Howto: Authenticate a Palo Alto Firewall via Clearpass and RADIUS

This was taken from an Aruba Airheads forum, of which I am a member. It was originally posted by Mike Courtney, at Adaptive Communications.

This how-to configures RADIUS authentication on a Palo Alto device running PANOS 5.x / 6.0 and integrates it with Clearpass. The Palo Alto device will be configured to receive a RADIUS VSA from Clearpass and provide super-user access for a specific AD user.

As before, I have a lab running Clearpass 6.2.x. I have a Windows 2012 server with defined users and groups, and I've built the necessary role mappings under Configuration > Identity > Role Mappings in Clearpass. I've also created Clearpass / Tips roles that are mapped to my Windows 2012 groups.

CLEARPASS:

Enable the Palo Alto Dictionary in Clearpass:
1. Administration > Dictionaries > RADIUS
2. Filter > Vendor Name > Contains > "Palo"
3. Click on "PaloAlto" and then click "Enable"

Add the Device to Clearpass:
1. Configuration > Network > Devices
2. Select "Add Devices"
   i. Name = <Name you'd like>
   ii. RADIUS Shared Secret = <Your shared secret>
   iii. Vendor Name = PaloAlto
3. Select "Save"

I use device groups for everything in Clearpass. This step is optional; it's just my personal preference.
1. Configuration > Network > Device Groups
2. Select "Add Device Group"
3. Fill in the "Name" field. I'll be using "Palo Altos" in this example
4. Select "List" under "Format"
5. Under the "List", move the Palo Alto device from "Available Devices" to "Selected Devices"
6. Click "Save"

Create a Palo Alto Enforcement Profile:
1. Configuration > Enforcement > Profiles
2. Click "Add Enforcement Profile"
3. Select "RADIUS based enforcement" as the Template
4. Provide a name, "Palo Alto RADIUS Admin"
5. Make sure that "Accept" is set under "Action"
6. Under Attributes:
   i. Type - "Radius: PaloAlto"
   ii. Name - "PaloAlto-Admin-Role (1)"
   iii. Value - "superuser"
7. Finally, click "Save"

Create a Palo Alto Enforcement Policy:
1. Configuration > Enforcement > Policies
2. Click "Add Enforcement Policy"
3. Under "Enforcement", provide a name, "Palo Alto Login Enforcement Policy"
4. Verify that RADIUS is the "Enforcement Type"
5. Select "[Deny Access Profile]" for the "Default Profile"
6. Select "Rules" and click "Add Rule"
7. Mine looks like this:
   i. Type - Tips
   ii. Name - Role
   iii. Operator - EQUALS
   iv. Value - PaloAlto-Admins
8. Enforcement Profiles > "Profile Names" > "[RADIUS] Palo Alto RADIUS Admin"
9. Click "Save"

Create a Palo Alto Login Service:
1. Configuration > Services
2. Click "Add Service"
3. Select "Type" of "RADIUS Enforcement ( Generic )"
4. Provide a name for the service, "Palo Alto Firewall Logins"
5. Under "Service Rule" enter the following:
   i. Type - Connection
   ii. Name - "NAD-IP-Address"
   iii. Operator - "BELONGS_TO_GROUP"
   iv. Value - "Palo Altos"
6. Under Authentication:
   i. Authentication Methods - PAP
   ii. Authentication Sources - <your AD>
7. Under Roles, select the "Role Mapping Policy" for your domain. Here's what mine looks like after clicking "Modify":
   i. Type - Authorization:Windows-2012
   ii. Name - memberOf
   iii. Operator - EQUALS
   iv. Value - CN=PaloAlto-Admins,CN=Users,DC=top,DC=local
   v. Actions > "Role Name" > "PaloAlto-Admins"
8. Under "Enforcement" > "Enforcement Policy", select the enforcement policy that we created, "Palo Alto Login Enforcement Policy"
9. Click "Save"

CONFIGURING THE PALO ALTO DEVICE:

The steps below will be done through the GUI.

1. Go to Device > Server Profiles > RADIUS > "+ Add"
   i. Name = Clearpass
   Click "+ Add" in this menu:
   i. Name = FQDN of the Clearpass server
   ii. IP Address = <Clearpass IP address>
   iii. Secret = Shared secret for the Palo Alto device in Clearpass
   iv. Port = 1812
   Click "Ok" in this menu
2. Go to Device > Authentication Profile > "+ Add"
   i. Name = PAN-Clearpass
   ii. Authentication = RADIUS
   iii. Server Profile = "Clearpass" (From step 1)
3. Go to Device > Authentication Sequence > "+ Add"
   i. Name = PAN-Auth-Sequence
   ii. Click "+ Add"
   iii. Select "PAN-Clearpass" (From step 2)

EDIT - 04/22/2014 - I had to take this additional step on a Palo Alto device that had multiple Authentication Profiles and RADIUS servers. It should be included as part of the steps to guarantee RADIUS authentication on a Palo Alto device.

4. Go to Device > Setup > Management Settings > Authentication Settings
   i. Click the widget button in the corner
   ii. Select "PAN-Clearpass" under "Authentication Profile"
   iii. Save this configuration

You should now be able to log into the GUI and the CLI on a Palo Alto device with Clearpass. You can verify this on the CLI by typing:

   show admins

Also, the AD account will show up before the "@" symbol on a successful CLI connection:

   mcourtney@PA-200>

This will show up in the GUI under: Dashboard > Logged In Admins

You can also verify that things are working by logging into a Palo Alto device and viewing the results in Access Tracker, found in Clearpass under Monitoring > Live Monitoring.
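A check to go with the post above, added here and not part of Mike Courtney's original write-up: the Python below builds the same kind of RADIUS Access-Request the firewall sends to Clearpass (PAP, RFC 2865 User-Password hiding with the shared secret), verifies the Response Authenticator on the reply, and extracts the PaloAlto-Admin-Role VSA (Vendor-Specific attribute 26, Palo Alto Networks enterprise number 25461, vendor type 1) that the enforcement profile is supposed to return. The shared secret, user name, NAS IP and server address are placeholders, and the Access-Accept in the demo is constructed locally so the script runs offline; `send_to_clearpass` is there for a live test against your own server.

```python
"""Build a PAP Access-Request and parse the Palo Alto admin-role VSA from the reply (RFC 2865)."""
import hashlib
import hmac
import os
import socket
import struct

PALOALTO_VENDOR_ID = 25461        # Palo Alto Networks IANA enterprise number
PALOALTO_ADMIN_ROLE = 1           # PaloAlto-Admin-Role in the Clearpass PaloAlto dictionary
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 2, 4, 26


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks (at least one), XOR each with MD5(secret + previous block)."""
    length = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(length, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, length, 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block          # chaining uses the ciphertext block
    return out


def pap_decrypt(ciphertext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(ciphertext[i:i + 16], key))
        prev = ciphertext[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26): 4-byte vendor id, then a vendor type/length/value triple."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + attr(vendor_type, value))


def build_access_request(ident: int, secret: bytes, username: str, password: str, nas_ip: str):
    """Returns (packet, request_authenticator); the authenticator is needed to check the reply."""
    authenticator = os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, pap_encrypt(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(code: int, ident: int, secret: bytes, request_auth: bytes, attrs: bytes = b"") -> bytes:
    """Constructed server reply (for offline testing): ResponseAuth = MD5(Code+ID+Len+ReqAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def parse_attributes(body: bytes):
    attrs = []
    while body:
        if len(body) < 2 or body[1] < 2 or body[1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[0], body[2:body[1]]))
        body = body[body[1]:]
    return attrs


def paloalto_admin_role(packet: bytes, secret: bytes, request_auth: bytes, ident: int):
    """Authenticate the reply, then return the PaloAlto-Admin-Role string (None on reject/absent)."""
    code, resp_ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or resp_ident != ident:
        raise ValueError("length or identifier mismatch")
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("bad Response Authenticator (wrong shared secret or forged reply)")
    if code != ACCESS_ACCEPT:
        return None
    for t, v in parse_attributes(packet[20:]):
        if t == VENDOR_SPECIFIC and len(v) >= 6 and struct.unpack("!I", v[:4])[0] == PALOALTO_VENDOR_ID:
            for vt, vv in parse_attributes(v[4:]):
                if vt == PALOALTO_ADMIN_ROLE:
                    return vv.decode()
    return None


def send_to_clearpass(server: str, secret: bytes, username: str, password: str, nas_ip: str, port: int = 1812):
    """Live test against a real Clearpass (server/secret/nas_ip are yours); not used in the offline demo."""
    ident = os.urandom(1)[0]
    req, req_auth = build_access_request(ident, secret, username, password, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(5)
        s.sendto(req, (server, port))
        reply, _ = s.recvfrom(4096)
    return paloalto_admin_role(reply, secret, req_auth, ident)


if __name__ == "__main__":
    secret = b"placeholder-shared-secret"                     # placeholder, not a real secret
    req, req_auth = build_access_request(7, secret, "mcourtney", "P@ssw0rd", "192.0.2.10")
    accept = build_response(ACCESS_ACCEPT, 7, secret, req_auth,
                            vsa(PALOALTO_VENDOR_ID, PALOALTO_ADMIN_ROLE, b"superuser"))
    print("role returned:", paloalto_admin_role(accept, secret, req_auth, 7))
```

The role check deliberately verifies the Response Authenticator before trusting any attribute: a reply that fails that check (wrong secret, or a spoofed Access-Accept) raises instead of granting "superuser". Note also why the shared secret matters here: PAP only hides the password with MD5(secret + authenticator), so a weak or shared RADIUS secret exposes every admin password that crosses the wire.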