Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Clearpass Palo Alto - Role not visible in PAFW

  • 1.  Clearpass Palo Alto - Role not visible in PAFW

    Posted Nov 06, 2020 06:35 AM
    Hi,

    I'm working on a ClearPass - Palo Alto integration where the tips:role is used as a dynamic address group in the Palo Alto firewall. Both the Palo Alto engineer and I have followed the latest ClearPass Palo Alto Networks Tech Note.

    The customer is using a multi-vsys setup, which should have been supported since 2017 according to the following link:
    https://community.arubanetworks.com/blogs/esupport1/2017/03/23/how-to-send-userid-updates-to-a-particular-instance-of-palo-alto

    So far we have not been able to see the Tips:Role being mapped to an IP address in the PAFW. PAFW show ip-user-mapping-all has no entries.

    As seen in my notes, changing the URL in the Endpoint Context Server URL field stopped the authentication. So I changed the URL in the context server action:
    I tried the default, adding &vsys=vsys3, adding &cmd={cmd} and adding https://{server_ip} in front of the URL, against both the PAFW management interface and an interface in vsys 3, with no result. None of the documents I can find specifies which IP address to use in the Endpoint Context configuration.

    Is there an option to collect the raw XML ClearPass sends? The Access Tracker Output just shows the enforcement profile being sent.
    Which PAFW IP address do I use in the Endpoint Context Server configuration in a multi-vsys environment?

    Could someone provide me a link to PAN api syntax documentation?

    ClearPass 6.9.3, PAN 9.1.4.

    Thanks, Erik


    ------------------------------
    Erik Eckhardt
    ------------------------------
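For the two questions above (what the XML looks like and where the vsys goes), here is an added example that is not part of this thread, of ClearPass or of Palo Alto: a small Python script that builds a PAN-OS User-ID XML API update of the same kind the ClearPass endpoint context action sends (a login mapping plus a tag registration a Dynamic Address Group can match), and assembles the API URL with the optional vsys parameter. The firewall address, API key, user name, IP and role name are made-up placeholders, and that ClearPass emits exactly this XML is an assumption; the <uid-message> payload format and the type=user-id, key, cmd and vsys query parameters are the documented PAN-OS XML API. It is useful for testing the firewall side independently of ClearPass and for checking a capture of the ClearPass-to-firewall call.

```python
"""Build (and optionally send) a PAN-OS User-ID XML API update: an IP-to-user
login mapping plus a tag registration that a Dynamic Address Group can match.

Added example, not ClearPass or Palo Alto code. Firewall address, API key,
user, IP and role values below are placeholders.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional


def build_uid_message(user: str, ip: str, tags: List[str], timeout_min: int = 60) -> str:
    """Return the <uid-message> body for one endpoint.

    <login> creates the IP-to-user mapping (what 'show user ip-user-mapping all'
    lists); <register> attaches tags to the IP, which is what a Dynamic Address
    Group keyed on the ClearPass role matches on.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    login = ET.SubElement(payload, "login")
    ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout_min))
    register = ET.SubElement(payload, "register")
    entry = ET.SubElement(register, "entry", ip=ip)
    tag = ET.SubElement(entry, "tag")
    for t in tags:
        ET.SubElement(tag, "member").text = t
    return ET.tostring(root, encoding="unicode")


def build_api_url(server_ip: str, api_key: str, xml_cmd: str, vsys: Optional[str] = None) -> str:
    """Return the XML API URL as it would appear in an endpoint context server action.

    Without 'vsys' the firewall applies the mapping to its default vsys; on a
    multi-vsys firewall the target vsys (for example 'vsys3') must be named.
    """
    params = {"type": "user-id", "key": api_key, "cmd": xml_cmd}
    if vsys:
        params["vsys"] = vsys
    return f"https://{server_ip}/api/?" + urllib.parse.urlencode(params)


def parse_uid_message(xml_text: str) -> Dict[str, object]:
    """Extract user, IP and tags from a <uid-message>, e.g. one taken from a
    packet capture of the ClearPass-to-firewall call."""
    root = ET.fromstring(xml_text)
    login = root.find("./payload/login/entry")
    reg = root.find("./payload/register/entry")
    return {
        "user": login.get("name") if login is not None else None,
        "ip": login.get("ip") if login is not None else None,
        "tags": [m.text for m in reg.findall("./tag/member")] if reg is not None else [],
    }


def send_uid_update(url: str, cafile: Optional[str] = None, timeout: int = 10) -> str:
    """GET the API URL over TLS and return the firewall's XML response.

    Pass the CA that signed the firewall's certificate instead of disabling
    verification: the API key travels in this request.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Placeholder values; nothing is sent unless send_uid_update is called
    # against a real firewall.
    xml_cmd = build_uid_message("corp\\eeckhardt", "10.20.30.40", ["Employee"])
    print(xml_cmd)
    print(build_api_url("192.0.2.10", "REDACTED-API-KEY", xml_cmd, vsys="vsys3"))
```

Two practical notes: the API key sits in the query string, so it ends up in any proxy or web-server log on the path, which is a reason to give the integration its own admin account restricted to the User-ID API and to keep the ClearPass-to-firewall path on a trusted network; and the firewall's own response to the call (status="success" or an error message) is the quickest way to tell a vsys or key problem from a missing mapping.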


  • 2.  RE: Clearpass Palo Alto - Role not visible in PAFW

    Posted Nov 06, 2020 11:33 AM

    The IP is the interface that has USER-ID enabled for that Zone on the PANFW.

    I'm not 100% sure of the endpoint URL in a multi-vsys environment. However you shouldn't have to modify the URL with the IP.



    ------------------------------
    ACCX #1239 || ACEP || ACSP || CWNA || CWSP
    ------------------------------



  • 3.  RE: Clearpass Palo Alto - Role not visible in PAFW

    Posted Nov 06, 2020 07:49 PM

    I posted an updated version of the CPPM/PAN Guide a few weeks back.

    Find it here and the announcement of it here

    Best,

    -d


    DANNY JUMP,  PRODUCT MANAGER – CLEARPASS

    Aruba, a Hewlett Packard Enterprise company

    T: 650.236.9657  |  E: DJUMP@HPE.COM  | AIRHEADS @DANNYJUMP

    3333 SCOTT BLVD | SANTA CLARA, CA, USA, 95054







  • 4.  RE: Clearpass Palo Alto - Role not visible in PAFW

    Posted Nov 06, 2020 11:59 PM

    Is "a few weeks back" a guesstimate? The doc you linked to is dated June.

    The announcement says the doc was updated in October; were the doc dates not updated as well?

    Just looking for clarification, Danny.



    ------------------------------
    ACCX #1239 || ACEP || ACSP || CWNA || CWSP
    ------------------------------



  • 5.  RE: Clearpass Palo Alto - Role not visible in PAFW

    Posted Nov 07, 2020 01:34 AM
    Correct. I completed and updated the doc in June and posted it on October 1st, as shown in the announcement. I release blocks of things quarterly, hence the title of the announcement, 'Quarterly Updates'. Normally it would have made the previous quarter, but the review process with PAN took longer than expected, so it didn't.


    ------------------------------
    Danny Jump - Product Manager
    ClearPass Policy Manager
    ------------------------------



  • 6.  RE: Clearpass Palo Alto - Role not visible in PAFW

    Posted Nov 07, 2020 02:09 AM
    To confirm, that's the version used to build the implementation (revision June 2020). The vsys add-on information came from the esupport post.

    rgds, Erik

    ------------------------------
    Erik Eckhardt
    ------------------------------



  • 7.  RE: Clearpass Palo Alto - Role not visible in PAFW

    Posted Nov 11, 2020 07:07 AM
    Fixed. https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=19317

    ArubaOS-S does not add the IP address of the client to RADIUS accounting, even with interim accounting enabled. You have to enable dhcp-snooping to get this done.

    Rgds, Erik


    ------------------------------
    Erik Eckhardt
    ------------------------------



  • 8.  RE: Clearpass Palo Alto - Role not visible in PAFW

    Posted Nov 12, 2020 05:13 AM

    Correction: partly fixed.

    If you use Per User Tunneled Node, the WLC does not add the Framed-IP-Address in RADIUS accounting. For a wireless client it does. The Aruba WLC does not support DHCP snooping.

    I tried enabling "Use IP address for calling station ID", but this didn't resolve the issue. What other configuration options in the WLC do I have?

    thanks,

    Erik



    ------------------------------
    Erik Eckhardt
    ------------------------------
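The symptom in the last two posts (the role never reaches the firewall because the NAS omits the client IP from accounting) can be checked on the RADIUS side before touching the firewall. Below is an added example, not ClearPass or ArubaOS code: a Python parser for RADIUS Accounting-Request packets (RFC 2866) that reports whether Framed-IP-Address (attribute 8) is present. The two packets it runs on are constructed in the script, not captured from a switch or controller; a wireless client's Interim-Update that carries the IP, and a tunnelled-node client's Interim-Update that does not. Feeding it the UDP payloads from a capture on the ClearPass accounting port would answer the same question for real traffic.

```python
"""Check whether a RADIUS Accounting-Request carries Framed-IP-Address
(attribute 8). ClearPass can only map a role to an IP for the PAN endpoint
context action if the NAS puts the client IP into accounting.

Added example, not ClearPass or ArubaOS code. The packets below are
constructed here, not captured from a switch or controller.
"""
import socket
import struct
from typing import Dict, List, Optional, Tuple

ACCOUNTING_REQUEST = 4          # RADIUS code (RFC 2866)
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_STATUS_TYPE = 40
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def build_accounting_request(attrs: List[Tuple[int, bytes]], identifier: int = 1) -> bytes:
    """Constructed Accounting-Request with a zeroed authenticator (no shared secret)."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body)) + bytes(16) + body


def parse_attributes(packet: bytes) -> Tuple[int, List[Tuple[int, bytes]]]:
    """Walk the type/length/value attribute list, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("short RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, off = [], 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("malformed attribute length")
        attrs.append((atype, packet[off + 2:off + alen]))
        off += alen
    return code, attrs


def accounting_summary(packet: bytes) -> Dict[str, Optional[str]]:
    """Summarise one Accounting-Request: who, which status type, and whether
    the IP needed for the firewall's ip-user mapping is present."""
    code, attrs = parse_attributes(packet)
    if code != ACCOUNTING_REQUEST:
        raise ValueError(f"not an Accounting-Request (code {code})")
    s: Dict[str, Optional[str]] = {"user": None, "status": None,
                                   "calling_station": None, "framed_ip": None}
    for atype, value in attrs:
        if atype == ATTR_USER_NAME:
            s["user"] = value.decode("utf-8", errors="replace")
        elif atype == ATTR_CALLING_STATION_ID:
            s["calling_station"] = value.decode("utf-8", errors="replace")
        elif atype == ATTR_FRAMED_IP_ADDRESS and len(value) == 4:
            s["framed_ip"] = socket.inet_ntoa(value)
        elif atype == ATTR_ACCT_STATUS_TYPE and len(value) == 4:
            s["status"] = ACCT_STATUS.get(struct.unpack("!I", value)[0], "Other")
    s["can_map_role_to_ip"] = "yes" if s["framed_ip"] else "no"
    return s


# Constructed samples: a wireless client's Interim-Update with the IP, and a
# tunnelled-node client's Interim-Update without it (the symptom in the thread).
WIRELESS_INTERIM = build_accounting_request([
    (ATTR_USER_NAME, b"alice"),
    (ATTR_CALLING_STATION_ID, b"AA-BB-CC-11-22-33"),
    (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 3)),
    (ATTR_FRAMED_IP_ADDRESS, socket.inet_aton("10.20.30.40")),
])
UBT_INTERIM = build_accounting_request([
    (ATTR_USER_NAME, b"printer-01"),
    (ATTR_CALLING_STATION_ID, b"AA-BB-CC-44-55-66"),
    (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 3)),
], identifier=2)

if __name__ == "__main__":
    for pkt in (WIRELESS_INTERIM, UBT_INTERIM):
        print(accounting_summary(pkt))
```

The parser deliberately checks the header length against the datagram size and every attribute length against the remaining bytes, so a truncated or malformed packet raises instead of being misread; when pointed at a capture, a "no" in can_map_role_to_ip for Start and Interim-Update packets from a given NAS is the fingerprint of the tunnelled-node behaviour described above.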



  • 9.  RE: Clearpass Palo Alto - Role not visible in PAFW

    Posted Dec 17, 2020 04:36 AM

    Update on the above. Kudos to Dik van Oeveren and Herman Robers for their input.

    IP Client Tracker on the ArubaOS switch will add the IP address to RADIUS Accounting for UBT. Unfortunately that caused a lot of issues with traffic to the tunneled client. Time constraints did not allow me to troubleshoot why. Observations led me to believe that TCP traffic was not arriving at the client.

    One example of the issue: I can ping a tunneled printer, I can print to a tunneled printer (the page was printed), but I cannot open the internal web page of the printer. Lots of similar issues and the zero-trust setup using Palo Alto for inter-VLAN traffic made us drop dynamic segmentation for this project, since it did not add that much security. UBT use was more a convenience.

    rgds,



    ------------------------------
    Erik Eckhardt
    ------------------------------



  • 10.  RE: Clearpass Palo Alto - Role not visible in PAFW

    Posted 22 days ago
    Another question on this subject. The Palo Alto firewall is an HA setup. I have added both firewalls to the endpoint context servers and created two enforcement profiles for sending the role to both firewalls for use in Dynamic Address Groups.

    In the Access Tracker I only see the IP address of one of the firewalls. This is the IP address used in the first enforcement profile. For the second the IP address is empty. There is no 443 traffic logged from ClearPass to the second firewall.

    The tech note does not specify how to set up this integration in an HA setup, and you can't add the second firewall in the same enforcement profile. The second enforcement profile does not seem to work; the second IP address is shown as blank in the output tab.


    I'm aware that DAG information is replicated, but how would the backup firewall receive the changed information in case a failover takes longer than expected, without changing the ClearPass policy? Has anyone got this working for the passive firewall in an HA setup?


    thanks,
    Erik

    ------------------------------
    Erik Eckhardt
    ACMX #1245, ACDX #968, ACCP, ACSP
    ------------------------------



  • 11.  RE: Clearpass Palo Alto - Role not visible in PAFW

    Posted 13 days ago
    When I set this up (admittedly quite some time ago), I configured ClearPass to send the XML API to a data interface on the Palo Alto instead of the mgmt IP of the two firewalls. The data interface is shared in an HA cluster, so the data from ClearPass will be received by the active firewall and the IP-user mapping will be synced to the passive. Note that you have to enable User-ID on the PA data interface you chose (interface mgmt) and create a security policy for the traffic if the chosen data interface is in a different zone from the ClearPass server.


  • 12.  RE: Clearpass Palo Alto - Role not visible in PAFW

    Posted 13 days ago
    Thanks AFK. I'll pass this on to the firewall engineer. It might be a bit difficult to get this arranged because it's not only HA but also multiple vsys, and there was a specific reason why he used the management interface for this setup.

    I'll report back on this thread with the findings for future reference.

    rgds, Erik

    ------------------------------
    Erik Eckhardt
    ACMX #1245, ACDX #968, ACCP, ACSP
    ------------------------------