Hello,
I had an interesting request crop up from a customer. They would like to use ClearPass and Palo Alto Panorama to centralize their security policy enforcements. They are using Palo Alto firewalls for their layer 3 boundaries / VLAN termination at all sites globally.
Currently, we're passing CPPM enforcements and Aruba roles on the wireless side to manage security and VLAN enforcements for wired. The theory is that all this could be done in PA.
From what I can tell from the integration guide, CPPM will natively pass user roles but not enforcement "roles" or groups. I'm wondering if there might be a way to sort users into custom groups as part of policy enforcements using PA's XML API to achieve the desired goals? This seems like it should be possible. Something along the lines of manually passing certain pre-defined tags should work, just not the automated role mappings.
Does anyone have any suggestions on this? May open a TAC case but thought I'd reach out to the community first. Role mappings are helpful but don't get to 100% when we leverage additional logic in CPPM enforcements. Also, I think this would be a great feature request!
Thanks in advance!