 5.  RE: Mac authentication with Palo Alto integration.

    Posted Jan 07, 2015 04:25 AM

    Hi,
    It seems that everything is correctly configured, but the issue remains.

    Do you have other ideas?

    Thanks in advance
    Best regards

    Andrea



  • 6.  RE: Mac authentication with Palo Alto integration.

    Posted Jan 07, 2015 11:16 AM

    OK. So you can confirm that on the initial auth the session details are sent to the PANW; it is just on the re-auth (MAC Cache) that nothing makes its way to the PAN.

    If this is the case, then we know your basic CPPM/PANW setup is good. What do you see in Access Tracker for the re-auth (MAC Cache) in the way of the enforcement profiles that were applied to the MAC Cache auth?

    What version of CPPM are you using?



  • 7.  RE: Mac authentication with Palo Alto integration.

    Posted Jan 08, 2015 04:24 AM

    Hi,

    In the Access Tracker I see that the mac-auth is applied correctly.

    Now I use ClearPass 6.3.5.66826.

    Thanks in advance

    Best regards

    Andrea Acampa

     



  • 8.  RE: Mac authentication with Palo Alto integration.

    Posted Jan 12, 2015 03:21 AM

    Hi,

    After upgrading Palo Alto to 6.0.7 I found several problems.

    Do you know if there is some problem with this Palo Alto version?

    Thanks in advance

    Best regards

    Andrea Acampa



  • 9.  RE: Mac authentication with Palo Alto integration.

    Posted Jan 12, 2015 01:55 PM

    Andrea,

     

    Can you expand on the issue you have, please? Have you raised support cases with PANW?



  • 10.  RE: Mac authentication with Palo Alto integration.

    Posted May 13, 2016 11:34 PM

    I recently attempted integration of CPPM 6.6 to PA firewalls.  Not sure of the PA firewall code, though it should be fairly recent code.  Also using Aruba controllers running 6.4.3.x.

    Doing MAC auth only with CPPM, no 802.1X whatsoever. Having similar issues with no user mapping on the PA firewall.  It definitely is communicating, as I see user mapping entries for particular IPs, though it shows unknown for source and mapping.  Do have the built-in username attribute mapped in endpoint repository for most devices, thus we are returning this username field to the Aruba controllers.

    I have reviewed the most recent tech notes for the integration.

    Can anyone confirm or deny MAC auth would work in such a setup stated above?   Is there a way to send this endpoint repository username field to the PA firewall manually?



  • 11.  RE: Mac authentication with Palo Alto integration.

    Posted May 13, 2016 11:43 PM

    In reading: http://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.5.4/Content/PriorNew/OldNew_MDM.htm

    it says "Session-Check Username" can be used in conjunction with "%{Endpoint:Username}" for Guest MAC Caching.  I imagine that extends to more than just guest MAC caching?  Will test this.



  • 12.  RE: Mac authentication with Palo Alto integration.

    Posted Aug 17, 2016 12:05 PM

    @sabretigers2 wrote:

    In reading: http://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.5.4/Content/PriorNew/OldNew_MDM.htm

    it says "Session-Check Username" can be used in conjunction with "%{Endpoint:Username}" for Guest MAC Caching.  I imagine that extends to more than just guest MAC caching?  Will test this.


    Hi, we also tried this, but it seems that it changes the username only in the Access Tracker, not in the information sent to Palo Alto.

    It seems that this integration doesn't work with MAC Caching.

    We are trying to integrate ClearPass with Splunk, but with Splunk there is also some trouble.

    I hope that Aruba will solve this issue and will do something to improve this integration and the log management.



  • 13.  RE: Mac authentication with Palo Alto integration.

    Posted Feb 06, 2017 05:27 AM

    Andrea,

     

    Did TAC manage to get PAN integration working when MAC caching? I'm having the same issues at the moment.

    Cheers,

    Jack