Security

Hi,

Within this environment we would like to  leverage the XMLAPI from Clearpass towards Palo-Alto for User-ID. For the mapping, User-ID needs the username and the corresponding IP address. Currently in this environment actually managed devices are authenticated (not users) towards the lan for example. Within Clearpass username information is available through the InTune extension and its attributes are viewable in access-tracker/end-point database. Ideally would like to have username information and not device information in the PA so i wonder how this can be achieved. I have read the CP-PA integration guide but maybe you can help with this question:

* Is it possible to share Clearpass InTune endpoint context with the Palo Alto? for example UPN or UDN?

My guess would be yes, as Intune attributes are collected during the Authorization, and the XMLAPI is post-authentication.

Just tested the concept and it seems to work. You could try to modify the context server action from:

<uid-message><version>1.0</version><type>update</type><payload><login><entry name="%{user}" ip="%{ip}"/></login></payload></uid-message>

To:

<uid-message><version>1.0</version><type>update</type><payload><login><entry name="%{Authorization:Intune-EndpointDB:Intune User Principal Name}" ip="%{ip}"/></login></payload></uid-message>

... where Authorization:Intune-EndpointDB:Intune User Principal Name is what you see in the Access Tracker containing the value that you want to send as username.

If that doesn't work, your Aruba partner or TAC can probably assist as well.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: May 22, 2023 04:44 AM
From: mbaars
Subject: Clearpass XMLAPI to Palo Alto and Intune attributes?

Hi,

Within this environment we would like to  leverage the XMLAPI from Clearpass towards Palo-Alto for User-ID. For the mapping, User-ID needs the username and the corresponding IP address. Currently in this environment actually managed devices are authenticated (not users) towards the lan for example. Within Clearpass username information is available through the InTune extension and its attributes are viewable in access-tracker/end-point database. Ideally would like to have username information and not device information in the PA so i wonder how this can be achieved. I have read the CP-PA integration guide but maybe you can help with this question:

* Is it possible to share Clearpass InTune endpoint context with the Palo Alto? for example UPN or UDN?