Regular Contributor I

Mac authentication with Palo Alto integration.

Hi guys!

I have an issue with Palo Alto integration and MAC address authentication.

When the client passes the first authentication (the MAC address is unknown), this information is sent to Palo Alto, so the user and IP are associated.
When the client accesses the network the second time, it uses MAC authentication; in this case no information is sent to the Palo Alto appliance.

I have added the enforcement policy for the Palo Alto integration to the MAC authentication service.

But the situation is the same.

Can you help me?

Thanks in advance
Andrea
Guru Elite

Re: Mac authentication with Palo Alto integration.

Are you using ClearPass or controller integration?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Regular Contributor I

Re: Mac authentication with Palo Alto integration.

Sorry, ClearPass

Andrea
Moderator

Re: Mac authentication with Palo Alto integration.

I have written two TechNotes on PAN + CPPM integration. Find them all here: http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961

The second one, 'Advanced Deployment User Cases', covers CPPM & PAN & MAC Cache; see if this helps.

PANW and CPPM Advanced Deployment use-case TechNote (V2-July 2014).pdf


Best Regards
-d

ClearPass Product Manager

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Regular Contributor I

Re: Mac authentication with Palo Alto integration.

Hi,
It seems that everything is correctly configured, but the issue remains.

Do you have other ideas?

Thanks in advance
Best regards

Andrea
Moderator

Re: Mac authentication with Palo Alto integration.

OK. So you can confirm that on the initial auth the session details are sent to the PANW; it is just on the re-auth (MAC Cache) that nothing makes its way to the PAN.

If this is the case then we know your basic CPPM/PANW setup is good. What do you see in Access Tracker for the re-auth (MAC Cache) in the way of the enforcement profiles that were applied to the MAC Cache auth?

What version of CPPM are you using?


Best Regards
-d

ClearPass Product Manager

Regular Contributor I

Re: Mac authentication with Palo Alto integration.

Hi,

In the Access Tracker I see that the MAC auth is applied correctly.

Now I use ClearPass 6.3.5.66826.

Thanks in advance

Best regards

Andrea Acampa

Andrea
Regular Contributor I

Re: Mac authentication with Palo Alto integration.

Hi,

After upgrading Palo Alto to 6.0.7 I found several problems.

Do you know if there is some problem with this Palo Alto version?

Thanks in advance

Best regards

Andrea Acampa

Andrea
Moderator

Re: Mac authentication with Palo Alto integration.

Andrea,

Can you expand on the issue you have, please? Have you raised support cases with PANW?


Best Regards
-d

ClearPass Product Manager

Occasional Contributor I

Re: Mac authentication with Palo Alto integration.

I recently attempted integration of CPPM 6.6 to PA firewalls. Not sure of the PA firewall code, though it should be fairly recent code. Also using Aruba controllers running 6.4.3.x

Doing MAC Auth only with CPPM, no 802.1x whatsoever. Having similar issues with no user mapping on the PA firewall. It definitely is communicating as I see user mapping entries for particular IPs, though it shows unknown for source and mapping. Do have the built-in username attribute mapped in endpoint repository for most devices, thus we are returning this username field to the Aruba controllers.

I have reviewed the most recent tech notes for the integration.

Can anyone confirm or deny MAC auth would work in such a setup stated above? Is there a way to send this endpoint repository username field to the PA firewall manually?

 

 

 

 
