Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Palo Alto integration - ClearPass vs controller

  • 1.  Palo Alto integration - ClearPass vs controller

    Posted Nov 02, 2017 09:44 AM

    For the past couple of years we have tried to get the PA-ClearPass integration to work, but it has never proved to be a reliable solution for us. The current problem is a missing user-id timeout from ClearPass, which is scheduled to be fixed in version 6.7. So I have started to look at other solutions. I see there is a PAN Firewall Integration choice on the controllers. Is this working for those of you who are using it? Would there be any interesting side effects if we enabled both ClearPass and controller-based integration?



  • 2.  RE: Palo Alto integration - ClearPass vs controller

    Posted Nov 02, 2017 05:03 PM

    I want to address the issue you refer to about user-id timeout.


    Back in PAN-OS 7.1.5, PAN made a change to the underlying API we used: there was an implicit setting for a time-out that they made optional in 7.1.5. Prior to 7.1.5, when we set the user details the implicit timeout was 0, i.e. never time out.


    This change caused CPPM, when sending user details, to be controlled by the PANW on-box setting [default was 60 minutes]; there was, though, no way to make the user never time out.


    So, we fixed this and changed our API, and we added the now-required setting in the CPPM 6.6.7 patch to override the default value. We now send a never-time-out setting.


    In a future release, we will expose the ability for you to set your own timeout value.


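To make the timeout behaviour described above concrete, here is an added example (not code from the post, ClearPass or Palo Alto) that builds a PAN-OS User-ID XML API login update and then works out what expiry the firewall would apply to each mapping. It assumes the documented `uid-message` / `login` / `entry` format with an optional `timeout` attribute in minutes (0 = never expire), and uses the 60-minute on-box default the post mentions; usernames and IPs are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed sample mappings a User-ID source (CPPM, controller) would push.
SAMPLE_MAPPINGS = [
    ("EXAMPLE\\jdoe", "10.20.30.40"),
    ("EXAMPLE\\asmith", "10.20.30.41"),
]


def build_uid_message(mappings, timeout_minutes=None):
    """Serialize (username, ip) pairs as a User-ID XML API 'login' update.

    timeout_minutes=None omits the attribute, so the firewall falls back to
    its on-box default (the post-7.1.5 behaviour the thread describes);
    0 asks for a mapping that never expires; N > 0 expires after N minutes.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for user, ip in mappings:
        entry = ET.SubElement(login, "entry", name=user, ip=ip)
        if timeout_minutes is not None:
            entry.set("timeout", str(int(timeout_minutes)))
    return ET.tostring(root, encoding="unicode")


def effective_timeouts(uid_xml, onbox_default_minutes=60):
    """Return {ip: minutes} the firewall would apply to each login entry.

    Entries without a timeout attribute inherit the on-box default; this is
    the check to run on a captured CPPM/controller message to confirm the
    never-expire (0) setting is really being sent.
    """
    root = ET.fromstring(uid_xml)
    result = {}
    for entry in root.iterfind("./payload/login/entry"):
        raw = entry.get("timeout")
        result[entry.get("ip")] = (
            onbox_default_minutes if raw is None else int(raw)
        )
    return result
```

Feed `effective_timeouts` a message captured from your actual mapping source (after removing the API key) to see whether users will silently drop out of policy after the default interval.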


  • 3.  RE: Palo Alto integration - ClearPass vs controller

    Posted Nov 03, 2017 02:10 AM

    Hi Danny.


    We are running ClearPass v6.6.7, and it does NOT send the timeout value in our case. I have just been through a TAC case, and they say that it will be fixed in v6.7. The engineering ticket number is 42300 if you want to look into it.


    As I said, we have been trying for two years to get this to work, have had several TAC cases, and I have started to lose faith in this solution. Hence my question about controller integration as a replacement for or supplement to ClearPass.




  • 4.  RE: Palo Alto integration - ClearPass vs controller

    Posted Nov 03, 2017 11:20 AM

    I just reviewed the bug ID; I see DEV has commented that a bug was found affecting your environment. Yes, it will be fixed in 6.7. I will review with DEV/QA and see if I can get it included in the next 6.6.x patch.




  • 5.  RE: Palo Alto integration - ClearPass vs controller

    Posted Nov 06, 2017 02:50 AM

    Thanks Danny. To come back to my earlier question: would there be any problems if we enabled PA integration from the controllers as well as from ClearPass?



  • 6.  RE: Palo Alto integration - ClearPass vs controller

    Posted Nov 06, 2017 10:20 AM

    That might be a solution for you; I wouldn't have Ctrl and CPPM sending info to the firewall though, only one source. Also, it's very important that you understand that the context available from the firewall falls short of what CPPM is able to send. What context are you looking for?



  • 7.  RE: Palo Alto integration - ClearPass vs controller

    Posted Nov 07, 2017 06:00 AM

    We only need enough info to be able to create IP-to-user mappings for all clients on the firewall so we can use AD groups in our security policies.