New Contributor
Posts: 4
Registered: ‎10-15-2013

Passing AD Group information to Palo Alto via Clearpass - how?

Has anyone found a way around this issue below (or, is it possible and I'm simply doing something wrong?)

 

Summary of the issue - users connect using AD credentials via Clearpass, Clearpass sends information to Palo Alto Firewall, Palo Alto Firewall uses those credentials in firewall rules to control internet access.

 

The problem we have here is that when user information is sent from Clearpass to the Palo Alto, the user AD GROUP is not sent.

 

That is to say:

 

STUDENT\JBLOGGS

 

Gets passed to Palo Alto simply as:

 

JBLOGGS

 

Which makes it difficult to do the right user ID firewall rules on the Palo Alto.

 

So, is this possible and we're just doing something wrong, or is there a way around it? We considered a workaround of assigning the different groups of users to different VLANs, but that just seemed far too messy and complicated.

 

Cheers!

Moderator
Posts: 472
Registered: ‎11-09-2012

Re: Passing AD Group information to Palo Alto via Clearpass - how?

I can advise you we will add the functionality to pass the NT domain in the data we send to the PANW in 6.3. It will be an option to send or not send the domain info.

Currently 6.3 is scheduled for release in December.

Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
New Contributor
Posts: 4
Registered: ‎10-15-2013

Re: Passing AD Group information to Palo Alto via Clearpass - how?

Appreciate the prompt response on that.

 

Thanks!!

New Contributor
Posts: 4
Registered: ‎10-15-2013

Re: Passing AD Group information to Palo Alto via Clearpass - how?

Hi,

 

I was wondering if this update did go through in 6.3?

 

Because I'm onsite with a customer doing a ClearPass/Palo Alto integration and I'm not seeing the NT domain info coming up in the Palo Alto logs.

Moderator
Posts: 472
Registered: ‎11-09-2012

Re: Passing AD Group information to Palo Alto via Clearpass - how?

Hello,

 

Yes, we absolutely added this functionality into the 6.3.x release.

 

Did you select the additional box in the PANW context configuration to tell CPPM to pass the DOMAIN information?

 

What supplicant are you using... is the DOMAIN being entered as part of the Username or is it configured in the supplicant?

 

i.e. when the user signs in they need to enter DOMAIN/USERNAME... we won't extract it from NT and append it to the username if they just use a username when they sign on... makes sense?


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

Moderator
Posts: 472
Registered: ‎11-09-2012

Re: Passing AD Group information to Palo Alto via Clearpass - how?

Take a look at my updated PANW/CPPM TechNote for details, which covers this...


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

New Contributor
Posts: 4
Registered: ‎10-15-2013

Re: Passing AD Group information to Palo Alto via Clearpass - how?

aaaah okay, so if say, a student logs in, and they log in as "STUDENTA" that will just go through as such.

 

They would have to make sure they login as "student\STUDENTA" and then it would go through as such.

 

Is that right?

Moderator
Posts: 472
Registered: ‎11-09-2012

Re: Passing AD Group information to Palo Alto via Clearpass - how?

Correct..!!


Please excuse my errors as sent using my small useless keyboard on my smartphone.

Regards
--d

Danny Jump | Technical Marketing Engineer - Networking Services | Aruba Networks
o: 408-513-8938 (diverts to cell)
e: danny@arubanetworks.com

Best Regards
-d

Snr Tech Marketing Engineer - ClearPass
