Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

ClearPass is not able to map the field "Authentication: Username" with the user received from Palo Alto

  • 1.  ClearPass is not able to map the field "Authentication: Username" with the user received from Palo Alto

    Posted 13 days ago
    Good morning,

    I have a problem with Palo Alto > Clearpass integration for incident response.

    Basically, what I need is to move a user to quarantine when a Palo Alto event of type "vulnerability" is received (Event: PANW-Threat: panw_subtype = vulnerability).

    The RADIUS configuration with the Cisco switch is OK; posture works correctly on machines with the OnGuard agent installed.

    In Palo Alto we configured ClearPass as an external syslog server; the attributes were mapped using the attached list "PANW.txt".

    ClearPass already receives the syslog events. In the test, when a user tries to access a website classified as medium risk (Eicar), Palo Alto sends the information to ClearPass.

    The problem is that ClearPass is not able to map the field "Authentication: Username" with the user received from Palo Alto through the attribute "Event: PANW-Threat: panw_srcuser = domain\user".

    As I do not have the user information (Authentication: Username), it is not possible to link the active RADIUS user and change the profile to quarantine.

    As highlighted in green in the image below, other fields are mapped normally.

    Has anyone experienced this problem? Any idea?


    Thanks!




    ------------------------------
    Daniel Cabral
    ------------------------------

    Attachment(s): PANW.txt (txt, 895 B, 1 version)


  • 2.  RE: ClearPass is not able to map the field "Authentication: Username" with the user received from Palo Alto

    Posted 13 days ago
    If my understanding is correct, the mapping of events to a session happens on the client IP address, not on the username. If the IP in the event matches the IP in accounting/access tracker, it should work.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------
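The reply above makes the practical point: the event-to-session correlation is keyed on the client IP address carried in the firewall event, and the username field is at best a consistency check once the IP has matched. The script below is an added example written for this page (not code from the thread, from Aruba ClearPass, or from Palo Alto). It assumes PAN-OS is sending a custom key=value syslog format with the key names panw_type, panw_subtype, panw_src and panw_srcuser (chosen to mirror the naming in the post; they are not a documented PAN-OS field list), and it uses a constructed session table standing in for Access Tracker / RADIUS accounting keyed by Framed-IP-Address. The syslog lines are constructed, not captured from a real firewall.

```python
"""
Correlate PAN-OS threat syslog events with active RADIUS sessions by IP.

Added example, not from the forum thread or from Aruba/Palo Alto code.
Assumptions (constructed for illustration):
  - PAN-OS emits a custom log format with key=value pairs; the key names
    (panw_type, panw_subtype, panw_src, panw_srcuser) are hypothetical.
  - SESSIONS stands in for ClearPass Access Tracker / accounting data,
    keyed by the client's Framed-IP-Address.
"""
import re
from typing import Optional

# Constructed sample syslog lines (RFC 5424 header + key=value body).
SYSLOG_LINES = [
    '<14>1 2024-05-02T10:15:01Z pa-fw01 panw - - - '
    'panw_type=THREAT panw_subtype=vulnerability panw_src=10.20.30.41 '
    'panw_dst=203.0.113.7 panw_srcuser=corp\\jdoe panw_severity=medium',
    '<14>1 2024-05-02T10:15:02Z pa-fw01 panw - - - '
    'panw_type=THREAT panw_subtype=url panw_src=10.20.30.42 '
    'panw_dst=203.0.113.8 panw_srcuser=corp\\asmith panw_severity=low',
    # Vulnerability event for an IP with no active RADIUS session.
    '<14>1 2024-05-02T10:15:03Z pa-fw01 panw - - - '
    'panw_type=THREAT panw_subtype=vulnerability panw_src=10.20.30.99 '
    'panw_dst=203.0.113.9 panw_srcuser=corp\\ghost panw_severity=high',
]

# Constructed stand-in for active sessions:
# Framed-IP-Address -> Authentication:Username and Calling-Station-Id.
SESSIONS = {
    "10.20.30.41": {"username": "jdoe", "mac": "00-11-22-33-44-55"},
    "10.20.30.42": {"username": "asmith", "mac": "00-11-22-33-44-66"},
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Extract key=value attributes from one syslog line into a dict."""
    return dict(KV_RE.findall(line))


def normalize_user(srcuser: str) -> str:
    """Reduce DOMAIN\\user or user@domain to the bare, lower-cased username
    so it can be compared with the RADIUS User-Name."""
    if "\\" in srcuser:
        return srcuser.rsplit("\\", 1)[1].lower()
    return srcuser.split("@", 1)[0].lower()


def match_session(event: dict, sessions: dict) -> Optional[dict]:
    """Correlate on the source IP (the key the reply says is used), not on
    the username. The username is only a sanity check after the IP matches."""
    session = sessions.get(event.get("panw_src", ""))
    if session is None:
        return None
    user_ok = (normalize_user(event.get("panw_srcuser", ""))
               == session["username"].lower())
    return {**session, "ip": event["panw_src"], "user_matches": user_ok}


def quarantine_candidates(lines, sessions=SESSIONS, subtype="vulnerability"):
    """Return the sessions that should be moved to quarantine: THREAT events
    of the wanted subtype whose source IP has an active session."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("panw_type") != "THREAT" or ev.get("panw_subtype") != subtype:
            continue
        match = match_session(ev, sessions)
        if match is None:
            # No session for this IP: there is nothing to CoA / disconnect.
            continue
        hits.append(match)
    return hits


if __name__ == "__main__":
    for hit in quarantine_candidates(SYSLOG_LINES):
        print(f"quarantine {hit['username']} ({hit['ip']}, {hit['mac']}) "
              f"user-field-consistent={hit['user_matches']}")
```

Run as-is, only the first event produces a quarantine candidate: the second is not a vulnerability event, and the third has no active session for its source IP, which is exactly the case where a username-only lookup would have nothing to attach to either. If the firewall's idea of the user (domain\user) and the RADIUS User-Name disagree, `user_matches` flags it without blocking the IP-based match.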