Clearpass XMLAPI to Palo Alto and Intune attributes?

  • 1.  Clearpass XMLAPI to Palo Alto and Intune attributes?

    Posted 12 days ago

    Hi,

    Within this environment we would like to leverage the XMLAPI from Clearpass towards Palo Alto for User-ID. For the mapping, User-ID needs the username and the corresponding IP address. Currently in this environment actually managed devices are authenticated (not users) towards the LAN, for example. Within Clearpass, username information is available through the InTune extension and its attributes are viewable in Access Tracker / the endpoint database. Ideally we would like to have username information and not device information in the PA, so I wonder how this can be achieved. I have read the CP-PA integration guide, but maybe you can help with this question:

    * Is it possible to share Clearpass InTune endpoint context with the Palo Alto, for example UPN or UDN?




  • 2.  RE: Clearpass XMLAPI to Palo Alto and Intune attributes?

    EMPLOYEE
    Posted 8 days ago

    My guess would be yes, as Intune attributes are collected during the Authorization, and the XMLAPI is post-authentication.

    Just tested the concept and it seems to work. You could try to modify the context server action from:

    <uid-message><version>1.0</version><type>update</type><payload><login><entry name="%{user}" ip="%{ip}"/></login></payload></uid-message>

    To:

    <uid-message><version>1.0</version><type>update</type><payload><login><entry name="%{Authorization:Intune-EndpointDB:Intune User Principal Name}" ip="%{ip}"/></login></payload></uid-message>

    ... where Authorization:Intune-EndpointDB:Intune User Principal Name is what you see in the Access Tracker containing the value that you want to send as username.

    If that doesn't work, your Aruba partner or TAC can probably assist as well.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
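    Added example (not from this thread, nor Aruba or Palo Alto code): a small Python helper that resolves the %{...} macros from the reply above against a constructed set of ClearPass session attributes and builds the User-ID login message. It falls back to %{user} when the Intune UPN attribute is absent, refuses to emit an entry with an empty name or ip, and builds the XML with ElementTree so attribute values are escaped. The attribute names, sample values and function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# ClearPass macro syntax as used in the context server action: %{Namespace:Attribute}
MACRO = re.compile(r"%\{([^}]+)\}")
UPN = "Authorization:Intune-EndpointDB:Intune User Principal Name"

# Constructed sample of what Access Tracker might show for one session (not real data).
SAMPLE_ATTRS = {
    "user": "host/LAPTOP-01.corp.example",   # device identity currently sent as %{user}
    "ip": "10.20.30.40",
    UPN: "jdoe@corp.example",                # Intune attribute to send as the username instead
}

def expand(template, attrs):
    """Resolve every %{...} macro in template from attrs; None if any is unset or empty."""
    unresolved = []
    def repl(m):
        value = attrs.get(m.group(1), "")
        if not value:
            unresolved.append(m.group(1))
        return value
    text = MACRO.sub(repl, template)
    return None if unresolved else text

def build_login_message(attrs, user_macros=("%{" + UPN + "}", "%{user}")):
    """Build the User-ID login <uid-message>. Tries user_macros in order, so a device
    with no Intune context still maps to %{user}. Returns (xml_text, macro_used), or
    (None, None) when neither a user macro nor the ip resolves, instead of sending an
    entry with an empty name or ip to the firewall."""
    ip = expand("%{ip}", attrs)
    if ip is None:
        return None, None
    for macro in user_macros:
        user = expand(macro, attrs)
        if user is not None:
            break
    else:
        return None, None
    # ElementTree instead of string templating: characters such as '"' or '<' in an
    # attribute value are escaped and cannot break or alter the XML document.
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    ET.SubElement(login, "entry", name=user, ip=ip)
    return ET.tostring(root, encoding="unicode"), macro.strip("%{}")
```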



  • 3.  RE: Clearpass XMLAPI to Palo Alto and Intune attributes?

    Posted 4 days ago

    Hello,

    Yes, it is possible to share Clearpass InTune endpoint context with Palo Alto firewalls for User-ID mapping. Clearpass can extract user attributes from the InTune extension and pass them to Palo Alto firewalls using XMLAPI for User-ID mapping. To achieve this, you need to configure Clearpass to extract the desired user attributes from the InTune extension and make them available for the Palo Alto integration. Here are the steps you can follow:

    1. Configure the InTune extension in Clearpass: Set up the necessary integration between Clearpass and Microsoft InTune to retrieve user attributes. This typically involves configuring the InTune API integration and specifying the attributes you want to extract (e.g., UPN or UDN).

    2. Configure the Palo Alto integration in Clearpass: Set up the integration between Clearpass and Palo Alto firewalls using XML API. This involves defining the Palo Alto XML API server and credentials in Clearpass.

    3. Define the Clearpass enforcement policy: Create an enforcement policy in Clearpass to retrieve the user attributes from the InTune extension and send them to Palo Alto firewalls. Within the policy, you can extract the desired attributes (e.g., UPN or UDN) from the InTune extension and set them as Clearpass attributes.

    4. Map Clearpass attributes to Palo Alto attributes: In the enforcement policy, map the Clearpass attributes containing the user information (e.g., username, UPN, or UDN) to the appropriate Palo Alto User-ID attributes (e.g., user or user-ID).

    5. Apply the enforcement policy: Apply the enforcement policy to the appropriate authentication or authorization rules in Clearpass. This ensures that when a device authenticates, the user attributes from the InTune extension are extracted and sent to Palo Alto firewalls for User-ID mapping.