Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

  • 1.  Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted Feb 14, 2014 01:04 AM

    This how-to configures RADIUS authentication on a Palo Alto device running PANOS 5.x / 6.0 and integrates it with Clearpass. The Palo Alto device will be configured to receive a RADIUS VSA from Clearpass and provide super-user access for a specific AD user.

    As before, I have a lab running Clearpass 6.2.x. I have a Windows 2012 server with defined users and groups and I've built the necessary role mappings under Configuration > Identity > Role Mappings in Clearpass. I've also created Clearpass / Tips roles that are mapped to my Windows 2012 groups.

    Clearpass:

    Enable the Palo Alto Dictionary in Clearpass:

    1. Administration > Dictionaries > RADIUS
    2. Filter > Vendor Name > Contains > "Palo"
    3. Click on "PaloAlto" and then click "Enable"

    Add the Device to Clearpass:

    1. Configuration > Network > Devices
    2. Select "Add Devices"
       i. Name = <Name you'd like>
       ii. RADIUS Shared Secret = <Your shared secret>
       iii. Vendor Name = PaloAlto
    3. Select "Save"

    I use device groups for everything in Clearpass. This step can be optional; it's just my personal preference.

    1. Configuration > Network > Device groups
    2. Select "Add Device Group"
    3. Fill in the "Name" field. I'll be using "Palo Altos" in this example
    4. Select "List" under "Format"
    5. Under the "List", move the Palo Alto Device from the "Available Devices" to "Selected Devices"
    6. Click "Save"

    Create a Palo Alto Enforcement Profile:

    1. Configuration > Enforcement > Profiles
    2. Click "Add Enforcement Profile"
    3. Select "RADIUS based enforcement" as the Template
    4. Provide a name, "Palo Alto RADIUS Admin"
    5. Make sure that "Accept" is set under "Action"
    6. Under Attributes:
       i. Type - "Radius: PaloAlto"
       ii. Name - "PaloAlto-Admin-Role (1)",
       iii. Value - "superuser"
    7. Finally, click "Save"

    Create a Palo Alto Enforcement Policy:

    1. Configuration > Enforcement > Policies
    2. Click "Add Enforcement Policy"
    3. Under "Enforcement", provide a name, "Palo Alto Login Enforcement Policy"
    4. Verify that RADIUS is the "Enforcement Type"
    5. Select "[Deny Access Profile]" for the "Default Profile"
    6. Select "Rules" and click "Add Rule"
    7. Mine looks like this:
       i. Type - Tips
       ii. Name - Role
       iii. Operator - EQUALS
       iv. Value - PaloAlto-Admins
    8. Enforcement Profiles > "Profile Names" > "[RADIUS] Palo Alto RADIUS Admin"
    9. Click "Save"

    Create a Palo Alto Login Service:

    1. Configuration > Services
    2. Click "Add Service"
    3. Select "Type" of "RADIUS Enforcement (Generic)"
    4. Provide a name for the service, "Palo Alto Firewall Logins"
    5. Under "Service Rule" enter the following:
       i. Type - Connection
       ii. Name - "NAD-IP-Address"
       iii. Operator - "BELONGS_TO_GROUP"
       iv. Value - "Palo Altos"
    6. Under Authentication:
       i. Authentication Methods - PAP
       ii. Authentication Sources - <your AD>
    7. Under Roles select the "Role Mapping Policy" for your domain. Here's what mine looks like by clicking "Modify."
       i. Type - Authorization:Windows-2012
       ii. Name - memberOf
       iii. Operator - EQUALS
       iv. Value - CN=PaloAlto-Admins,CN=Users,DC=top,DC=local
       v. Actions > "Role Name" > "PaloAlto-Admins"
    8. Under "Enforcement" > "Enforcement Policy" select the enforcement policy that we created > "Palo Alto Login Enforcement Policy"
    9. Click "Save"

    Configuration of the Palo Alto Device:

    The steps below will be done through the GUI.

    1. Go to Device > Server Profiles > RADIUS > "+ Add"
       i. Name = Clearpass

       Click "+ Add" in this menu:
       i. Name = FQDN of the Clearpass server
       ii. IP Address = <Clearpass IP address>
       iii. Secret = Shared secret for the Palo Alto device in Clearpass
       iv. Port = 1812

       Click "Ok" in this menu

    2. Go to Device > Authentication Profile > "+ Add"
       i. Name = PAN-Clearpass
       ii. Authentication = RADIUS
       iii. Server Profile = "Clearpass" (From step 1)

    3. Go to Device > Authentication Sequence > "+ Add"
       i. Name = PAN-Auth-Sequence
       ii. Click "+ Add"
       iii. Select "PAN-Clearpass" (From step 2)

    EDIT - 04/22/2014 - I had to take this additional setup step on a Palo Alto device that had multiple Authentication profiles and RADIUS servers. It should be included as part of the steps to guarantee RADIUS authentication on a Palo Alto device.

    4. Go to Device > Setup > Management Settings > Authentication Settings
       i. Click the Widget button in the corner
       ii. Select "PAN-Clearpass" under "Authentication Profile"
       iii. Save this configuration

    You should now be able to log into the GUI and the CLI on a Palo Alto device with Clearpass. You can verify this on the CLI by typing:

    show admins

    Also, the AD account will show up before the "@" symbol on a successful CLI connection:

    mcourtney@PA-200>

    This will show up in the GUI under:

    Dashboard > Logged In Admins

    You can verify that things are working by logging into a Palo Alto device and viewing the results in Access Tracker found under Monitoring > Live Monitoring.

    Let me know what you think and if it works out.

    -Mike
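
    Added illustration of the exchange the enforcement profile above produces (this is example code, not part of Mike's post and not ClearPass or PAN-OS code): ClearPass answers the firewall's Access-Request with an Access-Accept carrying the PaloAlto-Admin-Role VSA set to "superuser", and the firewall must check the Response Authenticator against the shared secret before it trusts that role. The vendor ID 25461 is Palo Alto Networks' enterprise number; the shared secret and Request Authenticator are constructed sample values.

```python
import hashlib
import struct

# RADIUS constants (RFC 2865) and the Palo Alto VSA identifiers named on this page.
ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
PALOALTO_VENDOR_ID = 25461   # Palo Alto Networks enterprise number used in the VSA
PALOALTO_ADMIN_ROLE = 1      # "PaloAlto-Admin-Role (1)" in the ClearPass dictionary

# Constructed sample values; a real NAS takes both from its own Access-Request.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))

def paloalto_vsa(vendor_type, value):
    """Encode one Palo Alto VSA as RADIUS attribute 26 (RFC 2865 section 5.26)."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", PALOALTO_VENDOR_ID) + inner
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body

def build_access_accept(identifier, request_auth, secret, attrs):
    """Server side: Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def admin_role_from_accept(packet, request_auth, secret):
    """NAS side: reject the reply unless its Response Authenticator matches the
    shared secret and the original Request Authenticator, then return the
    PaloAlto-Admin-Role string, or None when the Accept carries no such VSA."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if expected != packet[4:20]:
        raise ValueError("Response Authenticator mismatch (shared secret wrong?)")
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed attribute")
        if atype == ATTR_VENDOR_SPECIFIC and alen >= 8:
            vendor_id = struct.unpack("!I", attrs[pos + 2:pos + 6])[0]
            vtype, vlen = attrs[pos + 6], attrs[pos + 7]
            if vendor_id == PALOALTO_VENDOR_ID and vtype == PALOALTO_ADMIN_ROLE:
                return attrs[pos + 8:pos + 6 + vlen].decode("ascii")
        pos += alen
    return None
```

    A mismatched shared secret on either side (the symptom discussed later in this thread) fails the authenticator check, so the role is never applied.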



  • 2.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 14, 2014 03:37 PM

    I have a question about the CPPM to PAN authentication. When you add the PAN IP address, are you using the Management IP or the IP of the Trusted Ethernet port? Since the management port is used to offload some actual work. I tried the Trusted Ethernet port first and it is not working. I switched it to the IP for the management port. I am still not able to get the devices to talk. I could really use some help. Got a ticket open with TAC and we are getting nowhere fast.



  • 3.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 14, 2014 04:05 PM

    Hi Memphis,

    I've set this up against the management port on a Palo. The configurations that I'm most familiar with are with the Palo in v-wire mode, so I haven't tried to authenticate against other IPs on the box. What version of PAN are you running? My lab box is currently running 6.0.2, the newest release. Last weekend I ran through the Clearpass / Palo Tech Note on this version and it all worked as expected.

    The first thing I would do is to SSH into the PAN device and see if you can ping the Clearpass box. This should establish some level of connectivity. Next, I would do the same thing from the CLI in Clearpass. On the CLI, it should be something like the following:

    network ping <your PAN mgmt>

    Have you tried to use the monitor tab in the PAN UI to see if traffic is coming in from Clearpass?

    -Mike



  • 4.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 14, 2014 04:10 PM

    Memphis,

    Please take a look at my CPPM+PANW TechNote to see if this assists you through the integration process.

    Find it here... then fire me any questions... danny@arubanetworks.com.

    http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961




  • 5.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 14, 2014 04:46 PM

    Thanks, but I started with this doc a few months ago and continued as the software versions advanced. I tried the process with Support and have an open ticket. They have been remoted into my machine and downloaded logs and still can't figure out why the 2 devices are not talking.

    CPPM Version 6.3.2.63239

    Palo Alto 500 Version 3.06



  • 6.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 14, 2014 05:42 PM

    Memphis,

    I just wanted to check, you're running version 3.06? If so, is there any way you can update that box?

    -Mike



  • 7.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 14, 2014 08:12 PM
    You need a minimum of PANOS 5.x


    Please excuse my errors as sent using my small useless keyboard on my smartphone.

    Regards
    --d

    Danny Jump | Technical Marketing Engineer - Networking Services | Aruba Networks
    o: 408-513-8938 (diverts to cell)
    e: danny@arubanetworks.com


  • 8.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 15, 2014 09:52 AM

    Sorry, the version was entered wrong. I have the latest, 6.0.1.




  • 9.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 15, 2014 10:33 AM

    Hi Memphis,

    Are you seeing anything in Event Viewer? There could be an authentication issue between the two devices that may show up in there.

    -Mike



  • 10.  RE: Howto: Authenticate a Palo Alto firewall via Clearpass and RADIUS

    Posted May 15, 2014 12:07 PM

    The only traffic I am seeing in the PA Monitor is the traffic between the CPPM and Aruba Networks for the updates.