Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Palo Alto and Clearpass Guest Mac Caching User-ID issue

  • 1.  Palo Alto and Clearpass Guest Mac Caching User-ID issue

    Posted May 05, 2020 03:44 PM

    Hi,

    I have an issue with Palo Alto and Clearpass Guest Mac Caching integration.

    In the first authentication (PAP – Captive Portal) everything works fine, the user is sent to Palo Alto.

    The issue is in the MAC Authentication service: when the user returns and re-authenticates, ClearPass sends the “mac-address” instead of the "device username".

    I read some integration documents (https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=14554), and I noticed that they suggest the use of “Session-Check::Username = %{Endpoint:Username}” in the Palo Alto Enforcement Profile, as shown in the image below,

    4.png

     

    In the Access Tracker everything seems to be OK, see the image below,

    5.png

     

    Palo Alto user-id log,

    6.png

    Does anyone have this scenario with this problem?

    Thanks,



  • 2.  RE: Palo Alto and Clearpass Guest Mac Caching User-ID issue

    Posted May 05, 2020 10:58 PM

    You need to follow the DOC I wrote several years back to get the USERID sent to the PANW, not the mac-address, for the mac-auth session.



  • 3.  RE: Palo Alto and Clearpass Guest Mac Caching User-ID issue

    Posted May 06, 2020 11:19 AM

    Hi Dannyjump,

    Thanks for the quick response.

    I read your document; it's a great guide and helped me with the integration, thanks.

     

    In the document you explain exactly the problem I'm facing, and I understand that the solution is simple and has two key points:

    1. “Force the NAS device to send a username not a MAC address in the Interim Accounting Updates.”  Radius:IETF:Username = %{Endpoint:Username}

    2. “The second is to use a new Session-Check attribute, as part of the PANW UserID XMLAPI update enforcement profile.” Session-Check::Username = %{Endpoint:Username}

    Obs. One detail I noticed was the attribute Session-Check::IP-Address-Change-Notify; in version 6.8.5 this value no longer exists,

     

    10.png

     

    So I added the two attributes below,

    100.png

    _______________

     

    Below are my Enforcement Profiles sent in the User Authentication and MAC Authentication services.

     

    USER AUTH W/ MAC CACHING SERVICE

    I send three key Enforcement Profiles: the first sends the Aruba-User-Role to the Aruba controller, the second updates the device attributes in the Endpoint Repository, and the third sends updates to Palo Alto.

     

    1. “Aruba-User-Role”

     

    11.png

    2. “Update Endpoint Repository”

    12.png

     

    3. “Send Palo Alto Update”

     

    13.png

    As I mentioned earlier, so far everything works fine; the user is sent to Palo Alto perfectly. Below is the information for the MAC Authentication service,

     

    MAC-AUTH SERVICE

    For the MAC Authentication service I send only two Enforcement Profiles: the first sends the Aruba-User-Role to the Aruba controller and replaces the default Radius:IETF:Username (MAC address) with the Endpoint Username that was entered by the previous service, and the second sends updates to Palo Alto.

     

    1. “Aruba-User-Role + Change Radius:IETF::Username”

    14.png

     

    2. “Send Palo Alto Update”

    15.png

     

    In the Access Tracker on the Output tab, the result of this Enforcement Profile is the image below,

    16.png

    _____________________

     

    I ran some tests this morning and we can see the Access Tracker and Palo Alto User-ID logs match; they are correct, but in the last logs the username should be presented instead of the MAC address.

     

    ACCESS TRACKER

    200.png

     

    PALO ALTO USER-ID

    201.png

     

    Thanks,



  • 4.  RE: Palo Alto and Clearpass Guest Mac Caching User-ID issue

    Posted May 07, 2020 12:39 PM

    So a couple of things.... firstly, we have a new CONSOLIDATED UPDATED PANW GUIDE coming very soon that will combine the PANW Guide + Advanced Guide {that is very old as you point out :)} + GPVPN/OnGuard Guide.....

     

    Now to the above, can you please expand on:

     

    "I ran some tests this morning and we can see the Access Tracker and Palo Alto User-ID logs match, they are correct, but in the last logs the username should be presented instead of the mac-address"



  • 5.  RE: Palo Alto and Clearpass Guest Mac Caching User-ID issue

    Posted May 07, 2020 03:58 PM

    Great news about the advanced guide.

    But about the configuration and the screenshots above, do you have any suggestions?

    I just want to reinforce that in the first authentication ClearPass sent the user name as expected; however, in the re-authentication it is sending the MAC address of the device.

     

    In the first ClearPass log at 09:48:44 I used web login, so I used the User Authentication with MAC Caching service; the user was sent to Palo Alto at 09:49:08.

    In the last ClearPass log at 10:14:07 I forced re-authentication, so I used the MAC Authentication service; the MAC address was sent to Palo Alto at 10:14:39.

     

    ACCESS TRACKER

    1.png

     

    PALO ALTO USER-ID

    2.png

     

     

    Thanks,



  • 6.  RE: Palo Alto and Clearpass Guest Mac Caching User-ID issue

    Posted May 07, 2020 08:52 PM

    The quality of the images was not good. Was Solved.



  • 7.  RE: Palo Alto and Clearpass Guest Mac Caching User-ID issue
    Best Answer

    Posted May 08, 2020 11:00 AM

    Hi Danny,

     

    Talking to a friend yesterday (@phk), we concluded that the problem is in the User Transformation in Administration » External Servers » Endpoint Context Servers: when we use the default option “User Transformation :: Use Full Username”, ClearPass sends the MAC address to Palo Alto.

     

    297.png

    PALO ALTO USER-ID

    300.png

     

    PALO ALTO TRAFFIC LOGS

    301.png

     

    The solution was to change the user transformation parameter to “User Transformation :: None” (the NetBIOS name prefix also works).

     

    298.png

    Changing the user transformation to None, my Palo Alto Update Enforcement Profile is the same in both services, User Authentication w/ MAC Caching and MAC Authentication.

     

    296.png

     

    PALO ALTO USER-ID

    500.png

     

    PALO ALTO TRAFFIC LOGS

    501.png

    ___________________________________________________________________________________________________

     

    Another way to solve the problem using “User Transformation :: Full Username” was to create two new “Palo Alto Context Server Actions” specific to MAC-AUTH.

     

    1003.png

     

    I just duplicated the Context Server Actions “Send Login Info” and “Send Logout Info”, and changed the attribute name="%{user}" to name="%{Endpoint:Username}".

     

    SEND DEVICE LOGIN INFO (MAC-AUTH)

    1007.png

     

    1001.png

     

    SEND DEVICE LOGOUT INFO (MAC-AUTH)

    1006.png

     

    1004.png

     

    For the Enforcement Profile of the MAC-Authentication service we need to remove the original Login and Logout Context Server Actions and insert the new ones.

     

    1007.png

    ___________________________________________________________________________________________________

     

    I believe that the initial solution of changing User Transformation to “User Transformation :: None” is the more recommended one.

    Thanks!
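
The following is an added example, not code from this thread and not ClearPass or PAN-OS code: a small Python script that builds the PAN-OS User-ID XML API `uid-message` that a context server action such as “Send Login Info” ultimately posts, chooses the mapped name the way the two services above do (RADIUS username versus Endpoint:Username), and flags any mapping whose `name` is a MAC address, which is the symptom the thread describes (a MAC address as the User-ID name matches no user-based rule on the firewall). The session records, IP address and username are constructed for the example; the payload shape (`<uid-message>` with `<login>`/`<logout>` entries carrying `name`, `ip` and `timeout`) is the documented PAN-OS User-ID API format; ClearPass’s own attribute handling (the User Transformation setting) is only simulated by the `use_endpoint_username` switch.

```python
"""Added example (not ClearPass or PAN-OS code): build the PAN-OS User-ID
XML API message a NAC posts for a session, and detect the failure mode in
this thread, a MAC address being sent as the User-ID name."""
import re
import xml.etree.ElementTree as ET

# Constructed sample sessions standing in for what ClearPass knows. The
# MAC-auth record is a re-authentication of the same endpoint: its RADIUS
# username is the MAC, while Endpoint:Username still holds the user cached
# at the captive-portal login.
CAPTIVE_PORTAL_SESSION = {
    "radius_username": "jdoe",
    "endpoint_username": "jdoe",
    "ip": "10.10.20.15",
}
MAC_AUTH_SESSION = {
    "radius_username": "00:11:22:33:44:55",
    "endpoint_username": "jdoe",
    "ip": "10.10.20.15",
}

# MAC address in colon-, hyphen- or dot-separated form, or bare 12 hex digits.
_MAC_RE = re.compile(
    r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$"
    r"|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$"
    r"|^[0-9a-f]{12}$",
    re.IGNORECASE,
)


def is_mac(name: str) -> bool:
    """True if the User-ID name looks like a MAC address rather than a username."""
    return bool(_MAC_RE.match(name.strip()))


def pick_userid_name(session: dict, use_endpoint_username: bool = True) -> str:
    """Choose the name to map. True stands in for the working configuration
    (%{Endpoint:Username}, User Transformation set to None); False stands in
    for sending the RADIUS username, which on a MAC-auth session is the MAC."""
    if use_endpoint_username and session.get("endpoint_username"):
        return session["endpoint_username"]
    return session["radius_username"]


def build_uid_message(logins, logouts=(), timeout_min: int = 60) -> str:
    """Serialise (name, ip) login/logout mappings as a PAN-OS <uid-message>."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    if logins:
        login = ET.SubElement(payload, "login")
        for name, ip in logins:
            ET.SubElement(login, "entry", name=name, ip=ip, timeout=str(timeout_min))
    if logouts:
        logout = ET.SubElement(payload, "logout")
        for name, ip in logouts:
            ET.SubElement(logout, "entry", name=name, ip=ip)
    return ET.tostring(root, encoding="unicode")


def mac_mapped_entries(xml_text: str):
    """Return (name, ip) for every entry whose name is a MAC address: the check
    to run on what the NAC sends before trusting user-based firewall policy."""
    root = ET.fromstring(xml_text)
    return [(e.get("name"), e.get("ip"))
            for e in root.iter("entry") if is_mac(e.get("name", ""))]


def demo():
    """Same MAC-auth session mapped both ways; returns the flagged entries."""
    ip = MAC_AUTH_SESSION["ip"]
    broken = build_uid_message([(pick_userid_name(MAC_AUTH_SESSION, False), ip)])
    fixed = build_uid_message([(pick_userid_name(MAC_AUTH_SESSION), ip)])
    return mac_mapped_entries(broken), mac_mapped_entries(fixed)


if __name__ == "__main__":
    bad, good = demo()
    print("RADIUS username mapped:", bad)      # [('00:11:22:33:44:55', '10.10.20.15')]
    print("Endpoint:Username mapped:", good)   # []
```

In a real deployment the message is sent as an HTTP POST to `https://<firewall>/api/?type=user-id&key=<api-key>` with the XML in the `cmd` form parameter, and the result can be checked on the firewall with `show user ip-user-mapping all`; `mac_mapped_entries` is the same check applied to the outgoing payload, so a regression to MAC-as-username (for example after a User Transformation change) is caught before it reaches policy.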



  • 8.  RE: Palo Alto and Clearpass Guest Mac Caching User-ID issue

    Posted Nov 11, 2020 09:50 PM

    Hello Danny,

    Is there available the new guide? I'm struggling trying to configure Mac Authentication on a 6.8 CPPM and Panorama. I just see the sessions established but no mapping is seen. The configuration is fairly simple: just to see the Macs and permit specific rules for them according to the role-address group matching.

    Thanks in advance for your help.

    ------------------------------
    Jaime Pedraza
    ------------------------------



  • 9.  RE: Palo Alto and Clearpass Guest Mac Caching User-ID issue

    EMPLOYEE
    Posted Nov 12, 2020 09:00 AM

    The latest Palo Alto Integration document was dated June 2020 and posted last month to: https://www.arubanetworks.com/clearpassdocs

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC.
    ------------------------------