Wireless Access

I've followed all of the steps to set up PAN integration, but don't see the Aruba controller logging into my Palo Alto firewall (or even trying).

I did the following:

1. created PAN server profile.

2. activated the profile

2. enabled 'PAN Firewall Integration' in my AAA profiles.

On the firewall side, I created a super user admin account.

Did I miss anything?  If not, are there any commands on the Aruba to troubleshoot what might be happening?  I don't see anything in the logs related to PAN except for the config commands from when I added the config.

Never mind.  Found it:

(hostname) # show pan ?
active-profile          Active PAN profile
debug                   Show PAN debug information
profile                 Palo Alto Networks Servers profile
state                   Show PAN Interface connection state
statistics              Show PAN Interface Statistics

So my PA firewalls show as down, but I can ping them just fine and traceroute in both directions shows the correct path.  I can also log into them via the broswer with the account I created.

Is there anywhere to get more details on why they show as 'down'?

Looking at a packet capture, on the SSL setup, the server eventually sends a 'fatal / handshake error' at the end of the negotiation - after the controller sends its cert, client key exchange, change cipher, and encrypted handshake message.

It was a server cert issue since I used the firewall's IP rather than hostname.  I changed it to hostname and now it's up - except all user-ID requests are 'skipped' still.

And I don't see any logins on my PA firewalls.

Hi mmartin

did you ever get this right? I have the same issue. Loaded certificates etc etc. but still no joy.

Could you help?

I never got it working that way and Aruba & Palo Alto support just ran me around in circles for weeks.  What we ended up doing was sending user events from our controllers (via syslog) to a server running the Palo Alto user agent.  On the Palo Alto user agent, we parsed the syslog messages to map the info to the correct fields, then the Palo Alto pulls the info from the agent.  We were already running the agent for AD logins, so it was a pretty simple solution.

See this KB.  It's actually based on Aruba logs, so you can follow it just about verbatim.

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Collect-the-User-IP-Mappings-from-a-Syslog-Sender-Using/ta-p/62085

Thanks. Just another question, What does your logging look like on the Aruba controller, I seem to get all logs except what I need.

Thanks again!

config > logging >

ip = x.x.x.x (where the agent is setup)

category = user

logging facilicity = localx

severity = all

Pretty simple actually.  On the agent side, we had to poke holes in the host-based firewall on the server(s).

Hi mmartin

That worked (last step was to change the "Logging Levels" > "User Logs" to "notifications", "warnings" only sends failed login logs.

I also managed to get our Instant AP's working perfectly in the same manner, but my PAN User-ID Agent needed different syntaxes like attached pic.

Also, i eventually managed to get the Pala Alto and Aruba Native integration working, also spend hours with Aruba TAC on line, with no outcome.

For someone out there this might help, but to tell you the truth, the syslog setup is EASY and you can specify the default domain in the PAN UID Agent, but on the native integration, if you dont specify your domain when authenticating to the Wi-Fi, Palo Alto  won't map you to a security group.

Follow this guide, I have some of the steps listed below aswell: http://www.arubanetworks.com/pdf/partners/SG_PaloAltoNetworks.pdf

• Create Admin account on your Palo Alto
• allow https (and user-id) on your Management Interface if thats what you are going to use.
• create dns record to point to your Palo Alto IP address. eg. pan.yourdomain.com
• now the trouble starts with the certificates. you should have a CA signed certificate.
• on your Palo Alto go to "Device" > "Setup" > "Management" > "General Settings" create a SSl/TLS Service Profile with your CA cert.
• Now you shold be able to access your Palo Alto via the DNS name on https://pan.yourdomain.com without getting a certificate error, This is KEY! if you get cert error, don't go any further, try and get this to work first. See attached PAN Certs picture, how our certs looks like.
• If your cert is signed by a default trusted CA like ours "GlobalSign_Root_CA". < This needs to be uploaded to your local controllers
• On your Palo Alto go to "Device" > "Certificates" > "Default Tusted Certificate Authorties", export the Certificate eg. in our case the "GlobalSign_Root_CA".
• This Certificate you import into Aruba controller (this is why most people in get the (Fatal, unknown CA) in a wireshark capture! I also uploaded my companies cert, the one attached in the pic to the Aruba controller, just in case.
• All you need now is to activate the PAN integration tick boxes and server setup as per the guide and your PAN state will now be up.

Like I said, syslog is easier and WAY faster to manage/setup. 

For anyone else that might run into this. Our PAN integration stopped working suddenly too. I had the (Fatal, Unknown CA) in the wireshark logs as well (note: the packet was from the Aruba Controller to the Palo, TLSv1.2). 

What fixed it for us was uploading a TrustedCA in PEM/x509 format with the entire chain of certificates for the Palo. Including the Palo certificate added to the bottom; However I'm not even sure if any certificate actually gets uploaded other than that top cert. This can be frustrating as I'm quite sure that certificate was already there (since it was working for years too), but at least support pointed me in the right direction and then we started throwing certs at it.

Remember that all local controllers need that same certificate as well uploaded individually too. On the Palo CLI you can run show user ip-user-mapping all and look for XMLAPI's to start filling in and no longer being mostly unknown. Also when troubleshooting with the certificates nothing needs to be saved or reloaded - just wait a bit and it should start working.