Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass for VPN access

  • 1.  Clearpass for VPN access

    Posted Mar 05, 2015 02:18 PM

    I have my firewall for VPN users set up to do 802.1X auth (RADIUS) to ClearPass. I want to set up a second form of validation, for example 802.1X AD auth and machine auth together allow access/authorization for VPN user access. Can you point me in the right direction?



  • 2.  RE: Clearpass for VPN access

    EMPLOYEE
    Posted Mar 05, 2015 02:20 PM
    What type of VPN? This will all vary based on capabilities of your VPN solution.


  • 3.  RE: Clearpass for VPN access

    Posted Mar 05, 2015 02:24 PM
    Palo Alto and Cisco ASA. RADIUS auth preferred, but open to suggestions. I've seen PA integration with CPPM, but that requires particular licensing and HIT etc., which I don't want to do. Prefer to keep it simple if possible.

    Jeremy Rouse
    Technical Specialist II, Bird Rock Systems, Inc.
    Phone: (858) 346-1384

    "We Build Rock Solid Solutions"
    www.birdrockusa.com


  • 4.  RE: Clearpass for VPN access

    Posted Mar 05, 2015 04:01 PM

    You don't need any particular licensing for Palo Alto to use ClearPass as a RADIUS server.

    You can create a server profile in PA referencing the ClearPass servers and then create VPN / GlobalProtect profiles in PA that utilise this server group. The complex configuration is when you want to pass context data between the two systems for user / posture based firewall rules. This isn't necessary to implement basic VPN functionality.

    Scott


  • 5.  RE: Clearpass for VPN access

    Posted Mar 06, 2015 10:35 AM

    I've already set up the basic RADIUS profiles and that works. Now, for example, how do I configure ClearPass to require both user and machine auth for the VPN users?



  • 6.  RE: Clearpass for VPN access

    Posted Mar 06, 2015 12:03 PM

    my,

    I just want to add that for the basic level of integration between CPPM & PANW no special licensing is required.

    Follow my PANW/CPPM integration guide that covers the basic userid config and you'll get username/domain/SRC IP@/device-type (generic).



  • 7.  RE: Clearpass for VPN access

    EMPLOYEE
    Posted Mar 06, 2015 12:27 PM

    Is your VPN client capable of doing machine authentication?

    If not, you'll have to use some logic in the Endpoints Repository to mimic this functionality.



  • 8.  RE: Clearpass for VPN access

    EMPLOYEE
    Posted Jun 11, 2019 12:55 PM

    Hi Danny,

    I already saw your PANW/CPPM Integration Guide and it is great.

    Do you maybe have an ASA/CPPM integration guide for OnGuard scenarios?

    I already checked the documentation section on the Aruba Support webpage but cannot see any tech note related to it.

    It would be very helpful.

    Thanks in advance.