Is anyone using the Aruba Clearpass device to identify user and machine name information?

cancel
Showing results for 
Search instead for 
Did you mean: 

Is anyone using the Aruba Clearpass device to identify user and machine name information?

L3 Networker

Apple userid is not getting sent from the PA UserID agent to the PA500.  Since the Aruba Clearpass device is seeing all of that info and more I found a doc that would allow the Clearpass to send that data to PA.  Has anyone out there used this method?

5 REPLIES 5

L3 Networker

Howto: Authenticate a Palo Alto Firewall via Clearpass and RADIUS

‎This was taken from an Aruba Airheads forum, which I am a member.  It was orignally posted by Mike Courtney, at Adaptive Communications


This how-to configures RADIUS authentication on a Palo Alto device running PANOS 5.x / 6.0 and integrating that with Clearpass. The Palo Alto device will be configured to receive a RADIUS VSA from Clearpass and provide super-user access for an AD specific user.

As before, I have a lab running Clearpass 6.2.x. I have a Windows 2012 server with defined users and groups and I've built the necessary role mappings under Configuration > Identity > Role Mappings in Clearpass. I've also created Clearpass / Tips roles that are mapped to my Windows 2012 groups.

Clearpass:

Enable the Palo Alto Dictionary in Clearpass:

1. Administration > Dictionaries > RADIUS
2. Filter > Vendor Name > Contains > "Palo"
3. Click on "PaloAlto" and then click "Enable"

Add the Device to Clearpass:

  1. 1. Configuration > Network > Devices
    2. Select "Add Devices"
    i. Name = <Name you'd like>
    ii. RADIUS Shared Secret = <Your shared secret>
    iii. Vendor Name = PaloAlto
    3. Select "Save"

    I use device groups for everything in Clearpass. This step can be optional, it's just my personal preference.

    1. Configuration > Network > Device groups
    2. Select "Add Device Group"
    3. Fill in the "Name" field. I'll be using "Palo Altos" in this example
    4. Select "List" under "Format"
    5. Under the "List", move the Palo Alto Device from the "Available Devices" to "Selected Devices"
    6. Click "Save"


Create a Palo Alto Enforcement Profile:

  1. 1. Configuration > Enforcement > Profiles
    2. Click "Add Enforcement Profile"
    3. Select "RADIUS based enforcement" as the Template
    4. Provide a name, "Palo Alto RADIUS Admin"
    5. Make sure that "Accept" is set under "Action"
    6. Under Attributes:
    i. Type - "Radius: PaloAlto"
    ii. Name - "PaloAlto-Admin-Role (1)",
    iii. Value - "superuser"
    7. Finally, click "Save"

    Create a Palo Alto Enforcement Policy:
  2. 1. Configuration > Enforcement > Policies
    2. Click "Add Enforcement Policy"
    3. Under "Enforcement", provide a name, "Palo Alto Login Enforcement Policy"
    4. Verify that RADIUS is the "Enforcement Type"
    5. Select "[Deny Access Profile] for the "Default Profile
    6. Select "Rules" and click "Add Rule"
    7. Mine looks like this:
    i. Type - Tips
    ii. Name - Role
    iii. Operator - EQUALS
    iv. PaloAlto-Admins
    8. Enforcement Profiles > "Profile Names" > "[RADIUS] Palo Alto RADIUS Admin"
    9. Click "Save"

    Create a Palo Alto Login Service:
  3. 1. Configuration > Services
  4. 2. Click "Add Service"
  5. 3. Select "Type" of "RADIUS Enforcement ( Generic )"
  6. 4. Provide a name for the service, "Palo Alto Firewall Logins"
  7. 5. Under "Service Rule" enter the following:

   i. Type - Connection
ii. Name - "NAD-IP-Address"
iii. Operator - "BELONGS_TO_GROUP"
iv. Value - "Palo Altos"

  1. 6. Under Authentication:

   i. Authentication Methods - PAP
ii. Authentication Sources - <your AD>

  1. 7. Under Roles select the "Role Mapping Policy" for your domain. Here's what mine looks like by clicking "Modify."

   i. Type - Authorization:Windows-2012
ii. Name - memberOf
iii. Operator - EQUALS
iv. Value - CN=PaloAlto-Admins,CN=Users,DC=top,DC=local
v. Actions > "Role Name" > "PaloAlto-Admins"
8. Under "Enforcement" > "Enforcement Policy" select the enforcement policy that we created > "Palo Alto Login Enforcement Policy"
9. Click "Save"

CONFIGURING THE PALO ALTO DEVICE:
The steps below will be done through the GUI.


1. Go to Device > Server Profiles > RADIUS > "+ Add" 

  1. i. Name = Clearpass  

Click "+ Add" in this menu:

   i. Name = FQDN of the Clearpass server

   ii. IP Address = <Clearpass IP address>
iii. Secret = Shared secret for the Palo Alto device in Clearpass
iv. Port = 1812

Click "Ok" in this menu

  1. 2. Go to Device > Authentication Profile > "+ Add"

   i. Name = PAN-Clearpass
ii. Authentication = RADIUS
iii. Server Profile = "Clearpass" (From step 1)

  1. 3. Go to Device > Authentication Sequence > "+ Add"

   i. Name = PAN-Auth-Sequence
ii. Click "+ Add"
iii. Select "PAN-Clearpass" (From step 2)

EDIT - 04/22/2014 - I had to take this additional setup on a Palo Alto device that had multiple Authentication profiles and RADIUS servers. It should be included as part of the steps to guarantee RADIUS authentication on a Palo Alto device.

  1. 4. Go to Device > Setup > Management Settings > Authentication Settings

   i. Click the Widget button in the corner

   ii. Select "PAN-Clearpass" under Authentication Profile"

   iii. Save this configuration

You should now be able to log into the GUI and the CLI on a Palo Alto device with Clearpass. You can verify this on the CLI by typing:

show admins

Also, the AD account will show up before the "@" symbol on a successful CLI connection:

mcourtney@PA-200>

This will show up in the GUI under:

Dashboard > Logged In Admins

You can verify that things are working by logging into a Palo Alto device and viewing the results in Access Tracker found under
Monitoring > Live Monitoring.

L1 Bithead

We are doing this.

Worked like a charm using PANOS6.0.X on our PA-200 following the Aruba/PAN technotes.

Setting up our PA-3020 with PANOS6.1.1 we are getting intermittent issues... ending up with a system not working.

We tried enabling UserID on external interface and we tried the mgmt interface... the PA deviceadminUser "aruba" logs in ok but no userinfo.

We are investigating at the moment. Will update when i know more

I got it working with some tweaks specific to our systems.  Now I see all.  :smileycool:

Care to share?

;-)

/Steinar

L3 Networker

Have either of you been able to use LDAP groups in rules when the members come from Clearpass and are not logged into the Domain?

Right now we can use Domain users and LDAP groups.  But if the users are populated via XML, they do not "match up" with the LDAP groups.  Therefore we cannot use LDAP groups when writing policies.

I will be opening a case, but was hoping to understand this better.

regards,

db

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!