Security

New Contributor
Posts: 4
Registered: ‎11-01-2013

Palo Alto Networks integration and passing the domain name without clearpass

I've got an 802.1X network set up authenticating users against an Active Directory-based RADIUS server. Our users are connecting fine. The problem is when they only provide their username without the domain. Just their username is passed over to the Palo Alto firewall, which then doesn't know that they are a domain user. This causes them to get a default restricted policy since it doesn't know Username is really DOMAIN\Username.

Is there any way to require users to enter the domain/UPN or force the controller to pass the domain with the user (DOMAIN\username) all the time? Right now I'm having to manually have the users disconnect and reconnect their phones/tablets and reauthenticate with DOMAIN\Username.

 

Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: Palo Alto Networks integration and passing the domain name without clearpass

Are you using the controller integration with Palo or something else?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 70
Registered: ‎04-03-2007

Re: Palo Alto Networks integration and passing the domain name without clearpass

[ Edited ]

CGTECH,

Depending on which version of PANOS you are running, there is an option to create syslog filters with User-ID to parse out the user information and match on that for the policy you want the user to be assigned.

The version of PANOS I have worked with where this was available is 6.0.

If you check out the 6.0 Admin Guide on pages 303 & 318 to 323, there is information on how to configure User-ID to receive user mappings from a syslog sender. If you go to page 320, there is a note on addressing what you want the default domain prefix to be.

I ran into this same problem on the Instant product line. We integrated with a Palo Alto firewall and via the XML API it was supposed to relay user-to-IP mapping information so we could leverage role-based access to apply policies. This worked fine with Windows domain clients because their user information came across with the domain prefix domain\username. However, if it was a domain user on a non-domain device like a Chromebook or an iPad, that domain prefix was missing and the user fell through the policy list and got a default policy because they did not match the User-ID group we had set up.

You should have an easier time accomplishing this since I assume you are working with Aruba controllers. The controller is a single syslog entity, whereas the IAPs are all separate and it was a challenge to get them all added to the firewall.

 

Here is an example of a regex and a field identifier. We used the field identifier for our instance.

Syslog must be set to “Notice” for this information to be sent for collection.

Sample line from the syslog:

User authenticated, mac-40:0e:85:20:d6:dd, username-testmonkey, IP-172.16.1.101, method-4, role-IAP-PAN

Regex identifier information:

Event Regex: User authenticated

Username regex: username-([a-zA-Z0-9\._-]+)

Address regex: IP-([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})

Field identifier:

Event string: User authenticated

Username prefix: username-

Delimiter: ,\s

Address prefix: IP-

Delimiter: ,\s

Here is an example of the server monitor we set up for the syslog filter. Note at the bottom where we tell the monitor what the default domain prefix should be.

 

PANOS-servermonitor.jpg

Michael McNamee
Sr. Network Engineer - SecurEdge Networks
ACMP / ACDX / AWMP

http://www.securedgenetworks.com/secure-edge-networks-blog/
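To see what the two identifier styles above actually extract from an Aruba syslog line, here is an added Python model (not code from the post or from PAN-OS) that applies Michael's regex identifier and field identifier to the quoted sample line plus two constructed lines, then prepends a default domain the way the thread describes. The default-domain rule (prepend only when the username has no backslash or @) and the CORP\jdoe and deauthentication lines are assumptions made for the example; note that the posted username regex character class does not include a backslash, so a DOMAIN\user value is cut off at the domain, while the field identifier keeps it whole.

```python
import re

# Constructed sample syslog lines: the first is the line quoted in the post above,
# the other two are made up here (a DOMAIN\user value and a non-matching event).
SAMPLE_LINES = [
    "User authenticated, mac-40:0e:85:20:d6:dd, username-testmonkey, IP-172.16.1.101, method-4, role-IAP-PAN",
    "User authenticated, mac-00:11:22:33:44:55, username-CORP\\jdoe, IP-172.16.1.102, method-4, role-IAP-PAN",
    "User deauthenticated, mac-00:11:22:33:44:56, username-nobody, IP-172.16.1.103, method-4, role-IAP-PAN",
]

# Regex identifier, exactly as given in the post.
EVENT_REGEX = re.compile(r"User authenticated")
USERNAME_REGEX = re.compile(r"username-([a-zA-Z0-9\._-]+)")
ADDRESS_REGEX = re.compile(r"IP-([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})")

# Field identifier, as given in the post: a prefix and the delimiter that ends the value.
EVENT_STRING = "User authenticated"
USERNAME_PREFIX, ADDRESS_PREFIX, DELIMITER = "username-", "IP-", re.compile(r",\s")

def apply_default_domain(user, default_domain):
    """Prepend DOMAIN\\ only when the username carries no domain already
    (assumed model of the default-domain-prefix option discussed in the thread)."""
    if "\\" in user or "@" in user:
        return user
    return f"{default_domain}\\{user}"

def parse_with_regex(line, default_domain):
    """Regex-identifier style: (user, ip), or None when the event or fields do not match."""
    if not EVENT_REGEX.search(line):
        return None
    u, a = USERNAME_REGEX.search(line), ADDRESS_REGEX.search(line)
    if not (u and a):
        return None
    return apply_default_domain(u.group(1), default_domain), a.group(1)

def parse_with_fields(line, default_domain):
    """Field-identifier style: the value runs from the prefix up to the next delimiter."""
    if EVENT_STRING not in line:
        return None
    def field(prefix):
        start = line.find(prefix)
        if start < 0:
            return None
        rest = line[start + len(prefix):]
        m = DELIMITER.search(rest)
        return rest[:m.start()] if m else rest
    user, ip = field(USERNAME_PREFIX), field(ADDRESS_PREFIX)
    if user is None or ip is None:
        return None
    return apply_default_domain(user, default_domain), ip
```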
New Contributor
Posts: 4
Registered: ‎11-01-2013

Re: Palo Alto Networks integration and passing the domain name without clearpass

[ Edited ]

Michael,

That describes my setup almost exactly. I'm controller based, using the XML API integration and not the syslog as you described. I'm going to switch over to the syslog parsing and give that a shot tonight.

Thanks for the regex also; that should save me a bit of time.

 

-Patrick

Moderator
Posts: 484
Registered: ‎11-09-2012

Re: Palo Alto Networks integration and passing the domain name without clearpass

Patrick,

 

I wanted to quickly ask if you have CPPM deployed in your environment?

If yes, then you can review my TWO TechNotes for CPPM+PANW integration. Beyond the great info above from Michael, we offer a lot of additional endpoint reference attributes in our XML API/HIP integration that you may want to leverage.

You can find the docs here on the support site: http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961

 


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: Palo Alto Networks integration and passing the domain name without clearpass

What version of code are you running? AOS 6.4 has native Palo integration that does exactly what you're trying to do.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 70
Registered: ‎04-03-2007

Re: Palo Alto Networks integration and passing the domain name without clearpass

Tim,

My integration was with InstantOS and while the XML API integration worked, the success was only for domain-joined Windows machines. The domain-joined Windows machines present a prefix with the domain notated in their user information field, while non-domain-joined devices do not.

Without the domain prefix the Palo Alto cannot define who belongs to what group and therefore cannot assign correct policies.

I went around and around with Aruba and Palo Alto TAC to get to a solution that could work.

The solution I provided above allows for the default domain prefix to be prepended to the username regardless of whether it was a domain-joined device or not.

Michael McNamee
Sr. Network Engineer - SecurEdge Networks
ACMP / ACDX / AWMP

http://www.securedgenetworks.com/secure-edge-networks-blog/
Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: Palo Alto Networks integration and passing the domain name without clearpass

I was leaning towards the point that you wouldn't need to use the Palo/AD integration if you use either the Controller/Palo or ClearPass/Palo integration.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor
Posts: 4
Registered: ‎11-01-2013

Re: Palo Alto Networks integration and passing the domain name without clearpass

I'm running 6.4.0.3 which has the Palo XML_API integration.

 

The problem with that is it only passes the username that the end user gives it. In my case all my domain computers were passing the username DOMAIN\username properly. It was the iPads/phones etc. where the users were just putting in the username only. Aruba would pass just the username to Palo, causing it to not match the username with their domain account.

Using the syslog parsing method I'm able to tell the Palo box that any user authenticated from the Aruba syslog is from our DOMAIN, and the Palo box now is identifying everyone correctly as domain users.

New Contributor
Posts: 4
Registered: ‎11-01-2013

Re: Palo Alto Networks integration and passing the domain name without clearpass

Michael's solution works great.

If you're using the controller-based setup, the syslog is a slightly different format for the event string. Here are my settings:

PaloSyslog.jpg

Also, if you're trying to troubleshoot the syslog on the Palo CLI, "show user server-monitor state all" will show you if it's parsing correctly.

 

palodebug.jpg
