Palo Alto and Aruba Clearpass integration


L0 Member

Can someone please point me in the direction of any documentation for integrating PA firewalls with Aruba ClearPass? I understand ClearPass has a direct path into the API without the need for any programming?


L3 Networker

The following link has the steps for integrating Aruba ClearPass with a Palo Alto firewall. I hope this is helpful: http://www.arubanetworks.com/wp-content/uploads/TechNote_ArubaAndPaloAltoNetworksIntegration.pdf

Thanks for your help. Unfortunately I already have this document and it's great for the Aruba piece (which we've configured), but I was wondering if there was a Palo-specific document, as I'm not sure I understand how I tell the PA to accept the info coming from ClearPass.

I see you asked your question a while back. Maybe you already got it working. If so, please share.

Otherwise, I have a little bit to share since I have gotten this partially working. Well, maybe only the tiniest bit working.

First thing is that the ClearPass server connects from its RADIUS IP rather than from the Management IP. This is hard to figure out without a sniffer if you have the https requests go to the Management port on the Palo Alto, which is what I first tried.

However, since most of our PAs are HA pairs, that would mean two management IP entries for each. Plus, no firewall logging to help debug the thing. So I made the trust interface an https management port, updated the ACL, then added a Security Policy to allow the RADIUS servers to talk ssl to the interface IP.

This seems to have worked. Sort of. I see the connections, but they come up as "incomplete" rather than "ssl" as I would expect. They're short too. 6 packets and 636 bytes each. I used a browser to connect and it worked fine, so it seems functional.

Also, I see only a few IP entries added to the ip-user-mapping table. I should see hundreds. Here's what I think is the useful command: "show user ip-user-mapping all | match XMLAPI".

Another thing, which may or may not be an issue, is that for those few entries I do get, I see only the user name and not the domain. That's in contrast to what I see in the table from the User-ID Agent.

The documentation on this is shy of useful detail, especially on the Palo Alto config side. I'll keep poking at it, but I'm hoping a little activity here will draw out somebody who has this working.

More to share on this topic...

I got this working better than before. I'm not certain what I did to fix it, but those sessions I was getting before were not completing. I think I had an errant interface management policy. In any case, CPM is now updating. Three things of note:

First, CPM is only providing address change information, at least that's what I think is happening. Since a large proportion of the RADIUS registrations end up with the same address over and over, I think CPM remains silent about these. If so, it avoids a lot of chatter, but seems like it might be a long while before a complete database is built. Not sure about any of this.

Second -- and I am sure about this -- the CPM integration does not work at all in a system with multi-vsys enabled. This is because the xpath (which I see no way to modify in the ClearPass GUI) does not contain /vsys/entry@name='vsys1'. The result is nothing gets added to the ip-user-mapping table, since there is effectively a different table for each vsys.

Third, the AirHeads discussion forum has a note that says CPM 6.3 will have the ability to pass the domain along with the login. Right now, what I'm getting -- login only -- is all there is.

That file is no longer there. Can someone post it?


@knarra1 wrote:

The following link has the steps for integrating Aruba ClearPass with a Palo Alto firewall. I hope this is helpful: http://www.arubanetworks.com/wp-content/uploads/TechNote_ArubaAndPaloAltoNetworksIntegration.pdf


 

L1 Bithead

There is a how-to document created by Palo Alto Networks:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClS6CAK 

 

I hope this helps!


@AtulK wrote:

There is a how-to document created by Palo Alto Networks:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClS6CAK 

 

I hope this helps!


While this thread is very old, I think your response doesn't address the actual point of the question.

To me this question is asking how to integrate the "known users" from ClearPass authentications into PAN-OS via API calls. Your KB article is about using ClearPass as an authentication source to log into the firewall itself.

 

The API integration between the two products is described here:

https://www.arubanetworks.com/assets/pso/TechNote_ArubaAndPaloAltoNetworksIntegration.pdf

 

This documentation is old, though, and needs to be refreshed. The documentation from both Palo Alto and Aruba is lacking, and given the way Aruba ClearPass makes API calls it's entirely possible to overrun the stated supported API call limit in PAN-OS, which is only 5 API calls a second. If configured incorrectly on Aruba ClearPass, ClearPass may trigger 20+ API calls a second, which will crater Panorama / Strata appliances, requiring the ClearPass API integration to be turned off on CP in order to recover PAN/Strata.
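The three problems raised across this thread (mappings arriving with a bare login and no domain, a multi-vsys firewall keeping a separate ip-user-mapping table per vsys, and ClearPass bursting past the PAN-OS API call budget) can all be handled on the side that sends the mappings. The Python below is an added example and is not code from this thread, from Aruba or from Palo Alto Networks: it builds PAN-OS User-ID XML API messages with domain-qualified names, packs many mappings into one request, throttles calls to a fixed per-second budget, and optionally targets a vsys. The `vsys` query parameter, the hostnames, IPs, API key and user names are assumptions or constructed sample data; the `<uid-message>` element and attribute names are those of the User-ID XML API.

```python
import time
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from collections import deque

# Constructed sample RADIUS events, shaped like what a ClearPass-style source
# would hand to the firewall. Addresses, names and the domain are made up.
SAMPLE_EVENTS = [
    {"ip": "10.20.30.11", "user": "alice", "domain": "CORP", "event": "login"},
    {"ip": "10.20.30.12", "user": "bob",   "domain": "CORP", "event": "login"},
    {"ip": "10.20.30.11", "user": "alice", "domain": "CORP", "event": "login"},  # re-registration, same address
    {"ip": "10.20.30.13", "user": "carol", "domain": "CORP", "event": "logout"},
]


def qualified_name(user, domain=None):
    """DOMAIN\\user when a domain is known, otherwise the bare login. The
    User-ID table keys on this string, so a bare login and a domain-qualified
    login are two different users to the firewall (and to its policy)."""
    return f"{domain}\\{user}" if domain else user


def dedupe_events(events):
    """Drop repeated (ip, user, event) triples: a re-registration of an
    address that is already mapped carries no new information."""
    seen, out = set(), []
    for e in events:
        key = (e["ip"], qualified_name(e["user"], e.get("domain")), e["event"])
        if key not in seen:
            seen.add(key)
            out.append(e)
    return out


def build_uid_message(events, timeout_minutes=60):
    """One <uid-message> carrying every event in the batch. A single message
    may hold many <entry> elements; that is what keeps the call rate down."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    login = ET.SubElement(payload, "login")
    logout = ET.SubElement(payload, "logout")
    for e in events:
        name = qualified_name(e["user"], e.get("domain"))
        if e["event"] == "login":
            ET.SubElement(login, "entry", name=name, ip=e["ip"], timeout=str(timeout_minutes))
        else:
            ET.SubElement(logout, "entry", name=name, ip=e["ip"])
    return ET.tostring(root, encoding="unicode")


def build_request(firewall_host, api_key, uid_xml, vsys=None):
    """URL and form body for one POST to the XML API. firewall_host is whatever
    address carries an HTTPS-enabled interface management profile; the thread's
    author used a data-plane interface rather than the management port.
    vsys is an assumption for multi-vsys firewalls, where each vsys keeps its
    own ip-user-mapping table."""
    params = {"type": "user-id", "key": api_key, "cmd": uid_xml}
    if vsys:
        params["vsys"] = vsys
    return f"https://{firewall_host}/api/", urllib.parse.urlencode(params).encode()


class RateLimiter:
    """Sliding-window limiter: at most max_calls per window seconds. clock and
    sleeper are injectable so the behaviour can be checked without waiting."""
    def __init__(self, max_calls, window=1.0, clock=time.monotonic, sleeper=time.sleep):
        self.max_calls, self.window = max_calls, window
        self.clock, self.sleeper = clock, sleeper
        self.calls = deque()

    def _purge(self, now):
        while self.calls and now - self.calls[0] >= self.window:
            self.calls.popleft()

    def acquire(self):
        now = self.clock()
        self._purge(now)
        if len(self.calls) >= self.max_calls:
            self.sleeper(self.window - (now - self.calls[0]))
            now = self.clock()
            self._purge(now)
        self.calls.append(now)


def push_mappings(events, firewall_host, api_key, vsys=None, batch_size=100,
                  limiter=None, sender=None):
    """Dedupe, batch and throttle; returns the list of (url, body) requests.
    sender(url, body) is invoked for each one when given; without a sender the
    requests are only prepared (dry run)."""
    limiter = limiter or RateLimiter(max_calls=4)  # stay under the 5/s figure quoted above
    events = dedupe_events(events)
    requests = []
    for i in range(0, len(events), batch_size):
        url, body = build_request(firewall_host, api_key,
                                  build_uid_message(events[i:i + batch_size]), vsys)
        limiter.acquire()
        if sender:
            sender(url, body)
        requests.append((url, body))
    return requests


def send_https(url, body):
    """Real sender: POST with default certificate verification. Install a
    trusted certificate on the firewall rather than disabling the check."""
    with urllib.request.urlopen(urllib.request.Request(url, data=body), timeout=10) as r:
        return r.read().decode()
```

Run `push_mappings(SAMPLE_EVENTS, "10.20.30.1", api_key, sender=send_https)` against a test firewall and then check the result with `show user ip-user-mapping all | match XMLAPI` on the CLI; the duplicate `alice` event collapses into one entry and the three remaining events go out in a single call. Batching in this way, rather than one call per RADIUS event, is what keeps a busy ClearPass under the per-second budget.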
