Another question on this subject. The Palo Alto Firewall is an HA setup. I have added both firewalls to the endpoint context servers and created 2 enforcement profiles for sending the role to both firewalls for use in Dynamic Address Groups.
In the access tracker I only see the IP address of 1 of the firewalls. This is the IP address used in the 1st enforcement profile. For the second the IP address is empty. There is no 443 traffic logged from ClearPass to the 2nd firewall.
The technote does not specify how to set up this integration in an HA setup and you can't add the 2nd firewall in the same enforcement profile. The 2nd enforcement profile does not seem to work. The second IP address is shown as blank in the output tab.
I'm aware that DAG information is replicated, but how would the backup firewall receive the changed information in case a failover does take longer than expected, without changing the ClearPass policy? Anyone got this working for the passive firewall in an HA setup?
thanks,
Erik
------------------------------
Erik Eckhardt
ACMX #1245, ACDX #968, ACCP, ACSP
------------------------------
Original Message:
Sent: Dec 17, 2020 04:35 AM
From: Erik Eckhardt
Subject: Clearpass Palo Alto - Role not visible in PAFW
Update on above. Kudos to Dik van Oeveren en Herman Robers for their input.
IP Client Tracker on the ArubaOS switch will add the IP address to RADIUS Accounting for UBT. Unfortunately that caused a lot of issues with traffic to the tunneled client. Time constraints did not allow me to troubleshoot why. Observations led me to believe that TCP traffic was not arriving at the client.
One example of the issue: I can ping a tunneled printer, I can print to a tunneled printer (page was printed), but I cannot open the internal webpage of the printer. Lots of similar issues, and the zero trust setup using Palo Alto for inter-VLAN traffic, made us drop dynamic segmentation for this project since it did not add that much in security. UBT use was more a convenience.
rgds,
------------------------------
Erik Eckhardt
Original Message:
Sent: Nov 12, 2020 05:12 AM
From: Erik Eckhardt
Subject: Clearpass Palo Alto - Role not visible in PAFW
Correction; partly fixed.
If you use Per User Tunneled Node, the WLC does not add the Framed-IP-Address in RADIUS accounting. For a wireless client it does. Aruba WLC does not support DHCP Snooping.
I tried enabling "Use IP address for calling station ID" but this didn't resolve the issue. What other configuration options in the WLC do I have?
thanks,
Erik
------------------------------
Erik Eckhardt
Original Message:
Sent: Nov 11, 2020 07:07 AM
From: Erik Eckhardt
Subject: Clearpass Palo Alto - Role not visible in PAFW
Fixed. https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=19317
ArubaOS-S does not add the IP address of the client into RADIUS accounting, even with interim accounting enabled. You have to enable dhcp-snooping to get this done.
Rgds, Erik
------------------------------
Erik Eckhardt
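The posts above turn on whether the NAS actually puts Framed-IP-Address into its accounting packets, since ClearPass needs the client's IP before it can send an IP-to-user mapping to the firewall. The following is an added example, not code from the thread, from Aruba or from Palo Alto: a minimal RADIUS Accounting-Request decoder that reports whether the packet carries Framed-IP-Address (attribute 8), which is the check to run against a capture of Interim-Update traffic when the role never appears on the firewall. The packets it decodes are constructed in the block itself (zeroed authenticator, only a handful of attributes), not real NAS captures; the user name, MAC and IP are made up.

```python
# Added example (not from the thread): decode a RADIUS Accounting-Request and
# report whether it carries Framed-IP-Address, the attribute ClearPass needs to
# learn the client's IP before it can send an IP-to-user mapping to the PAN.
import struct
from typing import Dict, List, Optional, Tuple

ACCOUNTING_REQUEST = 4
# RFC 2865/2866 attribute types used here
USER_NAME, FRAMED_IP_ADDRESS, CALLING_STATION_ID, ACCT_STATUS_TYPE = 1, 8, 31, 40
ACCT_START, ACCT_STOP, ACCT_INTERIM = 1, 2, 3
STATUS_NAMES = {ACCT_START: "Start", ACCT_STOP: "Stop", ACCT_INTERIM: "Interim-Update"}


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Split a RADIUS packet into (type, value) pairs.

    Raises ValueError on a malformed header or on an attribute whose declared
    length runs past the packet, so a truncated capture is reported, not guessed.
    """
    if len(packet) < 20:
        raise ValueError("short RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20  # 20-byte header: code, id, length, 16-byte authenticator
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute overruns packet")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def accounting_summary(packet: bytes) -> Dict[str, Optional[str]]:
    """Return user, status, Calling-Station-Id and Framed-IP-Address.

    framed_ip is None when the NAS omitted the attribute, which is exactly the
    condition that leaves the firewall without an IP for the user's role.
    """
    if packet[0] != ACCOUNTING_REQUEST:
        raise ValueError(f"not an Accounting-Request (code {packet[0]})")
    out: Dict[str, Optional[str]] = {"user": None, "status": None,
                                     "calling_station": None, "framed_ip": None}
    for atype, value in parse_attributes(packet):
        if atype == USER_NAME:
            out["user"] = value.decode("utf-8", "replace")
        elif atype == CALLING_STATION_ID:
            out["calling_station"] = value.decode("utf-8", "replace")
        elif atype == ACCT_STATUS_TYPE and len(value) == 4:
            out["status"] = STATUS_NAMES.get(struct.unpack("!I", value)[0], "other")
        elif atype == FRAMED_IP_ADDRESS and len(value) == 4:
            out["framed_ip"] = ".".join(str(b) for b in value)
    return out


def build_accounting_request(user: str, status: int, calling_station: str,
                             framed_ip: Optional[str] = None) -> bytes:
    """Constructed test packet (authenticator zeroed; not a real NAS capture)."""
    def avp(atype: int, value: bytes) -> bytes:
        return bytes([atype, len(value) + 2]) + value

    body = (avp(USER_NAME, user.encode())
            + avp(ACCT_STATUS_TYPE, struct.pack("!I", status))
            + avp(CALLING_STATION_ID, calling_station.encode()))
    if framed_ip:
        body += avp(FRAMED_IP_ADDRESS, bytes(int(o) for o in framed_ip.split(".")))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(body)) + bytes(16)
    return header + body


if __name__ == "__main__":
    # Constructed samples: an Interim-Update with and without Framed-IP-Address.
    with_ip = build_accounting_request("printer01", ACCT_INTERIM, "00-11-22-33-44-55", "10.20.30.40")
    without_ip = build_accounting_request("printer01", ACCT_INTERIM, "00-11-22-33-44-55")
    print(accounting_summary(with_ip))     # framed_ip: '10.20.30.40'
    print(accounting_summary(without_ip))  # framed_ip: None
```

Run it against a real capture by feeding the UDP payload of each Accounting-Request on port 1813 to `accounting_summary`; a stream of Interim-Updates whose `framed_ip` stays `None` after the client has a lease means the switch or controller is not reporting the address (the DHCP snooping or IP Client Tracker situation described above), and no ClearPass-side setting will produce a mapping from it.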
Original Message:
Sent: Nov 07, 2020 02:09 AM
From: Erik Eckhardt
Subject: Clearpass Palo Alto - Role not visible in PAFW
To confirm, that's the version used to build the implementation, revision June 2020. The vsys add-on information came from the esupport post.
rgds, Erik
------------------------------
Erik Eckhardt
Original Message:
Sent: Nov 07, 2020 01:34 AM
From: Danny Jump
Subject: Clearpass Palo Alto - Role not visible in PAFW
Correct, I completed and updated the DOC in June, I posted it on October 1st, as shown in the announcement. I release blocks of things quarterly, hence the title of the announcement 'Quarterly Updates', normally it would have made the previous quarter but the review process with PAN took longer than expected so didn't make the previous quarter.
------------------------------
Danny Jump - Product Manager
ClearPass Policy Manager
Original Message:
Sent: Nov 06, 2020 11:59 PM
From: Zak Emerick
Subject: Clearpass Palo Alto - Role not visible in PAFW
Is "a few weeks back" a guesstimate? The doc you linked to is dated to June.
The announcement says the doc was updated in Oct. Were the doc dates not updated as well?
Just looking for clarification, Danny.
------------------------------
ACCX #1239 || ACEP || ACSP || CWNA || CWSP
Original Message:
Sent: Nov 06, 2020 07:48 PM
From: Danny Jump
Subject: Clearpass Palo Alto - Role not visible in PAFW
I posted an updated version of the CPPM/PAN Guide a few weeks back....
Find it here and the announcement of it here
Best,
-d
DANNY JUMP, PRODUCT MANAGER – CLEARPASS
Aruba, a Hewlett Packard Enterprise company
T: 650.236.9657 | E: DJUMP@HPE.COM | AIRHEADS @DANNYJUMP
3333 SCOTT BLVD | SANTA CLARA, CA, USA, 95054
FOLLOW US | Twitter | LinkedIn
VISIT AIRHEADS SOCIAL http://community.arubanetworks.com/
Original Message:
Sent: 11/6/2020 11:33:00 AM
From: zemerick1
Subject: RE: Clearpass Palo Alto - Role not visible in PAFW
The IP is the interface that has USER-ID enabled for that Zone on the PANFW.
I'm not 100% sure of the endpoint URL in a multi-vsys environment. However you shouldn't have to modify the URL with the IP.
------------------------------
ACCX #1239 || ACEP || ACSP || CWNA || CWSP
Original Message:
Sent: Nov 06, 2020 06:35 AM
From: Erik Eckhardt
Subject: Clearpass Palo Alto - Role not visible in PAFW
Hi,
I'm working on a ClearPass - Palo Alto integration where the Tips:Role is used as a dynamic address group in the Palo Alto Firewall. Both the Palo Alto engineer and I have followed the latest ClearPass Palo Alto Networks Tech Note.
Customer is using a multi-vsys setup, which should be supported since 2017 according to the following link:
https://community.arubanetworks.com/blogs/esupport1/2017/03/23/how-to-send-userid-updates-to-a-particular-instance-of-palo-alto
Up till now we are not able to see the Tips:Role being mapped to an IP address in the PAFW. PAFW show ip-user-mapping-all has no entries.
As seen by my notes, changing the URL in the Endpoint Context Server url field stopped the authentication. So I changed the url in context server action:
------------------------------
Erik Eckhardt
------------------------------
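What ClearPass sends to the firewall in this integration is a PAN-OS User-ID XML API "uid-message": a login entry that maps the user to the client IP, plus a register entry that attaches a tag (here the ClearPass role) to that IP so a Dynamic Address Group can match on it. The following is an added example, not code from the thread, from the ClearPass tech note or from Palo Alto, that builds that message and pushes the same update to several firewall targets, which speaks to two questions in this thread: the original multi-vsys question (the vsys= query parameter selects the virtual system) and the later HA question (the list of targets can simply name both HA peers). It assumes the documented XML API form, where the call goes to https://<firewall>/api/ with type=user-id and action=set and the API key and XML are accepted as POST form fields (key and cmd); the hostnames, API key, user, IP and tag are made up, and the stand-alone run uses a constructed fake firewall reply so it works offline. How ClearPass itself constructs its context-server requests is not shown here.

```python
# Added example (not from the thread, the tech note or Palo Alto): build the
# PAN-OS User-ID XML API uid-message that registers an IP-to-user mapping plus
# the tag a Dynamic Address Group matches on, then send the identical update to
# every firewall target (e.g. both HA peers) and check each reply.
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Iterable, List, Optional
from urllib.parse import urlencode


def build_uid_message(user: str, ip: str, tags: Iterable[str], timeout_min: int = 60) -> str:
    """Return the uid-message XML: <login> maps user to IP for the given timeout,
    <register> attaches the tags (the ClearPass role) to the same IP for DAGs."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    login = ET.SubElement(payload, "login")
    ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout_min))
    register = ET.SubElement(payload, "register")
    entry = ET.SubElement(register, "entry", ip=ip)
    tag_el = ET.SubElement(entry, "tag")
    for tag in tags:
        ET.SubElement(tag_el, "member").text = tag
    return ET.tostring(root, encoding="unicode")


def build_api_url(host: str, vsys: Optional[str] = None) -> str:
    """XML API User-ID endpoint. On a multi-vsys firewall, vsys= (e.g. 'vsys2')
    selects the virtual system that receives the mapping (assumed from the
    PAN-OS XML API documentation)."""
    params = {"type": "user-id", "action": "set"}
    if vsys:
        params["vsys"] = vsys
    return f"https://{host}/api/?{urlencode(params)}"


def response_ok(xml_text: str) -> bool:
    """True only when the firewall answered <response status="success">."""
    try:
        return ET.fromstring(xml_text).get("status") == "success"
    except ET.ParseError:
        return False


def http_post(url: str, form: Dict[str, str], ca_bundle: Optional[str] = None) -> str:
    """Real HTTPS sender; verifies the firewall certificate against ca_bundle
    (or the system store), since the API key travels in this request."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(url, data=urlencode(form).encode(), method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def push_update(targets: List[str], api_key: str, user: str, ip: str,
                tags: Iterable[str], post: Callable[[str, Dict[str, str]], str] = http_post,
                vsys: Optional[str] = None) -> Dict[str, bool]:
    """Send one identical uid-message to every target and return {host: ok}.
    Listing both HA peers gives the passive unit the mapping directly instead
    of waiting on HA sync. The key goes in the POST body, not the URL, so it
    does not end up in proxy or web-server access logs."""
    cmd = build_uid_message(user, ip, list(tags))
    results: Dict[str, bool] = {}
    for host in targets:
        reply = post(build_api_url(host, vsys), {"key": api_key, "cmd": cmd})
        results[host] = response_ok(reply)
    return results


if __name__ == "__main__":
    # Constructed stand-in for the firewall so the example runs offline.
    def fake_post(url: str, form: Dict[str, str]) -> str:
        print("POST", url, "cmd bytes:", len(form["cmd"]))
        return '<response status="success"><result></result></response>'

    print(push_update(["fw-a.example.net", "fw-b.example.net"], "API-KEY-PLACEHOLDER",
                      "corp\\printer01", "10.20.30.40", ["ClearPass-Printer"],
                      post=fake_post, vsys="vsys2"))
```

In production, drop the fake sender and let `push_update` use `http_post` with the firewall's CA bundle; a `False` for one host in the returned dict is the per-peer failure to alert on, and a request that never reaches the second peer at all shows up as no 443 traffic to it, as observed in the first post.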