I’ve completed a fairly large re-write of the ClearPass 6.5 and Palo Alto Networks integration Guide. There is a large amount of new content and specifically covers 6.5 enforcement changes (Session Notification now NOT Session restriction), updates to TAGS/DAO’s, Updates to the real-time post-auth framework and a section on Posture/Health Integration.
You can find the document on the support site here..... https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=17560
Happy reading – go fill your boots..!!….. comments and feedback/suggestions graciously accepted.
Thank you for this guide, it was very straightforward in getting everything set up. I did run across a pain point that took me quite some time to figure out. It may seem silly, but the controllers need to be configured to use ClearPass as their RADIUS accounting server, not just for authentication.
I have a fairly complex environment, which means there are approximately ~70 enforcement policy rules which could be applied (on just the wireless side.) Rather than add the enforcement profiles to each policy rule, is there an easier way I could apply this universally? Ideally we'd like every device that touches clearpass to end up in the Palo's purview.
As of today, it has to be applied to each enforcement rule.
There is an open feature request to have enforcement policy global enforcement profiles that apply to every rule.
I'm trying to integrate my CPPM v6.5 with a PA-3020 v7.0.1
I followed all the steps in the guide ClearPass and PANW Integration TechNote (V5 May 2015) but I can't see any logged-in user on the PA with the command show user ip-user-mapping all
I have a service with 802.1X wired with an enforcement policy that does two things, a change of VLAN and PAN-update-node. The authentication is with an Active Directory. The change of VLAN is working, and in Access Tracker I can see both enforcement profiles.... but no data is in the firewall
What is the switch that the users are connected to? Do you have RADIUS accounting and interim accounting turned on?
Finally, the problem was the Palo Alto version 7.0.1. This version has a bug with the XML API which is resolved in 7.0.2. I updated my firewall and now it is working
Thanks to all participants, I hope this can help you
Is this V5 still gospel and the latest?
Yes - I've not updated the CPPM/PANW TechNote past the published V5.
I'm attempting to get this integration working with CPPM 220.127.116.11974 and PanOS 7.1.4h2.
I have gone through your guide however I'm still not seeing anything in the postauthctrl.log to indicate that it is trying to send data. I'm not sure what information anyone would need to help me track down the disconnect, please let me know.
A basic Q for U. Within Access Tracker do your sessions show an Accounting TAB, i.e. the devices have an IP address?
Yes, I am seeing an Accounting tab. I have also matched up my session to verify that the IP is under the 'Framed IP Address' field.
Thanks for confirming that. So, next Q: within AT for an authN session, do you see on the OUTPUT TAB a session-notify for your PANW, something like the below?
I do not see that in the Output. When I attempted to create the 'Trigger' from the document I do not see 'IP-Address-Change-Notification' as an option in enforcement profiles 'Session Restrictions Enforcement' template.
R U using the latest version of the technote?
ClearPass 6.X and PANW Integration V5
Page 19 is where you need to be to get this sorted, I think.
Thank you. I am using the latest version of the document, I just don't have the IP-Address-Change-Notification as a drop down item for the step on page 20.
Cool - hopefully, you're on the right track now and will be sorted soon :)
Jump back on this thread if you have an issue going forward.
Any idea how to get 'IP-Address-Change-Notification' as an option to choose from?
you don't use that in 6.5 and later, use what's detailed in the technote.....
I am trying to integrate ClearPass with Palo Alto using the XML API, all was going well however I struck a problem
In ClearPass I have two types of users that are authenticating: domain-joined machines (which authenticate using "computer authentication") and I also have BYOD users that authenticate using user-based AD authentication.
So when a BYOD user authenticates with his AD credentials against ClearPass and this is passed through to Palo Alto all is good. I have an XML API mapping of user and IP.
However when a user authenticates against ClearPass as a domain machine, I now have an XML API mapping of IP and computer name, and considering my Palo Alto policies are user-based policies the user can't get internet.
I do have UIA in play which works well for domain machines, but I have the problem that when both are in play sometimes the XML API mapping from ClearPass overrides the UIA mapping.
Hope that makes sense
My thought was to set an ignore list as all computers that get authenticated via the XML API appear as domain\computername$
show user ip-user-mapping all | match $
it returns 1026 results, so using set vsys vsys1 user-id-collector ignore-user domain\*$ ?
however this brings all users back; it will ignore 1026
and that's where I am stuck.
We are running two PA firewalls in HA. Do we need to send CPPM updates to both firewalls, or will this be exchanged between the two HA partners?
I have CPPM 6.5
2050 @ pan6.1xx
3020 @ pan7.1.5
I am trying to utilize tags and dynamic address groups to filter on the basic profile fingerprint attributes I see without using GlobalProtect and hip.
I am just using my CPPM for guest network access and nothing else so I just need to determine if the user authenticated through the CPPM and nothing more to apply PAN filtering. I actually use another device from Intelligo to manage my secure network using a PAN syslog listener
My cppm is successfully passing domain\username to my two PANs and is being mapped correctly but when I further inspect my ip-user-mapping for a XMLAPI connection I only see the domain\username (email address) the guest user logged in as.
Under groups this user belongs to, it is empty. There is no additional profile info.
I've created my device name tags and my address groups on the PANs and have tried using '_' for spaces and without in the PAN Tag name field.
I've followed the directions for 6.5 using pdf v5. Everything looks right.
The fact I'm getting the same results on each of my PANs leads me to believe there is a missing step somewhere.
On CPPM 6.6.x, is HIP endpoint data supposed to be sent even when GlobalProtect Enabled is unchecked on the Endpoint Context Server PANW configuration? If yes, is there a way to stop this behavior? I have it unchecked and am getting HIP updates which are maxing out PANW DAO limits.
Danny thanks for the great guide, it has a lot of information. I've got it setup to the point that on CPPM I'm seeing in my output the updates being listed for each of my firewalls
I also have the same question as above about the HA firewalls, for now I've decided to send to both units in case the HA pair isn't syncing information given from the XML API
(I had a couple other problems and as of writing this update I realized my problem was my predecessor had put an ACL on the interface [on top of the security policies for the zone] and this was keeping my https connections from getting past 264 bytes, hopefully if anyone else goes through the setup and hits the same wall this might help them)
Trying to download the aforementioned Integration guide
But its metainformation is showing up on the documentation page as "Deleted Yes"
And can't download or email it
Is this still available ?
Many thanks, Jon
Much many thanks
I've just this week replaced V5 with a V6 update. Let me know how my new guide goes for you and any feedback you have, good or bad :)
Happy Reading :)
I had issues getting to the original link:
The following URL is to the same document:
However, it appears to be marked as deleted.
Hope that helps anyone who had the same issues that I did.
I followed this guide around a year ago and successfully had everything working well.
However a short while ago I upgraded both the PA 3060 firewall to 7.1.14
and my cluster of CPPM to 18.104.22.168814 and now for whatever reason the exchange of XML API data between CPPM and Palo is not adding the domain prefix to the user, which causes Palo Alto to not recognise the user.
I have looked more than a few times at the username Transformation box and selected/deselected Prefix NETBIOS name
tried use Full username
however still CPPM is only passing the name without a prefix .
Any suggestions please.
Many thanks in advance.
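Two posts in this thread are really about inspecting the same data: the earlier one wanted to build an ignore list from the machine accounts (names ending in $) that the XML API pushes, and this one is chasing user entries that arrive without a domain prefix. Below is an added example, not from the thread, the TechNote, or either vendor, that parses the IP-user-mapping table and separates those two cases so you can see exactly which entries need attention before touching ignore-user or the username transformation settings. The sample table is constructed and only approximates the column layout of show user ip-user-mapping all; the column names and the XMLAPI/UIA source labels are assumptions. One caveat worth checking if your own match $ also returns every line: if the match filter treats its argument as a regular expression, an unescaped $ matches the end of every line rather than a literal dollar sign, which would explain a count equal to the total number of mappings.

```python
import re
from collections import Counter

# Constructed sample approximating the table printed by
# "show user ip-user-mapping all" (column layout is an assumption).
SAMPLE_OUTPUT = """\
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.1.20.11      vsys1  XMLAPI  corp\\jsmith                      2700           2700
10.1.20.12      vsys1  XMLAPI  corp\\laptop-0042$                2700           2700
10.1.20.13      vsys1  UIA     corp\\mjones                      1500           2700
10.1.20.14      vsys1  XMLAPI  afoster                           2700           2700
10.1.20.15      vsys1  XMLAPI  corp\\desk-pc-17$                 2700           2700
Total: 5 users
"""

# A data row starts with an IPv4 address; header, separator and total lines do not.
ROW_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<vsys>\S+)\s+(?P<source>\S+)\s+(?P<user>\S+)"
)


def parse_mappings(text):
    """Return one dict per IP-to-user row; non-row lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def classify(rows):
    """Split rows into machine accounts, users lacking a domain prefix, and normal users.

    A trailing '$' is the Active Directory convention for a computer account;
    a missing backslash means no NETBIOS domain was prepended to the name.
    """
    machine, no_prefix, ok = [], [], []
    for row in rows:
        user = row["user"]
        if user.endswith("$"):
            machine.append(row)
        elif "\\" not in user:
            no_prefix.append(row)
        else:
            ok.append(row)
    return machine, no_prefix, ok


def candidate_ignore_list(rows):
    """Sorted, de-duplicated machine-account names: the literal entries an ignore list would need."""
    machine, _, _ = classify(rows)
    return sorted({row["user"] for row in machine})


def summary(rows):
    """Counts per category and per mapping source, to sanity-check against the total the firewall reports."""
    machine, no_prefix, ok = classify(rows)
    return {
        "total": len(rows),
        "machine_accounts": len(machine),
        "missing_domain_prefix": len(no_prefix),
        "user_accounts": len(ok),
        "by_source": dict(Counter(row["source"] for row in rows)),
    }


if __name__ == "__main__":
    rows = parse_mappings(SAMPLE_OUTPUT)
    print("machine accounts to consider ignoring:", candidate_ignore_list(rows))
    print("entries with no domain prefix:", [r["ip"] + " " + r["user"] for r in classify(rows)[1]])
    print(summary(rows))
```

Paste the real CLI output in place of the constructed sample; if the missing-prefix list is non-empty and every entry comes from XMLAPI, the problem is on the ClearPass side (username transformation), whereas machine accounts in the list tell you which literal names an ignore list would have to cover.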