Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

TechNotes Posted to support.arubanetworks.com

  • 1.  TechNotes Posted to support.arubanetworks.com

    Posted Mar 18, 2014 04:02 PM

    Team CPPM,

     

     

    We have posted a bunch of TechNotes that I’ve written/published internally over the last 12-months to support.arubanetworks.com for general consumption, http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961
     
    The List of TechNotes published is:  MDM, PKI-101, Palo-Alto, vMotion, Amigopod-Migration, Service-Routing, DELL iDRAC, OnGuard in a Cluster......
     
    I have others in DRAFT/WIP such as SLB + CPPM, CPPM in a Cluster.....I will post back here as I get these released and completed in the coming weeks....


  • 2.  RE: TechNotes Posted to support.arubanetworks.com

    EMPLOYEE
    Posted Mar 18, 2014 04:39 PM

    Thanks Danny!  Appreciate all the hard work on this!  



  • 3.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Mar 19, 2014 09:38 PM
    I had no idea there was a tech notes section on the support site. Thanks for bringing this to my attention. Great info out there!


  • 4.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Mar 19, 2014 10:18 PM

    It's actually been here for ages, but we've never posted any material here really, certainly not in past 12-months since I joined. We have all these TechNotes that I've written that are available internally and it was decided we should 'share-the-love' and make them available to our partners/customers.

     

    Hope you find some useful material/content in them. I will ensure as I create/update new docs they get posted here going forward.



  • 5.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Mar 20, 2014 11:35 AM

    Thanks for all your work on these Danny! Good stuff. Especially the certificates doc. 

     

    One question in regards to your Palo Alto v4 integration. Must the account on the firewall/panorama be a SuperUser / Device-Administrator? Can this be locked down further? I have a very large global customer that wants to do this integration but is wary of creating that high level account. Palo Alto account roles can be very granular so if it can be locked down more that would be fantastic. 



  • 6.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Mar 20, 2014 12:36 PM

    Josh,

     

    I'll need to do some additional testing......give me today to get through today's 'stuff' and I'll find time to get this tested and post back here for you.

     

    OK?



  • 7.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Mar 20, 2014 12:41 PM

    thank you very much indeed, some of these have been mentioned before, good to have them public now.



  • 8.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Mar 20, 2014 05:55 PM

    Josh,

     

    Sorted.

     

    So basically what I've setup and tested is this.

     

    On the PANW, under Device, Admin Roles, add a new role, say cppm-xml. Then click on the role to edit it; it gives you a pop-up window with three tabs: Web UI, XML API & Command Line. Under Web UI I disabled everything, under XML API I disabled everything except 'User-ID agent'.

     

    Then I created a new Administrator, say cppm-admin, provide a password but change the Role from Dynamic to 'Role Based', choose the Admin Profile previously created in the drop down, then obviously use this new admin profile when configuring the context server on CPPM.

     

    I've tested this with PAN-OS 6.01, the config under PAN-OS 5.x looks the same but I've NOT tested it.

     

    Hope this helps you out. I'll add this snippet to my next CPPM/PANW TechNote. :-)

     

     



  • 9.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Mar 20, 2014 05:50 PM
    Sounds good. Thanks Danny.


  • 10.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Mar 21, 2014 07:06 AM
    Thanks Danny. This is exactly the info I needed.


  • 11.  RE: TechNotes Posted to support.arubanetworks.com

    Posted May 23, 2014 07:43 PM

    Team CPPM,

     

    I've just posted an updated TechNote.....  CPPM Service Routing V3.

     

    You can find it here along with all my other TechNotes.....  http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961

     

     

    Have a great Weekend.....happy reading...... and go "fill your boots"..!!

     



  • 12.  RE: TechNotes Posted to support.arubanetworks.com

    EMPLOYEE
    Posted May 24, 2014 07:15 AM

    I give it 5 out of five chilis!



  • 13.  RE: TechNotes Posted to support.arubanetworks.com

    Posted May 28, 2014 06:40 PM

    Team CPPM,

     

    I’ve just published a NEW TechNote covering two Advanced Deployment use-cases for CPPM and PANW. I hope over time to add more of these to this document……The two use case scenarios are as follows….

     

    Configuring the PANW firewall to ingest AD Group Information and then make policy enforcement based upon the AD username passed from CPPM to PANW via the UserID API. The user will obviously be a member of one of the AD groups ingested by the PANW firewall. In our documented use case, ‘carlos’ as a member of the PLM AD group is denied access to social-networking sites. :-)

     

    Configuring the PANW firewall to make a policy enforcement based upon the HIP data sent from ClearPass. In our scenario we profile an endpoint and discover it's an XP workstation, our use-case policy denies access for Windows XP due to MSFT no longer supporting this OS, we therefore deem this an unsafe OS to have in use in our enterprise.

     

    Customer/partners can find the document on the support site http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961

     

     

     

    I also updated the 'Service Routing TechNote' to a V3..... found at the above URL and was posted last Friday.



  • 14.  RE: TechNotes Posted to support.arubanetworks.com

    Posted May 29, 2014 11:13 AM

    danny - the download link for the new PANW appears broken...



  • 15.  RE: TechNotes Posted to support.arubanetworks.com

    Posted May 29, 2014 11:52 AM
    I believe it was until about 11:00pst last night.... Have U tried today?


    Please excuse my errors as sent using my small useless keyboard on my smartphone.

    Regards
    --d

    Danny Jump | Technical Marketing Engineer - Networking Services | Aruba Networks
    o: 408-513-8938 (diverts to cell)
    e: danny@arubanetworks.com


  • 16.  RE: TechNotes Posted to support.arubanetworks.com

    Posted May 29, 2014 12:03 PM

    Still get this error:

     

    This XML file does not appear to have any style information associated with it. The document tree is shown below.
    <Error>
    <Code>AccessDenied</Code>
    <Message>Access Denied</Message>
    <RequestId>A9BF03FAD3EE1657</RequestId>
    <HostId>
    Oh9+XWGh3Cv4q9f2yAd6ktr178dniwQiCiRMaLe0xvo5bP/HEL0Ej6ML61iUdZ4L
    </HostId>
    </Error>


  • 17.  RE: TechNotes Posted to support.arubanetworks.com

    Posted May 29, 2014 12:14 PM

    I raised this to our WEB posting team last night and got a response back saying it had been fixed..... clearly not..... I'm sorry for this issue... but I'm on it.... bear with me.



  • 18.  RE: TechNotes Posted to support.arubanetworks.com

    Posted May 30, 2014 11:49 AM

    Team CPPM,

     

    The error related to access for the new CPPM + PANW Advanced Deployment TechNote I posted a couple of days back has been resolved. Sorry for the delay.... I hope the delay was worth it.

     

    Send any feedback comments directly to me at danny@arubanetworks.com

     



  • 19.  RE: TechNotes Posted to support.arubanetworks.com

    EMPLOYEE
    Posted May 29, 2014 02:49 PM

    Danny,

     

    I noticed there's also a doc that you posted on March 18, 2014 called, ClearPass 6.X and PANW Integration V4 that's a read-me-first.  Both of these should help answer a few questions I have.

     

    Definition of HIP Objects being one thing...

     

    Thanks for working on these,

    Trent



  • 20.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Apr 24, 2017 04:09 PM
    Hi, I need to configure Clearpass/Palo Alto integration for UserID integration but I meet some issues. I have followed this Tech Note: ClearPass Palo Alto Networks Integration with CPPM, but this does not seem to work correctly.

    My release version is:
    · Clearpass Release 6.6.5
    · Palo Alto PANOS 7.1.6

    Indeed, when a machine authenticates itself for the first time, the clearpass transmits/updates information to the palo alto, but when the palo alto timeout has elapsed, the clearpass information is not retransmitted/updated. On the first authentication, I can see in the show user mapping the user information From “XML API” and username, but when Palo Alto User identification timeout is elapsed the user From and username goes in “unknown”.

    I also need to retrieve the user role from Clearpass; this feature seems to be available in Clearpass 6.5.5 release.

    Can you help me to find what poses problem?

    Thank you in advance,
    Olivier


  • 21.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Apr 24, 2017 04:44 PM

     In versions earlier than PAN-OS 7.1.5, when you did not specify a timeout value via XML API (which is the case with ClearPass), the timeout value was treated as 0, which meant that the firewall would not expire the IP address and username mapping. 

    • In PAN-OS 7.1.5 and 7.1.6, to ensure that the mapping did not expire, we must explicitly set the timeout value to 0 in the XML API Call. If you do not explicitly specify a timeout value in the API request, the firewall inherits the User-ID timeout value configured on the firewall. The configuration on the firewall is controlled by two fields under Device > User Identification > User Mapping > Cache: (i) Enable User Identification Timeout (ii) User Identification Timeout  

    o    If the checkbox “Enable User Identification timeout” is unchecked, a default timeout of 60 min is applied.

    o    If the checkbox is checked, then the timeout value specified in User Identification Timeout would be used. This can go to a maximum of 3600 minutes.

     

    We are planning to fix this on our end to include a timeout of 0 in a future release.

     

    In respect of the request about roles, you refer to 6.6.5 & 6.5.5... can you clarify please?

     

    But to add, I'm currently updating the CPPM/PANW TechNote... hoping to get this posted by the end of this week. It will include how to send/use CPPM roles in PANW and covers the timeout issue.
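
The timeout behaviour described in the reply above, as an added example (not part of the original post and not ClearPass or Palo Alto code). It builds a User-ID XML API login message with or without an explicit `timeout` attribute and works out which expiry each mapping ends up with; the function names and sample user/IP are constructed, and treating releases later than 7.1.6 like 7.1.5/7.1.6 is an assumption.

```python
import xml.etree.ElementTree as ET

DEFAULT_TIMEOUT_MIN = 60    # applied when "Enable User Identification Timeout" is unchecked
MAX_TIMEOUT_MIN = 3600      # upper bound of "User Identification Timeout" per the post


def build_login_message(mappings, timeout=None):
    """Build a User-ID <uid-message> login payload.

    mappings: iterable of (username, ip) pairs.
    timeout:  minutes; None leaves the attribute out (what ClearPass did at the
              time of the post), 0 asks the firewall never to expire the mapping.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for user, ip in mappings:
        attrs = {"name": user, "ip": ip}
        if timeout is not None:
            attrs["timeout"] = str(timeout)
        ET.SubElement(login, "entry", attrs)
    return ET.tostring(root, encoding="unicode")


def firewall_timeout(timeout_enabled, configured_min):
    """Timeout the firewall applies from Device > User Identification > User Mapping > Cache."""
    if not timeout_enabled:
        return DEFAULT_TIMEOUT_MIN
    return min(configured_min, MAX_TIMEOUT_MIN)


def effective_timeouts(message_xml, panos_version, timeout_enabled, configured_min):
    """Return {ip: minutes} for each login entry; 0 means the mapping never expires.

    panos_version is a tuple such as (7, 1, 6). Before 7.1.5 an omitted timeout is
    treated as 0; from 7.1.5 (assumed to hold for later releases too) an omitted
    timeout inherits the firewall setting.
    """
    inherits_when_omitted = panos_version >= (7, 1, 5)
    result = {}
    for entry in ET.fromstring(message_xml).iterfind("./payload/login/entry"):
        raw = entry.get("timeout")
        if raw is not None:
            result[entry.get("ip")] = int(raw)      # explicit value wins
        elif inherits_when_omitted:
            result[entry.get("ip")] = firewall_timeout(timeout_enabled, configured_min)
        else:
            result[entry.get("ip")] = 0
    return result


def never_expiring(timeouts):
    """IPs whose mapping stays until an explicit logout (the table-growth concern)."""
    return sorted(ip for ip, minutes in timeouts.items() if minutes == 0)


if __name__ == "__main__":
    sample = [("corp\\olivier", "10.0.0.23")]       # constructed sample mapping
    omitted = build_login_message(sample)
    explicit = build_login_message(sample, timeout=0)
    print(omitted)
    print("7.1.4, omitted :", effective_timeouts(omitted, (7, 1, 4), False, 45))
    print("7.1.6, omitted :", effective_timeouts(omitted, (7, 1, 6), False, 45))
    print("7.1.6, explicit:", effective_timeouts(explicit, (7, 1, 6), True, 45))
```

An explicit timeout of 0 keeps every mapping until a logout message removes it, so size the firewall's user table accordingly or send a finite value instead.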

     



  • 22.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Apr 25, 2017 03:43 AM

    Hi Danny,

     

    Thank you for your reply. 

     

    Therefore, what is your recommendation? I think it is not a good idea to set timeout at 0. All users will be always authenticated and my PANW user database can reach the limit.

     

    Concerning roles, Clearpass release note 6.6.4, 6.6.5 it's written 

     

    Enhanced Support for third parties

    • ClearPass now sends the user’s ClearPass role information to Palo Alto Networks firewalls during login. The role is unregistered from the firewall when the user logs out. For customers with lower end firewalls, it is recommended that they wait to update ClearPass as we’ll be making a further enhancement in a later release to make this a configurable option.

    In CP 6.6.5,  Administration -> External Servers, Endpoint Context Servers -> Edit Server I see : Clearpass role : Enable Sending of applicable role information

     

    My purpose is to recover the user role assigned by CP and use it in my policy rule as a user group.

     

    Thank you



  • 23.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Jun 05, 2014 07:36 PM
    Team CPPM,
     
    Please find an updated TechNote on CPPM Profiling/Fingerprinting. I’ve published this earlier than I wanted due to multiple sources requesting this doc. Note that we will update this doc when we get 6.3.5 out the door in a couple of months time.
     
     
    Send me any feedback you want incorporating in to the next release and I’ll try to accommodate.
     
     
     


  • 24.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Jul 03, 2014 02:57 PM
    Team,
     
    I’ve just published a NEW TechNote covering OnGuard Troubleshooting.
     
     
     
    If you have any questions or queries, please feed them back to me here or direct danny@arubanetworks.com.
     
     


  • 25.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Jul 20, 2014 11:50 PM

    Team,

     

    I’ve just UPDATED the Advanced Deployment TechNote for CPPM + Palo Alto.

      

    I’ve added to this TechNote the scenario how we manipulate the username we pass to the PANW for a Guest/MAC cache deployment. A typical use-case for a user who is a Guest or for any scenario where we might MAC cache a user the issue was that we would send their MAC address to the PANW in place of their username when they re-authenticated. This new section documents how to overcome this issue. 

     

    You can find the TechNote in the usual location on the support site here:- http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961



  • 26.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Aug 13, 2014 01:59 PM

    Team CPPM,

     

    I’ve posted a new TechNote written by two of our engineering team.

     

    This document provides the use cases, motivation, the list of components, requirements, the mechanics of the control and data flow and the configuration steps required to implement a solution which integrates Aruba ClearPass Access Management System (“ClearPass”), IBM Security Access Manager for Web (“ISAM for Web”), IBM Security Access Manager for Mobile (“ISAM for Mobile”), a typical Mobile Device Management (MDM) solution such as Fiberlink MaaS360 and an Aruba Wireless Controller (acting as a Network Access Server and L2 switch). The key element of the integration is an External Authentication Interface (EAI) component provided as a plugin to, and using an API supported by, ISAM for Web (“EAI Application Plugin”).

     

    The approach taken is to use the SAML standard, modified by a patent-pending idea invented by Aruba Networks (see references) and leveraging recent feature additions in ClearPass v6.3 and Aruba’s wireless controller software AOS v6.4 to provide two key benefits: (1) network level (i.e. L2 level) Single Sign-On (SSO) functionality to a web resource protected by ISAM for Web; and (2) to enable ISAM for Mobile to use MDM attributes collected by ClearPass (via the integration with an MDM solution)




    You can find the document in the usual place on the support site:- http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961



    Go fill your boots…!!

     



  • 27.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Sep 22, 2014 04:06 PM
    Team CPPM,
     
    I’ve FINALLY published a NEW TechNote covering ClearPass and F5 Deployment. It's pretty long at 80-pages.
     
     
     
    Happy reading ….. Feedback to me please…… ‘Go knock yourself out’…..!!

     



  • 28.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Oct 10, 2014 01:58 PM
    Team,
     
    I’ve just updated the CPPM + EMM TechNote to V3. I’ve added information about SAP Afaria that we added in our 6.4 release and other minor updates through the document. I have added a large section (15-pages) on SCEP Configuration and integration, specifically with MobileIron and Airwatch.
     
     
     
     
    Happy reading – go fill your boots..!!


  • 29.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Oct 21, 2014 01:31 PM
    Team,
     
    Please find an updated TechNote on CPPM Profiling/Fingerprinting V1.1. I’ve updated a few minor blemishes in the doc but have mainly updated the section on the use/deployment of the MSFT Exchange plugin for Exchange 2013. We use the Exchange plugin as an additional source of context to capture endpoint details. There are examples in the TechNote.
     
     


  • 30.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Nov 04, 2014 12:34 AM
    Team,
     
    I’ve just published a NEW TechNote providing an overview to ClearPass Exchange. This guide takes you through ClearPass Exchange and provides you with an example deployment using sendgrid.
     
     
     
     

     



  • 31.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Nov 04, 2014 12:39 AM
    Team,
     
    I’m pleased to announce that last week Splunk approved the posting of our Aruba ClearPass App for Splunk Enterprise. The App is available on the Splunk Apps store for you to download. It can be downloaded from here http://apps.splunk.com/app/1895 or by searching the Splunk App Store https://apps.splunk.com.
     
    The supporting TechNote and the Syslog XML Export file (referenced in the TechNote)  are available on the below links.
     
    We are unfortunately unable to upload the TechNote PDF and the Syslog XML file to the Splunk App store.
     

     

     
    Please try this new initiative from the ClearPass Team. Any Questions/Feedback/Enhancement Requests can be directed to me.


  • 32.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Nov 04, 2014 07:06 PM
    Team CPPM,
     
    Please find the long awaited CPPM Cluster TechNote…..Yeah……. Straight away I need to tell you that this is not 100% complete…Booo… We're missing some of the WAN 'at-load' sizing analysis. We’ve released the TechNote as we believe that a lot of the data/information I’ve gathered should be shared now and not wait for the missing data. I’d like to have the missing data captured and documented in a V2 before the end of 2014.
     
    Customers/partners can find this on the support site here….. http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961
     
     
    Please Please….. Let me know what you need/want/would-like adding to this Guide.
     
     
     


  • 33.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Mar 17, 2015 03:34 PM
    Teams,
     
    I’ve completed the ClearPass 6.5 and Fortinet integration Guide. It covers two methods of integration with Forti-Authenticator (RESTful Framework using ClearPass Exchange and RADIUS Accounting) and a single method for the FortiGate (only RADIUS Accounting).
     
     
     
     
     
    Happy reading – go fill your boots..!!….. comments and feedback/suggestions graciously accepted.


  • 34.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Mar 25, 2015 02:13 PM

    Team CPPM,

     

    I’ve completed the ClearPass 6.5 and Checkpoint Integration Guide. It covers two methods of integration, the first using our RESTful Framework using ClearPass Exchange, the second uses our new Proxy RADIUS Accounting.

     

     

    You can find the document on the support site  http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961

     

    Specifically here CPPM TechNote - 3rd Party Enforcement Points (CheckPoint) v1

     

     

    Happy reading – go fill your boots..!!….. comments and feedback/suggestions graciously accepted.

     



  • 35.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Apr 06, 2015 05:46 PM

    Teams ClearPass,

     

    I’ve updated the ClearPass 6.5 and Checkpoint & Fortinet Integration TechNotes. The MAJOR update covers the ability to dynamically calculate the user’s role via Role Mapping before we send this to the enforcement points. Normally an easy process, but I was unable to perform this previously due to a minor UI bug, but the TechNote now covers the process. I’ve also added some minor adjustments from the feedback I received from Fortinet and CheckPoint directly.

     

    You can find the document on the support site  http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961

     

    Specifically here CPPM TechNote - 3rd Party Enforcement Points (Fortinet) V1.1  and here  CPPM TechNote - 3rd Party Enforcement Points (CheckPoint) v1.1

     

     

     

    Happy reading – go fill your boots..!!….. comments and feedback/suggestions graciously accepted.



  • 36.  RE: TechNotes Posted to support.arubanetworks.com

    Posted May 28, 2015 07:08 PM

    Teams,

    I’ve completed a fairly large re-write of the ClearPass 6.5 and Palo Alto Networks integration Guide. There is a large amount of new content and specifically covers 6.5 enforcement changes (Session Notification now NOT Session restriction), updates to TAGS/DAO’s, Updates to the real-time post-auth framework and a section on Posture/Health Integration.

     

    You can find the document on the support site here..... https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=17560

     

    Happy reading – go fill your boots..!!….. comments and feedback/suggestions graciously accepted.



  • 37.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Jun 09, 2015 04:04 PM

     I’ve written a NEW TechNote covering some of the integration possible between CPPM and the HP Provision switches (commonly referred to as ProCurve). The TechNote at this juncture is not as complete as we’d like but due to other commitments we wanted to share with you what we have, it's not as polished as normal but like I said we wanted to share what we had sooner rather than later. I expect this doc will go through multiple revisions over the next couple of months as we add new content, update what we know, correct what we have.  

     
     
    You can find the document on the support site ClearPass and ProCurve Integration TechNote V1
     
     
     
    Happy reading – go fill your boots..!!….. comments and feedback/suggestions graciously accepted.

     



  • 38.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Jun 29, 2015 04:31 PM

    Team CPPM,

     
    I’ve published a NEW integration TechNote covering ClearPass 6.5.2 and iboss WEB Security Proxy. Note that 6.5.2 is the minimum release vehicle to support this integration.
     
    You can find the document on the support site located here TechNote - 3rd Party Enforcement Points (iBoss) V1
     
     
     
    Happy reading – go fill your boots..!!….. comments and feedback/suggestions graciously accepted.


  • 39.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Jul 17, 2015 12:41 PM
    Teams,
     
    I’ve published an UPDATED integration TechNote covering ClearPass 6.5 and Checkpoint. This is an IMPORTANT update.
     
    When I was engaged with CheckPoint their plan at the time was to release a new code-train, this was going to be the release vehicle for the RESTful integration. It came to my notice about two weeks back that they changed their plan and they have delayed the release. However, they have since released the REST integration into their existing R77 platforms via HOTFIX’s. So, I’ve built a new R77 testbed and have tested and documented this “interim” integration. There are a few key changes, the URL POST path has been changed and the method to set the pre-shared password has also changed. I have captured these changes in the TechNote. 
     
    Customer/partners you can find the document on the support site located here CPPM TechNote - 3rd Party Enforcement Points (CheckPoint) v1.2.pdf
     
     
    Happy reading – go fill your boots..!!….. comments and feedback/suggestions graciously accepted.

     



  • 40.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Jul 29, 2015 05:53 AM

    Teams, I’ve UPDATED the Profiling TechNote adding in details of the features from the CPPM 6.5 release, such as TCP Fingerprinting, On-demand SUBNET scan, SNMP Updates and the framework we developed to allow administrators to perform custom device classification of unknown devices. Basically we allow admins to create custom rules for an endpoint using profiled attributes.

     

    You can find the document on the support site located here ClearPass Profiling TechNote V1.2.pdf

     

     

    Happy reading – go fill your boots..!!….. comments and feedback/suggestions graciously accepted.



  • 41.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Sep 08, 2015 03:30 PM

    Teams,

    I’ve published an UPDATED integration TechNote covering ClearPass 6.5.3 and CheckPoint. What's important to note is that we have added the ability to share additional context meta-data about endpoints. This is generically available to any vendor but I’ve been working specifically with CheckPoint to have them incorporate this into the API framework, so beyond us being able to send the data to CheckPoint they can ingest and use this context in their policy enforcement, the two new exposed attributes are %device_family & %device_type.


    You can find the document on the support site located here https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=18814

     



  • 42.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Sep 08, 2015 05:01 PM
    Team,
     
    I’ve UPDATED our ClearPass MDM/EMM TechNote and have added a section on integration with BlackBerry BES10 server.
     
     
    You can find the document on the support site located here TechNote_ClearPass_EMM_Integration V4.pdf
     
     
     
    Happy reading – go fill your boots..!!….. comments and feedback/suggestions graciously accepted.


  • 43.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Sep 16, 2015 11:01 PM
    Teams,
     
    I’ve got another integration completed for you…!!! This is to allow ClearPass to interoperate with Intel McAfee Log Collector which works like an ‘Auth Proxy’ talking to the following Intel McAfee products allowing CPPM to share context we have about the User/IP etc. in the same way we do for other firewall/security enforcement points.
     
     
    • Integration with McAfee Next Generation Firewall 5.8 and later
    • Integration with McAfee Firewall Enterprise 8.x.x
    • Integration with McAfee Firewall Enterprise Control Center 5.x.x
    • Integration with McAfee Network Security Manager 7.5.3.11 and later
    • Integration with McAfee Data Loss Prevention 9.x.x and later
     
    Customer/partners can find the document on the support site located here CPPM TechNote - 3rd Party Enforcement Points (Intel McAfee MLC) V1.pdf
     
     
     
    Happy reading – go fill your boots..!!….. comments and feedback/suggestions graciously accepted.

     



  • 44.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Oct 17, 2015 04:38 PM

    Team ClearPass,

     

    As most of you will hopefully know come November the 1st 2015 there is a change in the way the CA's will/will-not issue Public Certificates. I've captured these changes and updated the Certificate 101 TechNote. You can find the guidance and details about that change in a 2-page section I've added.

     

    The technote is available in the usual location on the support site here:- CPPM - Certificates 101 TechNote V1.2.pdf



  • 45.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Nov 05, 2015 02:48 PM

    Team CPPM,

     

    A new configuration guide covering Unified Wireless (HP UWW) with ClearPass has been published. The guide covers three use cases:
    • 802.1X
    • MAC Authentication
    • Guest Captive Portal
    The guide is available here on the support site.
     
     


  • 46.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Nov 09, 2015 08:35 PM
    Teams,
     
    I’ve UPDATED our ClearPass MDM/EMM TechNote and have added a section on integration with Globo GO! Enterprise EMM Server. Note that Globo is significantly more active in EMEA than NA.
     
     
    Customer and Partners can find the document on the support site located here Tech Note: ClearPass Enterprise Mobility Management Integration V5
     
     
    Happy reading – go fill your boots..!!….. comments and feedback/suggestions graciously accepted.


  • 47.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Feb 06, 2016 03:06 PM
     

    Teams,

    This NEW TechNote covers how to setup in this case a Palo-Alto Network Firewall to send CEF formatted syslog to ArcSight ESM. Have ArcSight parse this syslog, read the KVP’s and use the KVP’s to trigger API calls into ClearPass via a .py script when it detects ‘threats’ coming from the PANW. Later I plan to add the configuration for CheckPoint/Juniper and potentially Fortinet to this solution.

    (Note: credit for the .py goes to Bob Filer)

    You can find the document on the support site located here CPPM TechNote - Network Threat Detection with SIEM Integration V1.pdf <https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=20286>

    Happy reading – go fill your boots..!!….. comments and feedback/suggestions graciously accepted.



  • 48.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Mar 21, 2014 01:35 PM

    Team CPPM,

     

    Please find a V1 of a new TechNote covering as an introduction the reporting and graphing feature added in CPPM 6.3.0 – Graphite. This is what I refer to as a ‘sunrise’ feature where we are just providing the first early glimpses of this new feature.

     

    This is not the be-all/end-all of Graphite’s capabilities neither does this replace any additional ‘official’ documentation which should follow at a later time, this is intended to make you aware of Graphite and some of its most excellent capabilities.

     

    It can be located in the same folder as the other TechNotes I posted earlier this week, in the words of me .... 'Fill yer boots'.... which translated from british slang is 'help yourself'....Happy Reading.

     

    http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961

     

     



  • 49.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Mar 31, 2014 12:23 PM

    TEAM CPPM,

     

    I just wanted to bring this back to your INBOX to make sure everyone is aware of the material I have posted to the support site recently. We will continue to post new documents as we release them internally here for external consumption.

     

    Please feel free to email me with any feedback so this can be incorporated into future documentation releases.



  • 50.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Apr 01, 2014 07:38 AM

    Danny,

     

    I've seen several versions of parts of these documents in the Arubapedia, but these are complete and as such - awesome! 

     

    Tho - I now have wee bit many sources to look to find information. I'm now already using Airheads, Arubapedia and the Knowledge Base - which are all indexed and searchable within their realm, and through some degree - Google.. These documents aren't :(

     

    Could it be a future option to update ie. Arubapedia with the complete text and pdf as an attachment?



  • 51.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Apr 01, 2014 11:44 AM

    John,

     

    Thanks for your input - very valuable. Just to add, we had initially planned to post all my TechNotes to the AFP site, but customers don't get access, as it's partner restricted. So posting to the support site 'shares the love' for ALL.

     

     

    So, I'm just the idiot that writes the material......let me go speak to our Web/Marcom team and understand what needs to happen to fulfil your request. Bear with me.



  • 52.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Apr 01, 2014 05:13 PM

    Team CPPM,

     

    Today we have added a new TechNote to the list of published documents. SAML Configuration TechNote.

     

    This document describes several SAML deployment options for ClearPass Policy Manager as both a SAML Service Provider (SP) and SAML Identity Provider (IdP). Using these SAML capabilities enables integration with numerous 3rd-party SAML SPs and IdPs such as Shibboleth, simpleSAMLphp, and Google Apps.

     

    In addition, when used in conjunction with Aruba controllers running AOS 6.4, the SAML IdP capability of ClearPass enables Aruba Automatic Sign On (ASO). Using ASO, a wireless LAN user can use their 802.1X authentication to provide Single Sign On to SAML-enabled applications.



  • 53.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Apr 16, 2014 02:22 PM

    Team CPPM,

     

     

    Today we have added a new TechNote to the list of published documents: - ADCS with ClearPass Onboard v1.1

     

    This document explains the use of Microsoft Active Directory Certificate Services (ADCS) to sign Onboard device TLS certificates, versus using the ClearPass Onboard Certificate Authority (CA) to do the signing.

     

    The use of ADCS provides for centralized management of TLS certificates including expiration, revocation, and deletion through ADCS. This feature has been designed to provide an easy integration of ClearPass Onboard into an existing Public Key Infrastructure (PKI) deployment based on Active Directory Certificate Services.

     

     

    You can find the doc here with all our other TechNotes. Happy reading - Fill your Boots..!!

     http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961

     

     

     



  • 54.  RE: TechNotes Posted to support.arubanetworks.com

    EMPLOYEE
    Posted Apr 16, 2014 04:59 PM

    I like the new "Using ADCS with ClearPass Onboard" Tech Note posted today (4/16). Need to learn more regarding PKI's and certificates. The workflow for signing iOS is great.

     



  • 55.  RE: TechNotes Posted to support.arubanetworks.com

    Posted Apr 28, 2014 02:09 PM
    Team,
     
    Please find enclosed a new TechNote covering Integrating CPPM with ArcSight Logger. This TechNote provides a detailed configuration on how to configure CPPM to send Syslog and how to configure HP’s ArcSight Logger to receive and parse this ingested data. ArcSight Logger is a leading Security Information and Event Management (SIEM) solution that is widely deployed across many enterprise customers.
     
    You can find this posted with my other TechNotes..... specifically here …