Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass XMLAPI to Palo Alto and Intune attributes?

  • 1.  Clearpass XMLAPI to Palo Alto and Intune attributes?

    Posted May 22, 2023 04:44 AM

    Hi,

    Within this environment we would like to leverage the XMLAPI from ClearPass towards Palo Alto for User-ID. For the mapping, User-ID needs the username and the corresponding IP address. Currently, in this environment, managed devices are actually authenticated (not users) towards the LAN, for example. Within ClearPass, username information is available through the Intune extension, and its attributes are viewable in Access Tracker / the endpoint database. Ideally we would like to have username information and not device information in the PA, so I wonder how this can be achieved. I have read the CP-PA integration guide, but maybe you can help with this question:

    * Is it possible to share ClearPass Intune endpoint context with the Palo Alto? For example UPN or UDN?




  • 2.  RE: Clearpass XMLAPI to Palo Alto and Intune attributes?

    EMPLOYEE
    Posted May 26, 2023 11:08 AM

    My guess would be yes, as Intune attributes are collected during the Authorization, and the XMLAPI is post-authentication.

    Just tested the concept and it seems to work. You could try to modify the context server action from:

    <uid-message><version>1.0</version><type>update</type><payload><login><entry name="%{user}" ip="%{ip}"/></login></payload></uid-message>

    To:

    <uid-message><version>1.0</version><type>update</type><payload><login><entry name="%{Authorization:Intune-EndpointDB:Intune User Principal Name}" ip="%{ip}"/></login></payload></uid-message>

    ... where Authorization:Intune-EndpointDB:Intune User Principal Name is what you see in the Access Tracker containing the value that you want to send as username.

    If that doesn't work, your Aruba partner or TAC can probably assist as well.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
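As an added example (not code from this thread, from HPE Aruba or from Palo Alto), the following Python resolves the ClearPass-style %{...} placeholders of the two context server action templates quoted in the reply against a constructed set of Access Tracker attributes, falls back to the RADIUS username when the Intune UPN was not collected for an endpoint, and builds the uid-message with an XML library so a username containing characters such as & or < cannot break the message the firewall receives. The attribute names are the ones quoted above; the sample values, the fallback rule, and the form of the User-ID API call produced by panos_request_body (type=user-id, key, cmd) are assumptions to verify against your PAN-OS XML API documentation.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Attribute name exactly as quoted in the reply (Access Tracker view).
INTUNE_UPN = "Authorization:Intune-EndpointDB:Intune User Principal Name"

# Constructed sample of what ClearPass holds for one Intune-managed endpoint
# that authenticated as a device (machine account), not as a person.
SAMPLE_ATTRS = {
    "user": "host/LAPTOP-01.corp.example",
    "ip": "10.20.30.40",
    INTUNE_UPN: "alice@corp.example",
}

# The two context server action bodies from the thread, verbatim.
TEMPLATE_DEFAULT = (
    '<uid-message><version>1.0</version><type>update</type><payload><login>'
    '<entry name="%{user}" ip="%{ip}"/></login></payload></uid-message>'
)
TEMPLATE_INTUNE = (
    '<uid-message><version>1.0</version><type>update</type><payload><login>'
    '<entry name="%{' + INTUNE_UPN + '}" ip="%{ip}"/></login></payload></uid-message>'
)

_PLACEHOLDER = re.compile(r"%\{([^}]+)\}")


def expand(template, attrs):
    """Substitute every %{name} with attrs[name].

    An unknown name raises KeyError on purpose: a misspelled attribute should
    fail loudly rather than ship the literal string '%{...}' to the firewall
    as a username (assumed policy, not ClearPass's own behaviour).
    """
    return _PLACEHOLDER.sub(lambda m: attrs[m.group(1)], template)


def pick_username(attrs, preferred=INTUNE_UPN, fallback="user"):
    """Prefer the Intune UPN; fall back to the RADIUS username when Intune
    returned nothing (unenrolled or unknown device), so the endpoint still
    gets a User-ID mapping instead of an empty name."""
    value = attrs.get(preferred)
    return value if value else attrs[fallback]


def build_uid_message(entries, msg_type="update"):
    """Build <uid-message> with ElementTree so attribute values are escaped
    (e.g. '&' becomes '&amp;') instead of being spliced in as raw text."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = msg_type
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for name, ip in entries:
        ET.SubElement(login, "entry", name=name, ip=ip)
    return ET.tostring(root, encoding="unicode")


def parse_uid_message(xml_text):
    """Return [(name, ip), ...] from a uid-message; raises on malformed XML."""
    root = ET.fromstring(xml_text)
    if root.tag != "uid-message":
        raise ValueError("not a uid-message document")
    return [(e.get("name"), e.get("ip")) for e in root.iter("entry")]


def panos_request_body(xml_text, api_key):
    """Form-encoded body for POST https://<firewall>/api/ (assumed call shape:
    type=user-id plus key and cmd). Nothing is sent here."""
    return urlencode({"type": "user-id", "key": api_key, "cmd": xml_text})


if __name__ == "__main__":
    # Device-only template sends the machine account; the Intune template
    # sends the person who enrolled the device.
    print(parse_uid_message(expand(TEMPLATE_DEFAULT, SAMPLE_ATTRS)))
    print(parse_uid_message(expand(TEMPLATE_INTUNE, SAMPLE_ATTRS)))
    # Safe construction for an endpoint where Intune data is missing.
    attrs = {"user": "host/KIOSK-7.corp.example", "ip": "10.20.30.41"}
    msg = build_uid_message([(pick_username(attrs), attrs["ip"])])
    print(msg)
    print(panos_request_body(msg, "REPLACE-WITH-API-KEY"))
```

The caveat the example makes visible: the string-template form ClearPass uses performs no XML escaping, so a value with XML metacharacters would yield a message the firewall rejects, and a device with no Intune record would yield an empty name attribute; building the document from the resolved values and keeping a fallback covers both.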