Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Clearpass Palo Alto - Role not visible in PAFW

  • 1.  Clearpass Palo Alto - Role not visible in PAFW

    Posted 22 days ago
    Hi,

    I'm working on a ClearPass - Palo Alto integration where the Tips:Role is used as a dynamic address group in the Palo Alto firewall. Both the Palo Alto engineer and I have followed the latest ClearPass Palo Alto Networks Tech Note.

    The customer is using a multi-vsys setup, which should be supported since 2017 according to the following link:
    https://community.arubanetworks.com/blogs/esupport1/2017/03/23/how-to-send-userid-updates-to-a-particular-instance-of-palo-alto
     
    Up to now we have not been able to see the Tips:Role being mapped to an IP address in the PAFW. PAFW "show ip-user-mapping-all" has no entries.

    As noted, changing the URL in the Endpoint Context Server URL field stopped the authentication. So I changed the URL in the context server action instead. I tried adding &vsys=vsys3 to the default, adding &cmd={cmd}, and adding https://{server_ip} in front of the URL, pointing at both the PAFW management interface and an interface in vsys 3, with no result. None of the documents I can find specifies what IP address to use in the Endpoint Context configuration.

    Is there an option to collect the raw XML ClearPass sends? The Access Tracker output just shows the enforcement profile being sent.
    What PAFW IP address do I use in the Endpoint Context Server configuration in a multi-vsys environment?

    Could someone provide me a link to PAN api syntax documentation?

    Clearpass 6.9.3, PAN 9.1.4.

    txs, Erik


    ------------------------------
    Erik Eckhardt
    ------------------------------
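    As an added illustration, not taken from the thread or from either vendor's documentation, here is a small Python script that builds the PAN-OS User-ID XML API request an endpoint context server action is expected to produce: a `<uid-message>` register payload that maps a client IP to a tag (the ClearPass role the dynamic address group matches on) and the query string carrying `cmd`, `key` and the optional `vsys` target. The firewall IP, API key, role name and client IP are constructed sample values; the ClearPass action template syntax itself is not reproduced.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample values (not from the thread): a client IP, the
# ClearPass role that the PAFW dynamic address group matches on as a tag,
# and the firewall interface / vsys the update is meant for.
SAMPLE_CLIENT_IP = "10.20.30.40"
SAMPLE_ROLE_TAG = "Employee"
SAMPLE_FW_IP = "192.0.2.10"          # placeholder for the User-ID-enabled interface
SAMPLE_API_KEY = "PLACEHOLDER_API_KEY"
SAMPLE_VSYS = "vsys3"


def build_register_payload(ip: str, tags: List[str]) -> str:
    """Build the <uid-message> that registers IP-to-tag mappings.

    Dynamic address groups match on registered tags, so the tag text must
    equal the ClearPass role name the group was configured with.
    """
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "1.0"
    ET.SubElement(msg, "type").text = "update"
    register = ET.SubElement(ET.SubElement(msg, "payload"), "register")
    tag_el = ET.SubElement(ET.SubElement(register, "entry", ip=ip), "tag")
    for tag in tags:
        ET.SubElement(tag_el, "member").text = tag
    return ET.tostring(msg, encoding="unicode")


def build_api_url(fw_ip: str, api_key: str, cmd_xml: str,
                  vsys: Optional[str] = None) -> str:
    """Assemble the XML API request URL for a User-ID update.

    type=user-id / action=set carry the payload in the cmd parameter; the
    optional vsys parameter targets one virtual system on a multi-vsys box.
    urlencode() percent-encodes the XML so the query string stays valid.
    """
    params = {"type": "user-id", "action": "set", "key": api_key, "cmd": cmd_xml}
    if vsys:
        params["vsys"] = vsys
    return f"https://{fw_ip}/api/?{urlencode(params)}"


def parse_api_url(url: str) -> dict:
    """Decode a request URL back into its parameters, handy when comparing
    what a context server action emitted against what the API expects."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


if __name__ == "__main__":
    cmd = build_register_payload(SAMPLE_CLIENT_IP, [SAMPLE_ROLE_TAG])
    print(build_api_url(SAMPLE_FW_IP, SAMPLE_API_KEY, cmd, SAMPLE_VSYS))
```

    Tag registrations populate the firewall's registered-ip table rather than the ip-user-mapping table, so when a dynamic address group stays empty both tables are worth checking.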


  • 2.  RE: Clearpass Palo Alto - Role not visible in PAFW

    Posted 22 days ago

    The IP is the interface that has USER-ID enabled for that Zone on the PANFW.

    I'm not 100% sure of the endpoint URL in a multi-vsys environment. However, you shouldn't have to modify the URL with the IP.



    ------------------------------
    ACCX #1239 || ACEP || ACSP || CWNA || CWSP
    ------------------------------



  • 3.  RE: Clearpass Palo Alto - Role not visible in PAFW

    Posted 21 days ago

    I posted an updated version of the CPPM/PAN Guide a few weeks back...

     

    Find it here and the announcement of it here

     

    Best,

    -d

     

    DANNY JUMP,  PRODUCT MANAGER – CLEARPASS

    Aruba, a Hewlett Packard Enterprise company

    T: 650.236.9657  |  E: DJUMP@HPE.COM  | AIRHEADS @DANNYJUMP

    3333 SCOTT BLVD | SANTA CLARA, CA, USA, 95054

    FOLLOW US Twitter | LinkedIn

    VISIT AIRHEADS SOCIAL http://community.arubanetworks.com/






  • 4.  RE: Clearpass Palo Alto - Role not visible in PAFW

    Posted 21 days ago

    Is "a few weeks back" a guesstimate? The doc you linked to is dated June.

    The announcement says the doc was updated in October. Were the doc dates not updated as well?

    Just looking for clarification, Danny.



    ------------------------------
    ACCX #1239 || ACEP || ACSP || CWNA || CWSP
    ------------------------------



  • 5.  RE: Clearpass Palo Alto - Role not visible in PAFW

    Posted 21 days ago
    Correct, I completed and updated the doc in June and posted it on October 1st, as shown in the announcement. I release blocks of things quarterly, hence the title of the announcement, 'Quarterly Updates'. Normally it would have made the previous quarter, but the review process with PAN took longer than expected, so it didn't make the previous quarter.


    ------------------------------
    Danny Jump - Product Manager
    ClearPass Policy Manager
    ------------------------------



  • 6.  RE: Clearpass Palo Alto - Role not visible in PAFW

    Posted 21 days ago
    To confirm, that's the version used to build the implementation, revision June 2020. The vsys add-on information came from the esupport post.

    rgds, Erik

    ------------------------------
    Erik Eckhardt
    ------------------------------



  • 7.  RE: Clearpass Palo Alto - Role not visible in PAFW

    Posted 17 days ago
    Fixed. https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=19317

    ArubaOS-S does not add the IP address of the client into RADIUS accounting even with interim accounting enabled. You have to enable DHCP snooping to get this done.

    Rgds, Erik


    ------------------------------
    Erik Eckhardt
    ------------------------------



  • 8.  RE: Clearpass Palo Alto - Role not visible in PAFW

    Posted 16 days ago

    Correction: partly fixed.

    If you use Per User Tunneled Node, the WLC does not add the Framed-IP-Address in RADIUS accounting. For a wireless client it does. The Aruba WLC does not support DHCP snooping.

    I tried enabling "Use IP address for calling station ID", but this didn't resolve the issue. What other configuration options in the WLC do I have?

    thanks,

    Erik



    ------------------------------
    Erik Eckhardt
    ------------------------------