Moderator
Posts: 455
Registered: ‎11-09-2012

UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

Teams,

I’ve completed a fairly large rewrite of the ClearPass 6.5 and Palo Alto Networks Integration Guide. There is a large amount of new content, and it specifically covers 6.5 enforcement changes (Session Notification now NOT Session restriction), updates to TAGS/DAOs, updates to the real-time post-auth framework and a section on Posture/Health Integration.

You can find the document on the support site here: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=17560

Happy reading – go fill your boots! Comments and feedback/suggestions graciously accepted.

 


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Occasional Contributor I
Posts: 5
Registered: ‎09-16-2014

Re: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

Danny,

Thank you for this guide, it was very straightforward in getting everything set up. I did run across a pain point that took me quite some time to figure out. It may seem silly, but the controllers need to be configured to use ClearPass as their RADIUS accounting server, not just for authentication.

I have a fairly complex environment, which means there are approximately ~70 enforcement policy rules which could be applied (on just the wireless side). Rather than add the enforcement profiles to each policy rule, is there an easier way I could apply this universally? Ideally we'd like every device that touches ClearPass to end up in the Palo's purview.

Sean

Guru Elite
Posts: 7,836
Registered: ‎09-08-2010

Re: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

As of today, it has to be applied to each enforcement rule.

There is an open feature request to have enforcement policy global enforcement profiles that apply to every rule.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor II
Posts: 12
Registered: ‎12-29-2015

Re: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

Hello!

I'm trying to integrate my CPPM v6.5 with a PA-3020 v7.0.1.

I followed all the steps in the guide ClearPass and PANW Integration TechNote (V5 May 2015), but I can't see any logged-in user in the PA with the command show user ip-user-mapping all

I have a service with 802.1x wired with an enforcement policy that does two things: a change of VLAN and PAN-update-node. The authentication is with an Active Directory. The change of VLAN is working, and in Access Tracker I can see both enforcement profiles... but no data is in the firewall.

Any idea?

Thanks!

Regards

Miguel

Occasional Contributor I
Posts: 5
Registered: ‎09-16-2014

Re: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

What is the switch that users are connected to? Do you have RADIUS accounting and interim accounting turned on?

Occasional Contributor II
Posts: 12
Registered: ‎12-29-2015

Re: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

Hello

Finally, the problem was the Palo Alto version 7.0.1. This version has a bug with the XML API, and it is resolved in 7.0.2. I updated my firewall and now it is working.

Thanks to all participants, I hope this can help you.

Regards

Miguel

Frequent Contributor I
Posts: 76
Registered: ‎03-09-2015

Re: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

Is this V5 still gospel and the latest?

Moderator
Posts: 455
Registered: ‎11-09-2012

Re: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

Yes - I've not updated the CPPM/PANW TechNote past the published V5.


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

Occasional Contributor I
Posts: 5
Registered: ‎09-12-2016

Re: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

I'm attempting to get this integration working with CPPM 6.5.5.78974 and PanOS 7.1.4h2.

I have gone through your guide; however, I'm still not seeing anything in the postauthctrl.log to indicate that it is trying to send data. I'm not sure what information anyone would need to help me track down the disconnect, please let me know.

Thank you,

Jim

Moderator
Posts: 455
Registered: ‎11-09-2012

Re: UPDATED - ClearPass 6.5 and Palo-Alto Networks Integration TechNote V5

A basic Q for U. Within Access Tracker, do your sessions show an Accounting tab, i.e. the devices have an IP address?


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass
