Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass is not able to map the field "Authentication: Username" with the user received from Palo Alto

  • 1.  Clearpass is not able to map the field "Authentication: Username" with the user received from Palo Alto

    Posted Apr 08, 2021 09:55 AM
    Good morning,

    I have a problem with Palo Alto > Clearpass integration for incident response.

    Basically what I need is to move a user to quarantine when they receive a Palo Alto event type called "vulnerability" (Event: PANW-Threat: panw_subtype = vulnerability).

    Every RADIUS configuration with a Cisco switch is OK, and the posture works correctly on machines with an OnGuard agent installed.

    In Palo Alto we configured Clearpass as an external Syslog, the attributes were mapped using the list "PANW.txt" attached.

    Clearpass already receives Syslog events; in the test, when a user tries to access a website classified as medium risk (Eicar), Palo Alto sends the information to Clearpass.

    The problem is that Clearpass is not able to map the field "Authentication: Username" with the user received from Palo Alto through the attribute "Event: PANW-Threat: panw_srcuser = domain \ user".

    As I do not have the user information (Authentication: Username), it is not possible to link the active RADIUS user and change the profile to quarantine.

    As highlighted in green in the image below, other fields are mapped normally.

    Has anyone experienced this problem? Any idea?


    Thanks!




    ------------------------------
    D�niel Cabral
    ------------------------------

    Attachment(s)

    txt
    PANW.txt   895 B 1 version


  • 2.  RE: Clearpass is not able to map the field "Authentication: Username" with the user received from Palo Alto

    EMPLOYEE
    Posted Apr 08, 2021 10:31 AM
    If my understanding is correct, the mapping of events to a session happens on the client IP address, not on the username. If the IP in the event matches the IP in accounting/access tracker, it should work.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------
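
The IP-based matching described in the reply above, sketched as an added example (not part of the thread and not ClearPass code): it looks up a threat event's source address against the Framed-IP-Address of active accounting sessions and reports why a lookup fails. The `src_ip` key, the session records and the sample events are constructed assumptions; `panw_subtype` and `panw_srcuser` are the names used in the question.

```python
import ipaddress

# Constructed sample: active sessions as RADIUS accounting would report them.
SESSIONS = [
    {"username": "jdoe", "framed_ip": "10.1.20.15"},
    {"username": "asmith", "framed_ip": "10.1.20.16"},
    {"username": "printer01", "framed_ip": None},  # accounting never reported an IP
]

def bare_user(srcuser):
    """Reduce 'domain\\user' to 'user' for comparison."""
    return srcuser.rsplit("\\", 1)[-1].strip().lower()

def correlate(event, sessions):
    """Return (session or None, diagnostic) for one threat event."""
    if event.get("panw_subtype") != "vulnerability":
        return None, "ignored: subtype is not vulnerability"
    try:
        # src_ip is a hypothetical key for the event's source address
        ip = ipaddress.ip_address(event.get("src_ip") or "")
    except ValueError:
        return None, "event carries no usable source IP"
    # Index only sessions for which accounting supplied a Framed-IP-Address
    by_ip = {ipaddress.ip_address(s["framed_ip"]): s
             for s in sessions if s.get("framed_ip")}
    session = by_ip.get(ip)
    if session is None:
        return None, f"no accounting session with Framed-IP-Address {ip}"
    note = "matched on IP"
    if bare_user(event.get("panw_srcuser", "")) != session["username"].lower():
        note += "; username differs from session (informational only)"
    return session, note

if __name__ == "__main__":
    # Constructed events; the first mirrors the question's 'domain \ user' value.
    events = [
        {"panw_subtype": "vulnerability", "panw_srcuser": "corp \\ jdoe",
         "src_ip": "10.1.20.15"},
        {"panw_subtype": "vulnerability", "panw_srcuser": "corp\\jdoe",
         "src_ip": "10.1.20.99"},  # address unknown to accounting
    ]
    for e in events:
        print(correlate(e, SESSIONS))
```
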