Moderator

UPDATED TechNote V6: ClearPass and Palo Alto Networks Integration

ClearPass Team,

 

Please find updated information and details related to ClearPass and Palo Alto Networks Integration; this is V6 of this integration guide.

 

In this release, I have rewritten and updated a large section of this document to remove a lot of the 'old' PAN-OS 5.x integration information; we have also migrated the document to the new TechNote template.

 

More interestingly, I have added a new section covering the new functionality related to passing ClearPass ROLE context/labels and how to configure the PANW to use this context [Dynamic Access Groups/TAGS] to drive enforcement in the firewall. This has long been a request from customers since our initial CPPM/PANW integration over 4 years ago.

 

You can find the document on the support site located here https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=25444

 

  

 

Happy reading, go fill your boots! Comments and feedback/suggestions graciously accepted.

 


Best Regards
-d

ClearPass Product Manager

Occasional Contributor II

Re: UPDATED TechNote V6: ClearPass and Palo Alto Networks Integration

Hi Danny,

I implemented the integration between CPPM + PAN using dot1x authentication and firewall policy using the roles. Fantastic!

What about the VPN client scenario implementation? If I understand correctly, the lack of accounting in this case doesn't allow CPPM to generate the XML API call. Is that right?

Do you think it could be possible to use roles in firewall policy when the client is connecting over VPN using GlobalProtect?

Thanks

Guru Elite

Re: UPDATED TechNote V6: ClearPass and Palo Alto Networks Integration

Unfortunately, this is not possible today. Please note that GlobalProtect will use its own user authentication information for user-id.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: UPDATED TechNote V6: ClearPass and Palo Alto Networks Integration

Hi,

In the end I did it. I used Ingress Events to match the login and logout, and I used an enforcement via the Generic HTTP API.

1) I configured Palo Alto to send via syslog just two events, login and logout;

2) I configured Ingress Events to match them and extracted the user and IP address released by GlobalProtect;

3) I created two Endpoint Context Server Actions to send the XML API (Register and Unregister) for the Dynamic Address Group.

4) At the end I created the enforcement profile.

 

When the user logs in, CPPM sends the enforcement DAG Register API (I attached it both to the user's RADIUS authentication Enforcement and to the Ingress Event). The first one is more reactive than the second one. When the user logs off, the Ingress Event sends the UnRegister API.

 

Thanks to the Aruba Community and to ClearPass Product!

I'm going to write a document regarding the configuration.

 
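The flow described in the post above, reproduced offline as an added example (this is not code from the thread, from ClearPass, or from Palo Alto Networks): a constructed GlobalProtect login/logout syslog line is parsed for the user and private IP, and the PAN-OS User-ID XML API message that registers or unregisters a tag on that IP is built, which is what the firewall uses to populate a Dynamic Address Group. The syslog field names ("User name:", "Private IP:") are modelled on the GlobalProtect gateway system-log descriptions but the lines here are constructed; the tag name, users, IPs and API key are placeholders, and in the real flow the tag would come from the ClearPass role rather than a fixed argument.

```python
"""Added example: GlobalProtect syslog events -> PAN-OS User-ID register/unregister XML.

Assumptions: syslog layout below is constructed (field names modelled on the gateway
system-log text, not captured output); tag, users, IPs and API key are placeholders.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample events (not real firewall output).
SAMPLE_SYSLOG = [
    "globalprotectgateway-config-succ: GlobalProtect gateway client configuration succeeded. "
    "Login from: 203.0.113.5, User name: alice, Private IP: 10.70.0.15",
    "globalprotectgateway-logout-succ: GlobalProtect gateway user logout succeeded. "
    "Login from: 203.0.113.5, User name: alice, Private IP: 10.70.0.15",
    "globalprotectgateway-config-succ: GlobalProtect gateway client configuration succeeded. "
    "Login from: 198.51.100.7, User name: bob, Private IP: 10.70.0.16",
]

# The private (tunnel) IP is what the firewall sees as the source of the user's traffic,
# so that is the address to tag, not the public "Login from" address.
FIELD_RE = re.compile(
    r"User name: (?P<user>[^,]+), Private IP: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_event(line):
    """Return {'user', 'ip', 'action'} for a login/logout line, or None if the line
    carries no user/IP pair. 'logout' in the event text means unregister."""
    m = FIELD_RE.search(line)
    if not m:
        return None
    action = "unregister" if "logout" in line.lower() else "register"
    return {"user": m.group("user").strip(), "ip": m.group("ip"), "action": action}


def build_uid_message(action, ip, tag):
    """Build the PAN-OS User-ID API <uid-message> that adds (register) or removes
    (unregister) a tag on an IP. A DAG's match criteria are evaluated against these
    tags, so the tag name must match the DAG's match expression on the firewall."""
    if action not in ("register", "unregister"):
        raise ValueError(f"unsupported action {action!r}")
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    section = ET.SubElement(payload, action)
    entry = ET.SubElement(section, "entry", ip=ip)
    ET.SubElement(ET.SubElement(entry, "tag"), "member").text = tag
    return ET.tostring(root, encoding="unicode")


def build_api_query(api_key, uid_xml):
    """Form body for POST https://<firewall>/api/ with type=user-id. The key is a
    secret: send it only over TLS with certificate validation, and bind it to an
    admin role restricted to the User-ID API."""
    return urlencode({"type": "user-id", "key": api_key, "cmd": uid_xml})


def events_to_messages(lines, tag):
    """Map a batch of syslog lines to (action, user, ip, xml) tuples, skipping lines
    without a user/IP pair, mirroring the Ingress Event -> Context Server Action step."""
    out = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        out.append((ev["action"], ev["user"], ev["ip"],
                    build_uid_message(ev["action"], ev["ip"], tag)))
    return out


if __name__ == "__main__":
    for action, user, ip, xml in events_to_messages(SAMPLE_SYSLOG, "Role-VPN-Employee"):
        print(f"{action:10s} {user:8s} {ip:15s} {xml}")
```

After sending a register message, `show object registered-ip all` on the firewall CLI shows the IP with its tag, and the DAG whose match criteria reference that tag picks it up without a commit; the unregister message removes it the same way. Because the logout event is the only thing that clears the tag, a lost syslog message leaves the tunnel IP tagged until it is reused, which is the caveat to keep in mind when relying on this path rather than RADIUS accounting.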
