Security

last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

Anyone using ClearPass to PaloAlto ID mapping for wired clients?

This thread has been viewed 3 times

  • 1.  Anyone using ClearPass to PaloAlto ID mapping for wired clients?

    Posted Jan 12, 2015 10:03 AM

    We have ClearPass 6.4 and a PaloAlto firewall running their v6 OS.  We set up the integration with PaloAlto which gives us a post-authentication trigger to use in policies so that the PaloAlto will receive user ID to IP address mappings.  We have used this trigger for wireless client policies, and the PaloAlto receives mapping information for them successfully.

     

    We also use ClearPass to perform 802.1X and MAB authentication for wired Cisco switches, so we have two services to handle these requests. We have the PaloAlto post-authentication trigger invoked for these, but it looks like ClearPass does not know or have the IP address of the client that is being authenticated by the Cisco switch. In the ClearPass postauthctrl.log, we see entries such as:

     

    2015-01-06 10:36:20,049 DEBUG root pactrlmonitprofile Sending UID mapping to Palo Alto device
    2015-01-06 10:36:20,049 WARNING root pactrlmonitprofile Not sending userid object for padevice=10.X.X.X as the data or auth_token is empty

     

    However, there are a scant few entries where there is client data shown in XML and a "success" response coming back from the PaloAlto call, so it doesn't look like it is without info for each and every wired client:

     

    2015-01-10 12:03:37,447 DEBUG root pactrlmonitprofile Sending UID mapping to Palo Alto device
    2015-01-10 12:03:37,447 DEBUG root pactrlmonitprofile Sending userid object for padevice=10.20.70.195
    2015-01-10 12:03:37,764 DEBUG root pactrlmonitprofile Read response={<response status="success"><result><uid-response>...

     

    Anyone out there using ClearPass this way?  If so, what does the device setup look like for your Cisco switches in ClearPass?  Thanks!

     

     



  • 2.  RE: Anyone using ClearPass to PaloAlto ID mapping for wired clients?

    EMPLOYEE
    Posted Jan 12, 2015 10:06 AM
    Do you get the error for both 802.1X and MAC-auth or just MAC-auth?


  • 3.  RE: Anyone using ClearPass to PaloAlto ID mapping for wired clients?

    Posted Jan 15, 2015 02:01 PM
      |   view attached

    So we did some deeper investigation in our lab.  Looks like 802.1X wired logins are the ones that fail to update the PA.  We see MAC auth ones succeed, but we may have the user mapping timeout on the PA set shorter than how often a device has to reauth, so we sometimes see a mapping in the PA but it is eventually removed, likely because of the timeout value in the PA for ID associations (if that makes sense).

     

    I have attached a snippet of ClearPass logs for an 802.1X authentication that fails to update against the PA.  Thanks much!

     

    Attachment(s)

    txt
    8021x.txt   9 KB 1 version


  • 4.  RE: Anyone using ClearPass to PaloAlto ID mapping for wired clients?

    Posted Nov 20, 2015 11:20 AM

     

    I am implementing clearpass and palo alto userid integration and encounter the same problem on mac auth devices. Looks like clearpass is not sending any userid to palo alto. Is this due to the fact that in mac auth username is mac address. 

     

    Need help. 



  • 5.  RE: Anyone using ClearPass to PaloAlto ID mapping for wired clients?

    Posted Nov 20, 2015 11:29 AM

    I documented in the below guide how to deal with this issue... look in the section starting on Page18.

     

    PANW and CPPM Advanced Deployment use-case TechNote (V2-July 2014).pdf

     

    HTH