Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Passing AD Group information to Palo Alto via Clearpass - how?

  • 1.  Passing AD Group information to Palo Alto via Clearpass - how?

    Posted Oct 20, 2013 06:11 PM

    Has anyone found a way around this issue below (or, is it possible and I'm simply doing something wrong?)

    Summary of the issue - users connect using AD credentials via ClearPass, ClearPass sends information to the Palo Alto Firewall, and the Palo Alto Firewall uses those credentials in firewall rules to control internet access.

    The problem we have here is that when user information is sent from ClearPass to the Palo Alto, the user's AD GROUP is not sent.

    That is to say:

    STUDENT\JBLOGGS

    Gets passed to Palo Alto simply as:

    JBLOGGS

    Which makes it difficult to do the right user ID firewall rules on the Palo Alto.

    So, is this possible and we're just doing something wrong, or is there a way around it? We considered a workaround of assigning the different groups of users to different VLANs, but that just seemed far too messy and complicated.

    Cheers!



  • 2.  RE: Passing AD Group information to Palo Alto via Clearpass - how?

    Posted Oct 20, 2013 10:33 PM
    I can advise you we will add the functionality to pass the NT domain in the data we send to the PANW in 6.3. It will be an option to send or not send the domain info.

    Currently 6.3 is scheduled for release in December.


  • 3.  RE: Passing AD Group information to Palo Alto via Clearpass - how?

    Posted Oct 21, 2013 12:08 AM

    Appreciate the prompt response on that.

    Thanks!!



  • 4.  RE: Passing AD Group information to Palo Alto via Clearpass - how?

    Posted Apr 22, 2014 12:31 AM

    Hi,

    I was wondering if this update did go through in 6.3?

    Because I'm onsite with a customer doing a ClearPass/Palo Alto integration and I'm not seeing the NT domain info coming up in the Palo Alto logs.



  • 5.  RE: Passing AD Group information to Palo Alto via Clearpass - how?

    Posted Apr 22, 2014 01:23 AM

    Hello,

    Yes, we absolutely added this functionality into the 6.3.x release.

    Did you select the additional box in the PANW context configuration to tell CPPM to pass the DOMAIN information?

    What supplicant are you using.... is the DOMAIN being entered as part of the Username or is it configured in the supplicant?

    i.e. when the user signs in they need to enter DOMAIN/USERNAME..... we won't extract it from NT and append it to the username if they just use a username when they sign on..... makes sense?
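    As an added illustration (not code from this thread, nor from Aruba or Palo Alto), the behaviour described in the reply above modelled in Python: the domain reaches the firewall only when the user typed it and the "pass domain" option is on, and it is never looked up from AD. A small audit then flags User-ID entries that arrived with a bare username, which is the case the original poster's group-based rules cannot match. The mapping lines and the `send_domain` flag are constructed assumptions.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of User-ID mapping entries ("ip user") as an admin might
# export them from the firewall for review. Hypothetical data, not from the thread.
SAMPLE_MAPPINGS = [
    "10.1.2.3 STUDENT\\JBLOGGS",
    "10.1.2.4 JBLOGGS",
    "10.1.2.5 student\\STUDENTA",
    "10.1.2.6 STUDENTA",
]

def split_domain(username: str) -> Tuple[Optional[str], str]:
    """Split 'DOMAIN\\user' (or 'DOMAIN/user') into (domain, user).
    domain is None when the user typed only a bare username."""
    m = re.fullmatch(r"(?:([^\\/]+)[\\/])?([^\\/]+)", username)
    if not m:
        raise ValueError(f"unexpected username format: {username!r}")
    return m.group(1), m.group(2)

def user_id_as_sent(username: str, send_domain: bool) -> str:
    """Model the reply: the domain is forwarded only if the user entered it AND
    the 'pass domain' option is enabled; it is never extracted from NT/AD."""
    domain, user = split_domain(username)
    if send_domain and domain:
        return f"{domain}\\{user}"
    return user

def audit_mappings(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (ip, user) for entries with no domain prefix: rules written
    against DOMAIN\\user will not match these mappings."""
    missing = []
    for line in lines:
        ip, _, user = line.strip().partition(" ")
        domain, _ = split_domain(user)
        if domain is None:
            missing.append((ip, user))
    return missing

if __name__ == "__main__":
    for ip, user in audit_mappings(SAMPLE_MAPPINGS):
        print(f"{ip}: '{user}' mapped without a domain prefix")
```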



  • 6.  RE: Passing AD Group information to Palo Alto via Clearpass - how?

    Posted Apr 22, 2014 01:24 AM

    Take a look at my updated PANW/CPPM TechNote for details, which covers this....



  • 7.  RE: Passing AD Group information to Palo Alto via Clearpass - how?

    Posted Apr 22, 2014 01:55 AM

    aaaah okay, so if say, a student logs in, and they log in as "STUDENTA", that will just go through as such.

    They would have to make sure they log in as "student\STUDENTA" and then it would go through as such.

    Is that right?



  • 8.  RE: Passing AD Group information to Palo Alto via Clearpass - how?

    Posted Apr 22, 2014 01:59 AM
    Correct..!!

    Please excuse my errors as sent using my small useless keyboard on my smartphone.

    Regards
    --d

    Danny Jump | Technical Marketing Engineer - Networking Services | Aruba Networks
    o: 408-513-8938 (diverts to cell)
    e: danny@arubanetworks.com