Security

ClearPass Team,

 

Please find updated information and details related to ClearPass and Palo Alto Networks Integration, this is our V6 of this Integration guide.

 

In this release, I have re-wrote and updated a large section of this document to remove a lot of the ‘old’ PAN-OS 5.x integration information, we have also migrated the document to the new TechNote template.

 

More interestingly I have added a new section covering the new functionality related to passing ClearPass ROLE context/labels and how to configure the PANW to use this context [Dynamic Access Groups/TAGS] to drive enforcement in the firewall. This has long been a request from customers since our initial CPPM/PANW integration over 4 years ago.

 

You can find the document on the support site located here https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=25444

 

  

 

Happy reading – go fill your boots..!!….. comments and feedback/suggestions graciously accepted. 

 

HI Danny,

I implemented the integration between CPPM + PAN using  dot1x authentication and firewall policy using the roles. Fantastic !!

What about VPN client scenario implementation? If I undestand the lack of accounting, in this case, doesn't allow CPPM to generate XML API. Is it right?

Do you think it could be possible to use roles in firewall policy when client is connecing in VPN using global protect.

Thanks

Unfortunately, this is not possible today. Please note that GlobalProtect will use its own user authentication information for user-id.

Ciao,

at the and I did it. I used Ingress Events to match the login and logout and I used an enforcement via HTTP Generic API.

1) I configured Paloalto to send via syslog just two event login and logout;

2) I configured Ingress Events to match and I extracted the user and IP address released by Global protect;

3) I created two Endpoint Context Server Actions to send XML API (Register and Unregister) Dynamic Address Group.

4) At the end I created the enforcememnt profile.

 

When the user login CPPM sends the enforcement DAG Register API (I attached either  to the user's RADIUS authenticartion Enforcement and to Ingress Event). The first one is more reactive than the second one. When the user logoff, the Ingress Event sends the UnRegister API.

 

Thanks to the Aruba Community and to ClearPass Product!

I'm going writing a document regarding the configuration.

 

Hi ipagliani,

 

I'm wondering if you could shed more light on how you set up the ingress event matching? We're running into the same issue with GlobalProtect not sending RADIUS accounting data.

 

We've configured the syslog exports on Palo Alto on log-in / log-out events for VPN users but we can't seem to get the dictionary correct in CP to be able to match off Username / IP address.

 

Any insight you can provide would be appreciated!

 

Thanks!

I just found this and it looks like you'll be solving a few of my integration issues.

One question, is there an (another) update in the works?

CPPM 6.7 has some divergence from the version in your examples - starting on page 10 where there isn't a line reading "Enable Profile" for example.

The link does not work for me, as I get the following message, despite having an active support contract:

 

"This login is for users who have registered with Aruba Networks for online web services as an ArubaCare customer or channel partner. This is your gateway to accessing Online Case Mangement and Software Download. All other services including documentation do not require a login."

 

Is this guide available anywhere else?  Or an updated version?