Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Modifying username passed on from ClearPass to PaloAlto by XML API

  • 1.  Modifying username passed on from ClearPass to PaloAlto by XML API

    Posted Aug 09, 2016 09:01 AM

    We're configuring the ClearPass and PaloAlto UserID-integration as described in http://www.arubanetworks.com/assets/pso/TechNote_ArubaAndPaloAltoNetworksIntegration.pdf. As stated on pages 15-16 there are several options for the Username Transformation, but none of those suits our needs...

    Non-domain clients use their e-mail address, which is the UPN (UserPrincipalName), in the longer firstname.lastname@externaldomain.com format, but for UserID to work we need the internaldomain\shortusername format. Both "None" and "Prefix NetBIOS name" use the externaldomain as a prefix, and "Use full username" retains the longer firstname.lastname part.

    The information we want to pass on to PaloAlto is known by ClearPass:

    Authentication:NetBIOS-Name
    Authorization:[our AD auth source]:sAMAccountName.

    I think we can put those two fields together in one field; the problem is I don't know how to pass on the right information from ClearPass: how can we select this information in the ClearPass attributes to be used by the XML API?

    I messed around with the information in http://www.arubanetworks.com/assets/pso/PSO_PANWandCPPM.pdf and using a Session-Check, Username = %{Authentication:NetBIOS-Name}\%{Authorization:[our AD auth source]:sAMAccountName} but that doesn't seem to have any effect on the data transferred using the XML API.

    Any suggestions? Any similar experiences? Or is this impossible to accomplish?



  • 2.  RE: Modifying username passed on from ClearPass to PaloAlto by XML API

    Posted Aug 22, 2016 06:41 AM

    Using the Session-Check, Username = %{Authentication:NetBIOS-Name}\%{Authorization:[our AD auth source]:sAMAccountName} seems to work to concatenate that data, but I don't know yet if this field is used as input for the PaloAlto.

    On another note: I can add multiple PaloAlto Firewalls as Endpoint context servers, but how do I update them both using Session-Notify? Server-IP only accepts one IP and I can't add a second Session-Notify:Server-IP.



  • 3.  RE: Modifying username passed on from ClearPass to PaloAlto by XML API

    Posted Aug 24, 2016 10:47 AM

    There are three options when it comes to passing the username to the Palo Alto Networks Firewall endpoint context server, available in the "Username Transformation" field: None, Prefix NETBIOS name or Use Full Username. But two questions arise:
    1) do they all three use the same Username attribute and modify it accordingly? If this is the case: which Username attribute is used? There's Endpoint:Username, Radius:IETF:User-Name received from the client, Radius:IETF:User-Name sent back from CPPM, Authentication:Full-Username, Authentication:Username,...
    2) do those three options refer to different username attributes? And which are they?

    The document "PANW and CPPM Advanced Deployment use-case TechNote (V2-July 2014).pdf" (http://www.arubanetworks.com/assets/pso/PSO_PANWandCPPM.pdf, page 19) suggests Radius:IETF:User-Name is used, but I'm not sure this is correct as the document doesn't cover CPPM 6.5, and it doesn't seem to work when I test it.

    If I modify the Radius:IETF:User-Name to reflect the desired formatting of domain and sAMAccountname, I can see this in the RADIUS Response, but there is nothing published to Palo Alto anymore.



  • 4.  RE: Modifying username passed on from ClearPass to PaloAlto by XML API

    Posted Sep 20, 2016 10:00 AM

    Am I really the only one with this problem? Or do I have to create a support case to get an answer?

    Let's say UPN is 'first.last@domain.com' and sAMAccountName is 'flast' and domain is INTERNAL. The PaloAlto needs INTERNAL\flast to make user-based policies work, as described in the Tech Notes.

    By using

    (|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))(&(objectClass=user)(userPrincipalName=%{Authentication:Username})))

    Our users can authenticate using either INTERNAL\flast (used mostly by Windows workstations) or first.last@domain.com (mostly used by BYOD, smartphones etc.). When they use first.last@domain.com, we have to do some tricks to make INTERNAL\flast appear in PaloAlto. The first steps I have already described above: we can get the NetBIOS Name and sAMAccountName from the Authentication- and Authorization-sources.

    Next step: in ClearPass we can modify the Radius:IETF:User-Name to send the correct INTERNAL\flast in the RADIUS Reply, and ClearPass can also modify the Endpoint:Username.

    Last step is to send the correct contents of these fields through the PaloAlto-integration... But that's what fails.

    When a client uses first.last@domain.com to authenticate, I can find my modified output for Endpoint:Username and Radius:IETF:User-Name in the RADIUS Response (in the Request Details in the Access Tracker).

    The ClearPass-PaloAlto-integration sends domain\first.last, or only first.last, so it must use one of these fields:

    Radius:IETF:User-Name (from the RADIUS Request)
    Authentication:Full-Username (from Computed Attributes)
    Authentication:Username (from Computed Attributes)

    Is there any way to modify these Authentication:(Full-)Username fields, and are these the fields used by the ClearPass-PaloAlto-integration?

    Otherwise I'll have to conclude the ClearPass + Palo Alto integration is useless in our scenario, because it has no option to control what is used as the Username-data.

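The transformation the post above is trying to get out of ClearPass, written out as an added example (this is not code from the thread, ClearPass or Palo Alto): take whichever identity the client authenticated with, resolve it through the same sAMAccountName-or-userPrincipalName match as the LDAP filter in the post, and emit NETBIOS\sAMAccountName for User-ID. The directory entries, the NetBIOS name INTERNAL and the UPN suffix domain.com are constructed from the values in the post; a login carrying a different domain prefix is refused rather than silently remapped onto INTERNAL.

```python
"""Added example (not from the thread): build the DOMAIN\\sAMAccountName form that
PAN-OS User-ID expects from the identity a client actually authenticated with.
The directory below is constructed sample data; the NetBIOS name "INTERNAL" and
the UPN suffix "domain.com" are assumed values taken from the post."""

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AdUser:
    sam_account_name: str
    user_principal_name: str


# Constructed stand-in for the AD authorization source.
DIRECTORY = [
    AdUser("flast", "first.last@domain.com"),
    AdUser("jdoe", "jane.doe@domain.com"),
]

NETBIOS_NAME = "INTERNAL"  # assumed value of Authentication:NetBIOS-Name


def lookup(username: str) -> Optional[AdUser]:
    """Mirror the LDAP filter from the post:
    (|(&(objectClass=user)(sAMAccountName=X))(&(objectClass=user)(userPrincipalName=X)))
    AD compares both attributes case-insensitively, hence casefold()."""
    needle = username.casefold()
    for user in DIRECTORY:
        if needle in (user.sam_account_name.casefold(), user.user_principal_name.casefold()):
            return user
    return None


def split_identity(authenticated_as: str) -> tuple:
    """Return (domain_prefix_or_None, search_value).
    DOMAIN\\user  -> ("DOMAIN", "user")
    user@realm    -> (None, "user@realm")   # UPN is matched whole by the filter
    user          -> (None, "user")"""
    if "\\" in authenticated_as:
        domain, _, user = authenticated_as.partition("\\")
        return domain, user
    return None, authenticated_as


def userid_name(authenticated_as: str) -> Optional[str]:
    """NETBIOS\\sAMAccountName for the User-ID mapping, or None when the login
    cannot be tied to a user in the internal domain (never publish a guess)."""
    domain, search_value = split_identity(authenticated_as)
    if domain is not None and domain.casefold() != NETBIOS_NAME.casefold():
        return None  # foreign-domain login: do not remap it onto INTERNAL
    user = lookup(search_value)
    if user is None:
        return None
    return f"{NETBIOS_NAME}\\{user.sam_account_name}"


if __name__ == "__main__":
    for ident in ("first.last@domain.com", "INTERNAL\\flast", "flast",
                  "OTHER\\flast", "nobody@domain.com"):
        print(f"{ident:24} -> {userid_name(ident)}")
```

Whatever attribute the context server finally reads, the value it needs is the output of userid_name(); the example makes the two failure cases explicit (unknown user, login from a domain other than INTERNAL) so that no mapping is pushed to User-ID for them.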


  • 5.  RE: Modifying username passed on from ClearPass to PaloAlto by XML API

    Posted Apr 20, 2018 09:44 AM

    Yup, all the same problems here. What should the ClearPass box be sending back to Palo Alto to get these names to show up? I have been trying everything I can think of for weeks.



  • 6.  RE: Modifying username passed on from ClearPass to PaloAlto by XML API

    Posted Nov 30, 2018 02:31 PM

    Check the box "Strip Username Rules" and write user:@ into the blank space. This configuration must be applied in the following path:

    Configuration > Services > "ServiceName" > Authentication

    Best regards.

    Javier Martinez
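To see what the "Strip Username Rules" entry from the reply above does to the identities discussed in this thread, here is an added model of the rule semantics (example code, not part of the thread or of ClearPass). It follows the documented forms user:@ (keep the text left of the @) and \:user (keep the text right of the backslash); splitting on the first occurrence of the separator and comma-separated chaining of several rules are assumptions. Note the string result: user:@ turns first.last@domain.com into first.last, the UPN prefix, which only equals the sAMAccountName (flast in the post's example) where the two are provisioned identically.

```python
"""Added example, not from the thread: model of a ClearPass 'Strip Username Rules'
entry applied to the usernames discussed above. 'user:<sep>' keeps what is left of
<sep>; '<sep>:user' keeps what is right of <sep>. First-occurrence splitting and
comma-separated chaining are assumptions of this model."""


def apply_strip_rule(username: str, rule: str) -> str:
    """Apply one rule of the form 'user:<sep>' or '<sep>:user'.
    A username that does not contain the separator is returned unchanged."""
    left, colon, right = rule.partition(":")
    if not colon:
        raise ValueError(f"malformed strip rule {rule!r}")
    if left == "user" and right:            # user:@   -> text before '@'
        head, found, _ = username.partition(right)
        return head if found else username
    if right == "user" and left:            # \:user   -> text after '\'
        _, found, tail = username.partition(left)
        return tail if found else username
    raise ValueError(f"unsupported strip rule {rule!r}")


def strip_username(username: str, rules: str) -> str:
    """Apply a comma-separated list of rules in order (assumed chaining)."""
    for rule in (r.strip() for r in rules.split(",") if r.strip()):
        username = apply_strip_rule(username, rule)
    return username


def matches_sam_account_name(username: str, rules: str, sam_account_name: str) -> bool:
    """Check whether the stripped value is the sAMAccountName the firewall needs."""
    return strip_username(username, rules).casefold() == sam_account_name.casefold()


if __name__ == "__main__":
    # Constructed inputs from the thread: UPN login, domain login, sAMAccountName flast.
    for ident, rules in (("first.last@domain.com", "user:@"),
                         ("INTERNAL\\flast", "\\:user"),
                         ("INTERNAL\\first.last@domain.com", "\\:user,user:@")):
        stripped = strip_username(ident, rules)
        print(f"{ident:32} {rules:14} -> {stripped!r}  "
              f"equals flast: {matches_sam_account_name(ident, rules, 'flast')}")
```

Run it and the last column shows the practical check before relying on this setting: the rule alone gives the expected sAMAccountName only for the INTERNAL\flast form; for the UPN form the stripped value is first.last, so the directory attribute (sAMAccountName) still has to be consulted to reach flast.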