Controllerless Networks


Instant and Palo Alto Captive Portal

  • 1.  Instant and Palo Alto Captive Portal

    Posted Jan 24, 2017 08:46 PM

    G'day everyone,

    I'm having a few issues with a wireless deployment. Basically, I have a Palo Alto firewall and Aruba IAP-215s, and I've configured multiple SSIDs. One of the SSIDs uses 802.1X authentication for staff to access using their domain credentials.

    Every user that authenticates with 802.1X on that SSID is then further presented with the Palo Alto captive portal page to sign in again with their user credentials.

    Now, I've been reading a bit about the Network Integration capability with PAN-OS and the ability to pass user-id to the firewall. The documentation is a bit vague on whether this will resolve my issue, as I simply want users to be able to authenticate once and have the credentials passed to the PAN, thereby preventing them from having to authenticate a second time.

    Can anyone please lend some assistance or provide some documentation if this is possible?



  • 2.  RE: Instant and Palo Alto Captive Portal

    EMPLOYEE
    Posted Jan 24, 2017 09:41 PM

    Have you already seen this documentation?  http://www.arubanetworks.com/techdocs/ArubaOS_65x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/PAN Firewall Integration/PAN Firewall Integration.htm%3FTocPath%3DArubaOS%2520User%2520Guide%2520Topics%7CPAN%2520Firewall%2520Integration%7C_____0

     

    http://www.arubanetworks.com/pdf/partners/SG_PaloAltoNetworks.pdf



  • 3.  RE: Instant and Palo Alto Captive Portal

    Posted Jan 24, 2017 11:31 PM

    Hey Colin,

    Thanks for your reply. This gives a lot of good info: http://www.arubanetworks.com/pdf/partners/SG_PaloAltoNetworks.pdf

    Thanks for that.

    I've now got it configured; however, I'm seeing some errors in the logs.

    Errors below:


    Jan 25 13:49:18  awc[3596]: awc_init_connection: 2129: connecting to xxx.xxx.xxx.xxx:443
    Jan 25 13:49:18 awc[3596]: tcp_connect: 167: recv timeout set to 5
    Jan 25 13:49:18 awc[3596]: tcp_connect: 174: send timeout set to 5
    Jan 25 13:49:18 awc[3596]: awc_init_connection: 2170: connected to xxx.xxx.xxx.xxx:443
    Jan 25 13:49:18 awc[3596]: awc_init_connection: 2306: Connected
    Jan 25 13:49:18 awc[3596]: Message over SSL from xxx.xxx.xxx.xxx, SSL_read() returned 640, errstr=Success, Message is "HTTP/1.1 200 OK^M Server: ^M Date: Wed, 25 Jan 2017 04:19:18 GMT^M Content-Type: application/xml; charset=UTF-8^M Content-Length: 123^M Connection: close^M ETag: "2474e-12b-57054661"^M Pragma: no-cache^M Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0^M Access-Control-Allow-Origin: ^M Expires: Thu, 19 Nov 1981 08:52:00 GMT^M X-FRAME-OPTIONS: SAMEORIGIN^M Status : 403 Type [user-id] not authorized for user role.^M Set-Cookie: PHPSESSID=5093a2c15d0f83e31efce9560ac932e9; path=/; secure; HttpOnly^M ^M <response status = 'error' code = '403'><result><msg>Type [user-id] not authorized for user role.</msg></result></response>", AWC response: (null)
    Jan 25 13:49:18 awc[3596]: Message over SSL from xxx.xxx.xxx.xxx, SSL_read() returned 0, errstr=Success, Message is "", AWC response: HTTP/1.1 200 OK^M Server: ^M Date: Wed, 25 Jan 2017 04:19:18 GMT^M Content-Type: application/xml; charset=UTF-8^M Content-Length: 123^M Connection: close^M ETag: "2474e-12b-57054661"^M Pragma: no-cache^M Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0^M Access-Control-Allow-Origin: ^M Expires: Thu, 19 Nov 1981 08:52:00 GMT^M X-FRAME-OPTIONS: SAME ORIGIN^M Status: 403 Type [user-id] not authorized for user role.^M Set-Cookie: PHPSESSID=5093a2c15d0f83e31efce9560ac932e9; path=/; secure; HttpOnly^M ^M <response status = 'error' code = '403'><result><msg>Type [user-id] not authorized for user role.</msg></result></response>
    Jan 25 13:49:18 awc[3596]: parse_awc_header: 864: ssl_read from xxx.xxx.xxx.xxx failure 0 error_count 1
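
Added example, not part of the original posts and not Aruba or Palo Alto code: in the log above the firewall answers with HTTP 200 while the XML body carries status 'error' and code '403', so a check on the HTTP status line alone would miss the rejected user-id update. The sketch below pulls the API-level result out of such awc lines; the sample log, the 192.0.2.10 address, the 'success' reply and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the awc lines in the post (address is a placeholder).
SAMPLE_LOG = '''\
Jan 25 13:49:18 awc[3596]: awc_init_connection: 2306: Connected
Jan 25 13:49:18 awc[3596]: Message over SSL from 192.0.2.10, SSL_read() returned 640, errstr=Success, Message is "HTTP/1.1 200 OK^M Content-Type: application/xml; charset=UTF-8^M ^M <response status = 'error' code = '403'><result><msg>Type [user-id] not authorized for user role.</msg></result></response>", AWC response: (null)
Jan 25 13:50:02 awc[3596]: Message over SSL from 192.0.2.10, SSL_read() returned 210, errstr=Success, Message is "HTTP/1.1 200 OK^M Content-Type: application/xml; charset=UTF-8^M ^M <response status = 'success'><result></result></response>", AWC response: (null)
'''

# HTTP status line as logged right after 'Message is "'.
HTTP_STATUS = re.compile(r'Message is "HTTP/\d\.\d (\d{3})')
# Only the <response> element is captured, so no DOCTYPE ever reaches the XML parser.
API_BODY = re.compile(r"<response\b.*?</response>", re.S)

def parse_awc_line(line):
    """Return a dict for lines carrying a firewall API reply, else None."""
    http = HTTP_STATUS.search(line)
    body = API_BODY.search(line)
    if not (http and body):
        return None
    result = {"http": int(http.group(1)), "api_status": "unparseable",
              "code": None, "msg": None}
    try:
        root = ET.fromstring(body.group(0))
    except ET.ParseError:
        return result  # truncated or mangled body: report it rather than drop it
    result["api_status"] = root.get("status")
    result["code"] = root.get("code")
    result["msg"] = (root.findtext(".//msg") or "").strip() or None
    return result

def failed_updates(log_text):
    """Replies the firewall rejected, even when the HTTP status line says 200."""
    parsed = (parse_awc_line(line) for line in log_text.splitlines())
    return [r for r in parsed if r and r["api_status"] != "success"]

if __name__ == "__main__":
    for r in failed_updates(SAMPLE_LOG):
        print(f"HTTP {r['http']} but API status={r['api_status']} "
              f"code={r['code']}: {r['msg']}")
```
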