Frequent Contributor I

Clearpass/Palo Alto Integration

Does the user account used to log into the firewall need to be a domain admin account?  I had this working fine until I removed domain admin rights from the service account used to log into the firewall.

Guru Elite

Re: Clearpass/Palo Alto Integration

No, you usually use a local admin user on the Palo.

| Tim Cappalli | Aruba Security | @timcappalli | |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Frequent Contributor I

Re: Clearpass/Palo Alto Integration

I think I know what's going on. It's a RADIUS auth acct and I have domain admins attached to allow on the backend server.


Re: Clearpass/Palo Alto Integration

I show in my latest TechNote how to utilize the PAN inbuilt domain RBAC to minimize the account privileges required for this account.


Can't understand why it would need domain admin rights, unless you have created some differing auth-profile/auth-sequence... Can you check that your auth sequence still checks the Local DB for your user?

Best Regards

ClearPass Product Manager

Frequent Contributor I

Re: Clearpass/Palo Alto Integration

I have enabled RADIUS auth only into the FW's (admin mgmt into the fw's).  In NPS (Server 2012), you can only add an AD group (as far as I understand).  That group seems to only work if in domain admins.
