Howto: Authenticate a Palo Alto Firewall via Clearpass and RADIUS
This was taken from an Aruba Airheads forum, which I am a member. It was orignally posted by Mike Courtney, at Adaptive Communications
This how-to configures RADIUS authentication on a Palo Alto device running PANOS 5.x / 6.0 and integrating that with Clearpass. The Palo Alto device will be configured to receive a RADIUS VSA from Clearpass and provide super-user access for an AD specific user.
As before, I have a lab running Clearpass 6.2.x. I have a Windows 2012 server with defined users and groups and I've built the necessary role mappings under Configuration > Identity > Role Mappings in Clearpass. I've also created Clearpass / Tips roles that are mapped to my Windows 2012 groups.
Enable the Palo Alto Dictionary in Clearpass:
1. Administration > Dictionaries > RADIUS
2. Filter > Vendor Name > Contains > "Palo"
3. Click on "PaloAlto" and then click "Enable"
Add the Device to Clearpass:
Create a Palo Alto Enforcement Profile:
i. Type - Connection
ii. Name - "NAD-IP-Address"
iii. Operator - "BELONGS_TO_GROUP"
iv. Value - "Palo Altos"
i. Authentication Methods - PAP
ii. Authentication Sources - <your AD>
i. Type - Authorization:Windows-2012
ii. Name - memberOf
iii. Operator - EQUALS
iv. Value - CN=PaloAlto-Admins,CN=Users,DC=top,DC=local
v. Actions > "Role Name" > "PaloAlto-Admins"
8. Under "Enforcement" > "Enforcement Policy" select the enforcement policy that we created > "Palo Alto Login Enforcement Policy"
9. Click "Save"
CONFIGURING THE PALO ALTO DEVICE:
The steps below will be done through the GUI.
1. Go to Device > Server Profiles > RADIUS > "+ Add"
Click "+ Add" in this menu:
i. Name = FQDN of the Clearpass server
ii. IP Address = <Clearpass IP address>
iii. Secret = Shared secret for the Palo Alto device in Clearpass
iv. Port = 1812
Click "Ok" in this menu
i. Name = PAN-Clearpass
ii. Authentication = RADIUS
iii. Server Profile = "Clearpass" (From step 1)
i. Name = PAN-Auth-Sequence
ii. Click "+ Add"
iii. Select "PAN-Clearpass" (From step 2)
EDIT - 04/22/2014 - I had to take this additional setup on a Palo Alto device that had multiple Authentication profiles and RADIUS servers. It should be included as part of the steps to guarantee RADIUS authentication on a Palo Alto device.
i. Click the Widget button in the corner
ii. Select "PAN-Clearpass" under Authentication Profile"
iii. Save this configuration
You should now be able to log into the GUI and the CLI on a Palo Alto device with Clearpass. You can verify this on the CLI by typing:
Also, the AD account will show up before the "@" symbol on a successful CLI connection:
This will show up in the GUI under:
Dashboard > Logged In Admins
You can verify that things are working by logging into a Palo Alto device and viewing the results in Access Tracker found under
Monitoring > Live Monitoring.
We are doing this.
Worked like a charm using PANOS6.0.X on our PA-200 following the Aruba/PAN technotes.
Setting up our PA-3020 with PANOS6.1.1 we are getting intermittent issues... ending up with a system not working.
We tried enabling UserID on external interface and we tried the mgmt interface... the PA deviceadminUser "aruba" logs in ok but no userinfo.
We are investigating at the moment. Will update when i know more
Have either of you been able to use LDAP groups in rules when the members come from Clearpass and are not logged into the Domain?
Right now we can use Domain users and LDAP groups. But if the users are populated via XML, they do not "match up" with the LDAP groups. Therefore we cannot use LDAP groups when writing policies.
I will be opening a case, but was hoping to understand this better.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!