Occasional Contributor I
Posts: 5
Registered: ‎06-14-2016

Modifying username passed on from ClearPass to PaloAlto by XML API

We're configuring the ClearPass and PaloAlto UserID-integration as described in http://www.arubanetworks.com/assets/pso/TechNote_ArubaAndPaloAltoNetworksIntegration.pdf. As stated on pages 15-16 there are several options for the Username Transformation, but none of those suits our needs...

Non-domain clients use their e-mail address, which is the UPN (UserPrincipalName), in the longer firstname.lastname@externaldomain.com format, but for UserID to work we need the internaldomain\shortusername format. Both "None" and "Prefix NetBIOS name" use the externaldomain as a prefix, and "Use full username" retains the longer firstname.lastname part.


The information we want to pass on to PaloAlto is known by ClearPass:

Authentication:NetBIOS-Name
Authorization:[our AD auth source]:sAMAccountName.


I think we can put those two fields together in one field; the problem is I don't know how to pass on the right information from ClearPass: how can we select this information in the ClearPass attributes to be used by the XML API?


I messed around with the information in http://www.arubanetworks.com/assets/pso/PSO_PANWandCPPM.pdf and using a Session-Check, Username = %{Authentication:NetBIOS-Name}\%{Authorization:[our AD auth source]:sAMAccountName} but that doesn't seem to have any effect on the data transferred using the XML API.


Any suggestions? Any similar experiences? Or is this impossible to accomplish?

Occasional Contributor I
Posts: 5
Registered: ‎06-14-2016

Re: Modifying username passed on from ClearPass to PaloAlto by XML API

Using the Session-Check, Username = %{Authentication:NetBIOS-Name}\%{Authorization:[our AD auth source]:sAMAccountName} seems to work to concatenate that data, but I don't know yet if this field is used as input for the PaloAlto.


On another note: I can add multiple PaloAlto Firewalls as Endpoint context servers, but how do I update them both using Session-Notify? Server-IP only accepts one IP and I can't add a second Session-Notify:Server-IP.


Occasional Contributor I
Posts: 5
Registered: ‎06-14-2016

Re: Modifying username passed on from ClearPass to PaloAlto by XML API

There are three options when it comes to passing the username to the Palo Alto Networks Firewall endpoint context server, available in the "Username Transformation" field: None, Prefix NETBIOS name or Use Full Username. But two questions arise:
1) Do all three use the same Username attribute and modify it accordingly? If this is the case: which Username attribute is used? There's Endpoint:Username, Radius:IETF:User-Name received from the client, Radius:IETF:User-Name sent back from CPPM, Authentication:Full-Username, Authentication:Username, ...
2) Do those three options refer to different username attributes? And which are they?

The document "PANW and CPPM Advanced Deployment use-case TechNote (V2-July 2014).pdf" (http://www.arubanetworks.com/assets/pso/PSO_PANWandCPPM.pdf, page 19) suggests Radius:IETF:User-Name is used, but I'm not sure this is correct as the document doesn't cover CPPM 6.5, and it doesn't seem to work when I test it.

If I modify the Radius:IETF:User-Name to reflect the desired formatting of domain and sAMAccountName, I can see this in the RADIUS Response, but there is nothing published to Palo Alto anymore.

Occasional Contributor I
Posts: 5
Registered: ‎06-14-2016

Re: Modifying username passed on from ClearPass to PaloAlto by XML API

Am I really the only one with this problem? Or do I have to create a support case to get an answer?


Let's say UPN is 'first.last@domain.com' and sAMAccountName is 'flast' and domain is INTERNAL. The PaloAlto needs INTERNAL\flast to make user-based policies work, as described in the Tech Notes.

By using

(|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))(&(objectClass=user)(userPrincipalName=%{Authentication:Username})))

our users can authenticate using either INTERNAL\flast (used mostly by Windows workstations) or first.last@domain.com (mostly used by BYOD, smartphones etc.). When they use first.last@domain.com, we have to do some tricks to make INTERNAL\flast appear in PaloAlto. The first steps I have already described above: we can get the NetBIOS Name and sAMAccountName from the Authentication and Authorization sources.

Next step: in ClearPass we can modify the Radius:IETF:User-Name to send the correct INTERNAL\flast in the RADIUS Reply, and ClearPass can also modify the Endpoint:Username.

Last step is to send the correct contents of these fields through the PaloAlto-integration... But that's what fails.


When a client uses first.last@domain.com to authenticate, I can find my modified output for Endpoint:Username and Radius:IETF:User-Name in the RADIUS Response (in the Request Details in the Access Tracker).

The ClearPass-PaloAlto integration sends domain\first.last, or only first.last, so it must use one of these fields:

Radius:IETF:User-Name (from the RADIUS Request)
Authentication:Full-Username (from Computed Attributes)
Authentication:Username (from Computed Attributes)


Is there any way to modify these Authentication:(Full-)Username fields, and are these the fields used by the ClearPass-PaloAlto-integration?


Otherwise I'll have to conclude the ClearPass + Palo Alto integration is useless in our scenario, because it has no option to control what is used as the Username-data.
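To make the mapping the thread is after concrete, here is an added example (not ClearPass or Palo Alto code, and not from the poster): it takes whatever the client typed (INTERNAL\flast, flast or first.last@domain.com), resolves it against a constructed stand-in for the AD authorization source using the same sAMAccountName-or-userPrincipalName match as the filter above, and emits the NETBIOS\sAMAccountName form in a User-ID login entry. The uid-message layout is the one documented for the PAN-OS User-ID XML API and is assumed here, as are the sample directory entries and the IP.

```python
import xml.etree.ElementTree as ET

# Constructed sample directory standing in for the AD authorization source.
# Keys are lowercase sAMAccountName and userPrincipalName; values are the two
# attributes the thread wants to publish: NetBIOS domain name, sAMAccountName.
DIRECTORY = {
    "flast": ("INTERNAL", "flast"),
    "first.last@domain.com": ("INTERNAL", "flast"),
}

# RFC 4515 escapes for a value interpolated into an LDAP search filter, so a
# crafted login name cannot change the filter's structure.
LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value):
    return "".join(LDAP_ESCAPES.get(c, c) for c in value)


def build_filter(username):
    """The thread's filter: match on sAMAccountName OR userPrincipalName."""
    u = ldap_escape(username)
    return (f"(|(&(objectClass=user)(sAMAccountName={u}))"
            f"(&(objectClass=user)(userPrincipalName={u})))")


def to_userid_name(login_name):
    """Map DOMAIN\\user, bare user or UPN to NETBIOS\\sAMAccountName, or None."""
    name = login_name.split("\\", 1)[1] if "\\" in login_name else login_name
    hit = DIRECTORY.get(name.lower())
    if hit is None:
        return None          # unknown user: publish nothing rather than a guess
    netbios, sam = hit
    return f"{netbios}\\{sam}"


def userid_login_xml(login_name, ip, timeout=60):
    """Build a User-ID login update; returns None if the user cannot be mapped."""
    uid = to_userid_name(login_name)
    if uid is None:
        return None
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "1.0"
    ET.SubElement(msg, "type").text = "update"
    login = ET.SubElement(ET.SubElement(msg, "payload"), "login")
    ET.SubElement(login, "entry", name=uid, ip=ip, timeout=str(timeout))
    return ET.tostring(msg, encoding="unicode")


if __name__ == "__main__":
    print(build_filter("first.last@domain.com"))
    print(userid_login_xml("first.last@domain.com", "10.0.0.5"))  # constructed IP
```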
