topic Re: Palo Alto and Aruba Clearpass integration in General Topics

Palo Alto and Aruba Clearpass integration

jlucking — Mon, 05 Aug 2013 14:57:42 GMT

Can someone please point me in the direction of any documentation for integrating PA firewalls with Aruba Clearpass. Understand Clearpass has a direct path into the API without the need for any programming?

Re: Palo Alto and Aruba Clearpass integration

knarra1 — Mon, 05 Aug 2013 17:11:47 GMT

Following link has the steps for integrating Aruba clear pass with Palo Alto Firewall. I hope this is helpful http://www.arubanetworks.com/wp-content/uploads/TechNote_ArubaAndPaloAltoNetworksIntegration.pdf

Re: Palo Alto and Aruba Clearpass integration

jlucking — Tue, 06 Aug 2013 16:21:14 GMT

Thanks for your help. Unfortunately already have this document and its great for the Aruba piece (which we've configured) but I was wondering if there was a Palo specific document as not sure I understand how I tell the PA to accept the info coming from Clearpass

Re: Palo Alto and Aruba Clearpass integration

gmparis — Fri, 08 Nov 2013 21:44:54 GMT

I see you asked your question a while back. Maybe you already got it working. If so, please share.

Otherwise, I have a little bit to share since I have gotten this partially working. Well, maybe only the tiniest bit working.

First thing is that the ClearPass server connects from its RADIUS IP rather from the Management IP. This is hard to figure out without a sniffer, if you have the https requests go to the Management port on the Palo Alto, which is what I first tried.

However, since most of our PAs are HA pairs, that would mean two management IP entries for each. Plus, no firewall logging to help debug the thing. So I made the trust interface an https management port, updated the ACL, then added a Security Policy to allow the RADIUS servers to talk ssl to the interface IP.

This seems to have worked. Sort of. I see the connections, but they come up as "incomplete" rather than "ssl" as I would expect. They're short too. 6 packets and 636 bytes each. I used a browser to connect and it worked fine, so it seems functional.

Also, I see only a a few IP entries added to the ip-user-mapping table. I should see hundreds. Here's what I think is the useful command: "show user ip-user-mapping all | match XMLAPI".

Another thing, which may or may not be an issue, is that for those few entries I do get, I see only the user name and not the domain. That's in contrast to what I see in the table from the User-ID Agent.

The documentation on this is shy of useful detail, especially on the Palo Alto config side. I'll keep poking at it, but I'm hoping a little activity here will draw out somebody who has this working.

Re: Palo Alto and Aruba Clearpass integration

gmparis — Sun, 10 Nov 2013 19:21:02 GMT

Re: Palo Alto and Aruba Clearpass integration

hmcginnis — Tue, 08 Sep 2015 13:30:06 GMT

That file is no longer there. Can someone post it?

@knarra1 wrote:
Following link has the steps for integrating Aruba clear pass with Palo Alto Firewall. I hope this is helpful http://www.arubanetworks.com/wp-content/uploads/TechNote_ArubaAndPaloAltoNetworksIntegration.pdf

Re: Palo Alto and Aruba Clearpass integration

LCMember1959 — Wed, 09 Sep 2015 12:59:48 GMT

Here is the link for PA integration with ClearPass 6.x:

https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=17560

Re: Palo Alto and Aruba Clearpass integration

cpainchaud — Mon, 14 Dec 2015 11:51:31 GMT

doc moved here:

http://www.arubanetworks.com/assets/pso/PSO_PANWandCPPM.pdf

Re: Palo Alto and Aruba Clearpass integration

AtulK — Tue, 03 Sep 2024 11:32:00 GMT

There is a How-to documentation created by Palo Alto Networks:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClS6CAK

I hope this helps!

Re: Palo Alto and Aruba Clearpass integration

Brandon_Wertz — Wed, 04 Sep 2024 15:15:37 GMT

@AtulK wrote:

There is a How-to documentation created by Palo Alto Networks:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClS6CAK

I hope this helps!

While this thread is very old, I think your response doesn't address the actual point of the question.

To me this question is asking how to integrate the "known users" from Clearpass authentications to PAN-OS via API calls. Your KB article is about using Clearpass as an authentication source to log into the firewall itself.

The API integration between the 2 products are described here:

https://www.arubanetworks.com/assets/pso/TechNote_ArubaAndPaloAltoNetworksIntegration.pdf

This documentation is old though and needs to be refreshed. The documentation both from Palo and Aruba is lacking and the way Aruba Clearpass makes API calls it's entirely possible to overrun the stated support API call limit in PAN-OS which is only 5 API calls a second. If configured incorrectly from Aruba Clearpass, Clearpass may trigger 20+ API calls a second which will crater Panorama / Strata appliances. Requiring Clearpass the API integration to be turned off on CP in order to recover PAN/Strata.