Security

Hello,

I had an interesting request crop up from a customer.. They would like to use ClearPass and Palo Alto Panorama to centralize their security policy enforcements. They are using Palo Alto firewalls for their layer 3 boundaries / VLAN termination at all sites globally.

Currently, we're passing CPPM enforcements and Aruba roles on the wireless side to manage security and VLAN enforcements for wired. The theory is that all this could be done in PA.

From what I can tell from the integration guide, CPPM will natively pass user roles but not enforcement "roles" or groups. I'm wondering if there might be a way to sort users into custom groups as part of policy enforcements using PA's XML API to achieve the desired goals? This seems like it should be possible.. Something along the lines of manually passing certain pre-defined tags should work just not the automated role mappings.

Does anyone have any suggestions on this? May open a TAC case but thought I'd reach out to the community first. Role mappings are helpful but don't 'get to 100% when we leverage additional logic in CPPM enforcements. Also, I think this would be a great feature request!

Thanks in advance!

@dannyjump, can you offer any insight on this?

Just giving this another nudge :)

REgan,

I am a little confused here with this statement :

From what I can tell from the integration guide, CPPM will natively pass user roles but not enforcement "roles" or groups.

Using the integration we can pass or send Roles from ClearPass that are mapped to DAGs/Tags on Palo Alto. Could you probably give an example of what change are you specifically looking for and why?

- Arpit

I actually reached out to the Aruba product engineering team on this directly. - I didn't know if there were any custom attributes that could be passed at the time of enforcement to capture CPPM's enforcement logic and not just the role mappings.

It also seems that there's no way to change or add a role at the time of enforcement so according to the official integration guide, I'm liminted to the and/or logic in Palo Alto's address groups.

Curious if you ever found a way to enforce a user role/user group on PaloAlto with attributes sent back by ClearPass. I reached out to Palo Alto about this and they didn't have any ideas on attributes that could do this. I am looking at this document trying to decypher hyroglifics but maybe someone with more know how could figure it out.

Palo Alto Networks Knowledgebase: How to Configure User-Group Based VPN Authentication Using Secure RSA

My situation is that GlobalProtect is configured with RADIUS authentication. It either allows or disallows which is fine for now. However if I would like to give contractors or regular users VPN access, I would like to cordon off some sections of the network just in case. It looks like Palo will take LDAP strings/groups  and then you can configure your policy around the LDAP strings. There is a setting in Palo to import RADIUS groups but that is as close as I got to it. Thanks if anyone can figure it out.