Frequent Contributor I

Troubleshoot PAN Integration

I've followed all of the steps to set up PAN integration, but don't see the Aruba controller logging into my Palo Alto firewall (or even trying).

 

I did the following:

 

1. created PAN server profile.

2. activated the profile

3. enabled 'PAN Firewall Integration' in my AAA profiles.

 

On the firewall side, I created a super user admin account.

 

Did I miss anything?  If not, are there any commands on the Aruba to troubleshoot what might be happening?  I don't see anything in the logs related to PAN except for the config commands from when I added the config.

Frequent Contributor I

Re: Troubleshoot PAN Integration

Never mind.  Found it:

 

(hostname) # show pan ?
active-profile          Active PAN profile
debug                   Show PAN debug information
profile                 Palo Alto Networks Servers profile
state                   Show PAN Interface connection state
statistics              Show PAN Interface Statistics

Frequent Contributor I

Re: Troubleshoot PAN Integration

So my PA firewalls show as down, but I can ping them just fine and traceroute in both directions shows the correct path.  I can also log into them via the browser with the account I created.

 

Is there anywhere to get more details on why they show as 'down'?

Frequent Contributor I

Re: Troubleshoot PAN Integration

Looking at a packet capture, on the SSL setup, the server eventually sends a 'fatal / handshake error' at the end of the negotiation - after the controller sends its cert, client key exchange, change cipher, and encrypted handshake message.

Frequent Contributor I

Re: Troubleshoot PAN Integration

It was a server cert issue since I used the firewall's IP rather than hostname.  I changed it to hostname and now it's up - except all user-ID requests are 'skipped' still.

 

And I don't see any logins on my PA firewalls.

Occasional Contributor I

Re: Troubleshoot PAN Integration

Hi mmartin

 

did you ever get this right? I have the same issue. Loaded certificates etc etc. but still no joy.

Could you help?

Frequent Contributor I

Re: Troubleshoot PAN Integration

I never got it working that way and Aruba & Palo Alto support just ran me around in circles for weeks.  What we ended up doing was sending user events from our controllers (via syslog) to a server running the Palo Alto user agent.  On the Palo Alto user agent, we parsed the syslog messages to map the info to the correct fields, then the Palo Alto pulls the info from the agent.  We were already running the agent for AD logins, so it was a pretty simple solution.

 

See this KB.  It's actually based on Aruba logs, so you can follow it just about verbatim.

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Collect-the-User-IP-Mappings-from-a-Syslog-Sender-Using/ta-p/62085

Occasional Contributor I

Re: Troubleshoot PAN Integration

Thanks. Just another question: what does your logging look like on the Aruba controller? I seem to get all logs except what I need.

 

Thanks again!

Frequent Contributor I

Re: Troubleshoot PAN Integration

config > logging >

 

ip = x.x.x.x (where the agent is setup)

category = user

logging facility = localx

severity = all

 

Pretty simple actually.  On the agent side, we had to poke holes in the host-based firewall on the server(s).
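As an added example (not the poster's own configuration and not the Palo Alto User-ID agent's code), this is the kind of user-to-IP table the agent builds from those forwarded "user" category messages: a regex per event, a mapping created on a successful authentication and removed on logout, failed authentications ignored, and the agent's default domain prepended to usernames that arrived without one so the firewall can resolve them to a group. The log lines are constructed to approximate ArubaOS user-category syslog output; the message IDs, controller name, usernames, MACs and addresses are made up, and `authmgr`, the default domain `CORP` and the NetBIOS-from-FQDN shortcut are assumptions for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample syslog lines approximating the ArubaOS "user" log category
# forwarded to the User-ID agent host. Message IDs (<52200x>), the controller
# name, usernames, MACs and addresses are made up for this example.
SAMPLE_SYSLOG = r"""
<140>Jan  5 09:12:01 2020 ctrl-1 authmgr[1234]: <522008> <NOTI> <ctrl-1 10.0.0.1> User Authentication Successful: username=jdoe MAC=00:11:22:33:44:55 IP=10.20.30.40 role=employee VLAN=20 AP=ap-lobby SSID=corp AAA profile=corp-aaa auth method=802.1x
<140>Jan  5 09:12:05 2020 ctrl-1 authmgr[1234]: <522008> <NOTI> <ctrl-1 10.0.0.1> User Authentication Successful: username=CORP\asmith MAC=66:77:88:99:aa:bb IP=10.20.30.41 role=employee VLAN=20 AP=ap-lobby SSID=corp AAA profile=corp-aaa auth method=802.1x
<140>Jan  5 09:12:09 2020 ctrl-1 authmgr[1234]: <522009> <WARN> <ctrl-1 10.0.0.1> User Authentication Failed: username=mallory MAC=de:ad:be:ef:00:01 IP=10.20.30.42 AP=ap-lobby SSID=corp reason=bad password
<140>Jan  5 09:40:00 2020 ctrl-1 authmgr[1234]: <522010> <NOTI> <ctrl-1 10.0.0.1> User Logout: username=jdoe MAC=00:11:22:33:44:55 IP=10.20.30.40 role=employee
"""
SAMPLE_LINES: List[str] = SAMPLE_SYSLOG.strip().splitlines()

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# One pattern per event the agent cares about: a successful authentication
# creates a user-to-IP mapping, a logout removes it. Anything else (including
# the WARN-level "Authentication Failed" line) is deliberately not matched.
LOGIN_RE = re.compile(
    rf"User Authentication Successful: username=(?P<user>\S+) MAC=\S+ IP=(?P<ip>{IPV4})"
)
LOGOUT_RE = re.compile(rf"User Logout: username=(?P<user>\S+) MAC=\S+ IP=(?P<ip>{IPV4})")

Event = Tuple[str, str, str]  # (kind, raw_user, ip)


def parse_event(line: str) -> Optional[Event]:
    """Return ('login'|'logout', raw_user, ip) for a mapping-relevant line, else None."""
    m = LOGIN_RE.search(line)
    if m:
        return ("login", m["user"], m["ip"])
    m = LOGOUT_RE.search(line)
    if m:
        return ("logout", m["user"], m["ip"])
    return None


def normalize_user(raw: str, default_domain: str) -> str:
    """Render the username as DOMAIN\\user, the form the firewall uses for group lookups.

    A user who authenticated without a domain gets the agent's configured default
    domain prepended; DOMAIN\\user and user@domain forms are kept and normalised.
    """
    if "\\" in raw:
        domain, _, user = raw.partition("\\")
    elif "@" in raw:
        user, _, fqdn = raw.partition("@")
        domain = fqdn.split(".")[0]  # assumption: NetBIOS name is the first DNS label
    else:
        domain, user = default_domain, raw
    return f"{domain.upper()}\\{user.lower()}"


def build_user_ip_map(lines: List[str], default_domain: str = "CORP") -> Dict[str, str]:
    """Replay the log stream and return the current IP -> DOMAIN\\user table."""
    mapping: Dict[str, str] = {}
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        kind, raw_user, ip = event
        user = normalize_user(raw_user, default_domain)
        if kind == "login":
            mapping[ip] = user
        elif mapping.get(ip) == user:
            del mapping[ip]  # only drop the entry if the logout is for the mapped user
    return mapping


if __name__ == "__main__":
    for ip, user in sorted(build_user_ip_map(SAMPLE_LINES).items()):
        print(f"{ip:15} {user}")
```

Replaying the four constructed lines leaves a single mapping, 10.20.30.41 to CORP\asmith: jdoe's login is cancelled by the later logout and mallory's failed attempt never creates one. The same regex-per-event approach is what you configure in the agent's syslog parse profile; if the controller only forwards at warning level, the successful-authentication lines that feed `LOGIN_RE` never arrive, which is why a mapping stays empty while failures show up.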

Occasional Contributor I

Re: Troubleshoot PAN Integration

Hi mmartin

 

That worked (the last step was to change "Logging Levels" > "User Logs" to "notifications"; "warnings" only sends failed login logs).

 

I also managed to get our Instant APs working perfectly in the same manner, but my PAN User-ID Agent needed different syntaxes, like the attached pic.

 

Also, I eventually managed to get the Palo Alto and Aruba native integration working; I also spent hours with Aruba TAC on the line, with no outcome.

 

For someone out there this might help, but to tell you the truth, the syslog setup is EASY and you can specify the default domain in the PAN UID Agent, but on the native integration, if you don't specify your domain when authenticating to the Wi-Fi, Palo Alto won't map you to a security group.

 

Follow this guide; I have some of the steps listed below as well: http://www.arubanetworks.com/pdf/partners/SG_PaloAltoNetworks.pdf

 

  • Create an admin account on your Palo Alto.
  • Allow https (and user-id) on your Management Interface if that's what you are going to use.
  • Create a DNS record to point to your Palo Alto IP address, e.g. pan.yourdomain.com.
  • Now the trouble starts with the certificates. You should have a CA-signed certificate.
  • On your Palo Alto go to "Device" > "Setup" > "Management" > "General Settings" and create an SSL/TLS Service Profile with your CA cert.
  • Now you should be able to access your Palo Alto via the DNS name at https://pan.yourdomain.com without getting a certificate error. This is KEY! If you get a cert error, don't go any further; try and get this to work first. See the attached PAN Certs picture for how our certs look.
  • If your cert is signed by a default trusted CA like ours, "GlobalSign_Root_CA": this needs to be uploaded to your local controllers.
  • On your Palo Alto go to "Device" > "Certificates" > "Default Trusted Certificate Authorities" and export the certificate, e.g. in our case the "GlobalSign_Root_CA".
  • Import this certificate into the Aruba controller (this is why most people get the "Fatal, unknown CA" in a Wireshark capture!). I also uploaded my company's cert, the one attached in the pic, to the Aruba controller, just in case.
  • All you need now is to activate the PAN integration tick boxes and server setup as per the guide, and your PAN state will now be up.

 

Like I said, syslog is easier and WAY faster to manage/setup. 
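The two certificate failures this thread runs into (a cert issued for the firewall's hostname rejected when the server profile carries its IP, and "unknown CA" when the root is not loaded on the controller) can be reproduced and checked with openssl before touching the controller. The script below is an added example, not the poster's procedure or any Aruba or Palo Alto tool: it builds a throwaway root CA and a firewall certificate in a temp directory so it runs offline, then applies the same chain and name checks a TLS client performs. The FQDN pan.yourdomain.com, the address 192.0.2.10 and the file names are assumptions.

```shell
#!/bin/sh
# Added example: offline reproduction of the TLS checks behind the "PAN state down"
# symptom. A throwaway CA stands in for the real root (e.g. GlobalSign_Root_CA);
# pan.yourdomain.com and 192.0.2.10 are assumed names for this example.
set -e

make_test_pki() {   # $1 = work dir, $2 = firewall FQDN
    dir=$1; fqdn=$2
    mkdir -p "$dir"
    # Throwaway root CA (the one that would have to be uploaded to the controller).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" -subj "/CN=Test Root CA" >/dev/null 2>&1
    # Firewall certificate issued for the FQDN only: no IP address in the SAN.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/fw.key" -out "$dir/fw.csr" -subj "/CN=$fqdn" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/san.cnf"
    openssl x509 -req -days 1 -in "$dir/fw.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/san.cnf" -out "$dir/fw.pem" >/dev/null 2>&1
}

# Does the firewall cert chain to a CA the controller has loaded?
# $1 = CA file the controller trusts ("" = nothing loaded), $2 = firewall cert.
# A non-zero exit here is what the controller reports as the fatal "unknown CA" alert.
check_chain() {
    if [ -n "$1" ]; then
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    else
        openssl verify -no-CAfile -no-CApath "$2" >/dev/null 2>&1
    fi
}

# Does the name in the PAN server profile match the certificate?
# $1 = CA file, $2 = firewall cert, $3 = host|ip, $4 = the configured name or address.
check_name() {
    if [ "$3" = ip ]; then
        openssl verify -CAfile "$1" -verify_ip "$4" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" -verify_hostname "$4" "$2" >/dev/null 2>&1
    fi
}

demo() {
    dir=$(mktemp -d)
    make_test_pki "$dir" pan.yourdomain.com
    check_chain "$dir/ca.pem" "$dir/fw.pem" && echo "chain with root CA loaded: OK"
    check_name "$dir/ca.pem" "$dir/fw.pem" host pan.yourdomain.com && echo "profile uses hostname: OK"
    check_name "$dir/ca.pem" "$dir/fw.pem" ip 192.0.2.10 || echo "profile uses IP: name mismatch, handshake fails"
    check_chain "" "$dir/fw.pem" || echo "root CA not loaded: unknown CA, handshake fails"
    rm -rf "$dir"
}

demo
```

Against a real firewall, replace the generated files with the root exported from the firewall's trusted-CA list and the certificate fetched with `openssl s_client -connect pan.yourdomain.com:443 -showcerts`; if `check_name` with the hostname passes and `check_chain` passes with that root but fails without it, the controller needs exactly that root uploaded and the server profile pointed at the hostname rather than the IP.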

 
