Occasional Contributor II

Palo Alto and Clearpass Guest Mac Caching User-ID issue

Hi,

I have an issue with Palo Alto and Clearpass Guest Mac Caching integration.

In the first authentication (PAP – Captive Portal) everything works fine, the user is sent to Palo Alto.

The issue is in the MAC-Authentication Service: when the user returns and reauthenticates, ClearPass is sending the "mac-address" instead of the "device username".

I read some integration documents (https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=14554), and I noticed that they suggest the use of `Session-Check::Username = %{Endpoint:Username}` in the Palo Alto Enforcement Profile, as shown in the image below,

[image: 4.png]

In the Access Tracker everything seems to be OK, follow the image below,

[image: 5.png]

Palo Alto user-id log,

[image: 6.png]

Does anyone have this scenario with this problem?

Thanks,

Network Engineer | ACMP | ACSP | ACEP | ACCX#1231

Accepted Solutions
Occasional Contributor II

Re: Palo Alto and Clearpass Guest Mac Caching User-ID issue

Hi Danny,

Talking to a friend yesterday (@phk), we concluded that the problem is in the User Transformation in Administration » External Servers » Endpoint Context Servers: when we use the default option “User Transformation :: Use Full Username”, ClearPass sends the MAC address to Palo Alto.

[image: 297.png]

PALO ALTO USER-ID

[image: 300.png]

PALO ALTO TRAFFIC LOGS

[image: 301.png]

The solution was to change the user transformation parameter to “User Transformation :: None” (the NetBIOS name prefix also works).

[image: 298.png]

After changing the user transformation to None, my Palo Alto Update Enforcement Profile is the same in both services, User Authentication w/ Mac Caching and Mac-Authentication.

[image: 296.png]

PALO ALTO USER-ID

[image: 500.png]

PALO ALTO TRAFFIC LOGS

[image: 501.png]

___________________________________________________________________________________________________

Another way to solve the problem while keeping “User Transformation :: Full Username” was to create two new “Palo Alto Context Server Actions” specific to MAC-AUTH.

[image: 1003.png]

I just duplicated the Context Server Actions “Send Login Info” and “Send Logout Info”, and changed the attribute `name="%{user}"` to `name="%{Endpoint:Username}"`.

SEND DEVICE LOGIN INFO (MAC-AUTH)

[image: 1007.png]

[image: 1001.png]

SEND DEVICE LOGOUT INFO (MAC-AUTH)

[image: 1006.png]

[image: 1004.png]

For the Enforcement Profile of the MAC-Authentication service we need to remove the original Login and Logout Context Server Actions and insert the new ones.

[image: 1007.png]

___________________________________________________________________________________________________

I believe that the initial solution of changing User Transformation to “User Transformation :: None” is more recommended.

Thanks!

Network Engineer | ACMP | ACSP | ACEP | ACCX#1231

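As an added illustration (not code from the thread, from ClearPass or from Palo Alto), the block below renders the two Context Server Action templates described in the accepted solution against a constructed MAC-auth attribute context, then scans the resulting User-ID XML for login entries whose user name is a MAC address, which is the symptom the thread describes. The `%{attr}` placeholder syntax, the attribute names and the trimmed `uid-message` body are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed attribute context for a MAC-auth re-authentication, as in the thread:
# the RADIUS username is the device MAC, while the cached Endpoint:Username holds
# the real user from the earlier captive-portal login.
MAC_AUTH_CONTEXT = {
    "user": "aabbccddeeff",
    "ip": "10.0.0.16",
    "Endpoint:Username": "jdoe",
}

# Two constructed login-action bodies in the PAN-OS User-ID XML shape, mirroring the
# thread's fix of changing name="%{user}" to name="%{Endpoint:Username}"; the real
# ClearPass action carries more fields, so these are hypothetical simplifications.
LOGIN_ACTION_DEFAULT = (
    '<uid-message><version>1.0</version><type>update</type><payload><login>'
    '<entry name="%{user}" ip="%{ip}" timeout="60"/></login></payload></uid-message>'
)
LOGIN_ACTION_FIXED = LOGIN_ACTION_DEFAULT.replace("%{user}", "%{Endpoint:Username}")

_PLACEHOLDER = re.compile(r"%\{([^}]+)\}")
# Matches aabbccddeeff, aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff and aabb.ccdd.eeff.
_MAC = re.compile(
    r"^(?:[0-9a-f]{12}|(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})$",
    re.I,
)

def render_action(template, ctx):
    """Expand %{attr} placeholders the way a context server action template is rendered."""
    return _PLACEHOLDER.sub(lambda m: ctx.get(m.group(1), ""), template)

def mac_named_entries(uid_xml):
    """Return (section, ip, name) for User-ID entries whose 'name' is a MAC address."""
    root = ET.fromstring(uid_xml)
    found = []
    for section in ("login", "logout"):
        for entry in root.iterfind(f"./payload/{section}/entry"):
            name = entry.get("name", "")
            if _MAC.match(name):
                found.append((section, entry.get("ip"), name))
    return found

def check_action(template, ctx=MAC_AUTH_CONTEXT):
    """Render the action for the MAC-auth request and report MAC-as-username mappings."""
    return mac_named_entries(render_action(template, ctx))

if __name__ == "__main__":
    print("default:", check_action(LOGIN_ACTION_DEFAULT))  # [('login', '10.0.0.16', 'aabbccddeeff')]
    print("fixed:  ", check_action(LOGIN_ACTION_FIXED))    # []
```

The same `mac_named_entries` check can be pointed at the XML bodies ClearPass actually posts (visible in the Access Tracker Output tab) to confirm a deployment is no longer mapping MAC addresses as users.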


All Replies
Moderator

Re: Palo Alto and Clearpass Guest Mac Caching User-ID issue

You need to follow the DOC I wrote several years back to get the USERID sent to the PANW, not the mac-address, for the mac-auth session.


Best Regards
-d

ClearPass Product Manager

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Occasional Contributor II

Re: Palo Alto and Clearpass Guest Mac Caching User-ID issue

Hi Dannyjump,

Thanks for the quick response.

I read your document; it's a great guide and helped me with the integration, thanks.

In the document you explain exactly the problem I'm facing, and I understand that the solution is simple and has two key points,

1. “Force the NAS device to send a username not a MAC address in the Interim Accounting Updates.” `Radius:IETF:Username = %{Endpoint:Username}`

2. “The second is to use a new Session-Check attribute, as part of the PANW UserID XMLAPI update enforcement profile.” `Session-Check::Username = %{Endpoint:Username}`

Obs. One detail I noticed was the attribute `Session-Check::IP-Address-Change-Notify`; in version 6.8.5 this value no longer exists,

[image: 10.png]

So I added the two attributes below,

[image: 100.png]

_______________

Below are my Enforcement Profiles sent in the User Authentication and MAC-Authentication services.

USER AUTH W/ MAC CACHING SERVICE

I send three key Enforcement Profiles: the first sends the Aruba-User-Role to the Aruba controller, the second updates the device attributes in the Endpoint Repository, and the last sends updates to Palo Alto.

1. “Aruba-User-Role”

[image: 11.png]

2. “Update Endpoint Repository”

[image: 12.png]

3. “Send Palo Alto Update”

[image: 13.png]

As I mentioned earlier, so far everything works fine; the user is sent to Palo Alto perfectly. Below is the information for the Mac Authentication service,

MAC-AUTH SERVICE

For the Mac-Authentication Service I send only two Enforcement Profiles: the first sends the Aruba-User-Role to the Aruba controller and replaces the default RADIUS-IETF Username (mac-address) with the Endpoint Username that was entered by the previous service, and the last sends updates to Palo Alto.

1. “Aruba-User-Role + Change Radius:IETF::Username”

[image: 14.png]

2. “Send Palo Alto Update”

[image: 15.png]

In the Access Tracker on the Output tab, the result of this Enforcement Profile is the image below,

[image: 16.png]

_____________________

I ran some tests this morning, and we can see that the Access Tracker and Palo Alto User-ID logs match; they are correct, but in the last logs the username should be presented instead of the mac-address.

ACCESS TRACKER

[image: 200.png]

PALO ALTO USER-ID

[image: 201.png]

Thanks,

Network Engineer | ACMP | ACSP | ACEP | ACCX#1231
Moderator

Re: Palo Alto and Clearpass Guest Mac Caching User-ID issue

So a couple of things.... firstly, we have a new CONSOLIDATED UPDATED PANW GUIDE coming very soon that will combine the PANW Guide + Advanced Guide {that is very old as you point out :)} + GPVPN/OnGuard Guide.....

Now to the above, can you please expand on:

"I ran some tests this morning and we can see the Access Tracker and Palo Alto User-ID logs match, they are correct, but in the last logs the username should be presented instead of the mac-address"


Best Regards
-d

ClearPass Product Manager

Occasional Contributor II

Re: Palo Alto and Clearpass Guest Mac Caching User-ID issue

Great news about the advanced guide.

But about the configuration and the prints above, do you have any suggestions?


I just want to reinforce that in the first authentication ClearPass sent the user name as expected; however, in the re-authentication it is sending the mac-address of the device.

In the first ClearPass log at 09:48:44 I used web login, so I used the User Authentication with MAC Caching service; the user was sent to Palo Alto at 09:49:08.

In the last ClearPass log at 10:14:07 I forced re-authentication, so I used the MAC Authentication service; the MAC address was sent to Palo Alto at 10:14:39.

ACCESS TRACKER

[image: 1.png]

PALO ALTO USER-ID

[image: 2.png]

Thanks,

Network Engineer | ACMP | ACSP | ACEP | ACCX#1231
Occasional Contributor II

Re: Palo Alto and Clearpass Guest Mac Caching User-ID issue

The quality of the images was not good. Was Solved.

Network Engineer | ACMP | ACSP | ACEP | ACCX#1231
