Security

  • 1.  ClearPass Palo Alto Integration

    Posted Feb 07, 2023 02:50 PM

    Hello, I am having issues integrating Palo Alto with the ClearPass Insight; our appliance is on 6.10.7 code. Each authentication record shows the Endpoint Context Server IPs, but we still do not see the XML information passing through our Palo Alto Firewalls from Insight. We fixed the token issue, and we can get a token string with the username and password in the URL bar. We changed the password and tried a different username on the Palo Alto appliances for ClearPass but still cannot resolve the issue. We verified the network ports are open.

     

    TAC Troubleshooting steps: 

    We are able to fetch the token. Checked the logs and it was showing the same issue; asked to change the password and try, and we were getting an invalid credential error while testing.

    Not able to see the IP of Palo Alto in the authentication request so added the IP in the sent Login info and logout info in enforcement profile and checked the authentication. We are able to see the IP of Palo Alto in the request.
    We were not able to see any request on the Palo Alto; checked the log but could not find anything.
    Started the async services and were able to see the auth request on the Palo Alto but not able to see the user id XML information.
    Thank you 

     

     



  • 2.  RE: ClearPass Palo Alto Integration

    Posted Feb 08, 2023 04:28 AM
    As a prerequisite for the Endpoint Context server to work, can you double-check:
    - Insight is enabled on ClearPass
    - Insight Interim accounting is enabled on ClearPass
    - In access tracker, you see the Accounting Tab for the client (at least for the ones that you expect to be shared with the firewall), you see the client's IP address under Framed IP Address:
    If you don't see the IP address there, that needs to be resolved first.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: ClearPass Palo Alto Integration

    Posted Feb 08, 2023 05:11 PM
    Edited by Greg_W Mar 23, 2023 12:34 PM

    Hello, I have confirmed the following: 

    • Insight is enabled on ClearPass - Check Enabled
    • Insight Interim accounting is enabled on ClearPass - Check Enabled

    I do not see the Accounting Tab on a request details record as shown in your reply screenshot. Why would that be the case?

    Thank you 

    Best,




  • 4.  RE: ClearPass Palo Alto Integration

    Posted Feb 14, 2023 05:44 AM

    Do you have a wired switch? Or AP/controller?

    Regardless, do you have the following on the switch/AP/controller:

    • do you see the client IP? May need client IP track, DHCP snooping or other features on wired? If the switch does not know the client IP, it cannot share that in the accounting information, which is what ClearPass uses to learn the client IP.
    • accounting configured (required to get start-stop session information)
    • interim accounting configured (required to get an update with the client IP as soon as the switch/AP/controller learns that)


    ------------------------------
    Herman Robers
    ------------------------------



  • 5.  RE: ClearPass Palo Alto Integration

    Posted Feb 15, 2023 12:52 PM

    Hi Herman, thank you for following this thread. I am on an Aruba Mobility campus. We have several controllers with a Master. 

    Best,




  • 6.  RE: ClearPass Palo Alto Integration

    Posted Feb 17, 2023 05:28 AM
    • do you see the client IP on the controller? If the controller does not know the client IP, it cannot share that in the accounting information, which is what ClearPass uses to learn the client IP.
    • accounting configured (required to get start-stop session information)
    • interim accounting configured (required to get an update with the client IP as soon as the switch/AP/controller learns that)


    ------------------------------
    Herman Robers
    ------------------------------



  • 7.  RE: ClearPass Palo Alto Integration

    Posted Feb 24, 2023 12:17 AM

    Hello, thank you for your response:

    • do you see the client IP on the controller? If the controller does not know the client IP, it cannot share that in the accounting information, which is what ClearPass uses to learn the client IP.
      • Yes Client IP is on our controller and viewable in ClearPass
    • accounting configured (required to get start-stop session information)
      • Log accounting Interim-update Packets is set to true
    • interim accounting configured (required to get an update with the client IP as soon as the switch/AP/controller learns that)
      • Yes, a TAC case enabled interim accounting on our controllers



  • 8.  RE: ClearPass Palo Alto Integration
    Best Answer

    Posted Feb 27, 2023 06:42 AM

    Then the basic components are available; there is probably some configuration error somewhere. I would recommend that you have a look, with your Aruba partner or Aruba support, at the post-authentication logs to find why the request does not reach the Palo Alto properly. It can be that some attributes, like the username or IP, cannot be replaced during the post auth enforcement.



    ------------------------------
    Herman Robers
    ------------------------------
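
The last reply points at username or IP attributes not being substituted during post-auth enforcement. As an added example (not from the thread, Aruba or Palo Alto), this Python check validates a rendered PAN-OS User-ID `uid-message` body copied from a post-auth log; the `%{...}` leftover pattern, the function name and the sample bodies are assumptions constructed for illustration.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Assumption: a variable that could not be substituted is left in the
# rendered body as literal %{...} text.
UNRESOLVED = re.compile(r"%\{[^}]*\}")

def check_uid_message(body):
    """Return a list of problems found in a rendered User-ID update body."""
    body = body.strip()
    problems = ["unresolved variable " + m for m in UNRESOLVED.findall(body)]
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return problems + ["not well-formed XML: %s" % exc]
    if root.tag != "uid-message":
        problems.append("root element is <%s>, expected <uid-message>" % root.tag)
    entries = (root.findall("./payload/login/entry")
               + root.findall("./payload/logout/entry"))
    if not entries:
        problems.append("no login/logout <entry> elements in payload")
    for entry in entries:
        name = (entry.get("name") or "").strip()
        ip = (entry.get("ip") or "").strip()
        if not name:
            problems.append("entry for ip %r has an empty name" % ip)
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append("entry %r: ip %r is not a valid address" % (name, ip))
    return problems

# Constructed sample bodies (not taken from any real log).
GOOD = r"""<uid-message><version>1.0</version><type>update</type>
<payload><login><entry name="corp\jdoe" ip="10.20.30.40" timeout="60"/></login>
</payload></uid-message>"""

BAD = r"""<uid-message><version>1.0</version><type>update</type>
<payload><login><entry name="" ip="%{Radius:IETF:Framed-IP-Address}"/></login>
</payload></uid-message>"""

if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_uid_message(sample) or "ok")
```

An empty result means the body is structurally sound, so the remaining suspects are credentials, API key, or reachability on the firewall side.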