DotW: How to Authenticate a Palo Alto Networks Firewall via Clearpass and RADIUS

Created On 09/25/18 18:59 PM - Last Modified 06/08/23 09:44 AM


Resolution


This document was created from content posted in the thread "Is anyone using the Aruba Clearpass device to identify user and machine name information?" in the Palo Alto Networks Live Community discussion forum.

 

This was taken from an Aruba Airheads forum, of which I am a member. It was originally posted by Mike Courtney, at Adaptive Communications.

 

This how-to configures RADIUS authentication on a Palo Alto Networks device running PAN-OS 5.x / 6.0 and integrates it with Clearpass. The Palo Alto Networks device is configured to receive a RADIUS Vendor-Specific Attribute (VSA) from Clearpass and grant superuser access to a specific AD user.

As before, I have a lab running Clearpass 6.2.x. I have a Windows 2012 server with defined users and groups and I've built the necessary role mappings under Configuration > Identity > Role Mappings in Clearpass. I've also created Clearpass / Tips roles that are mapped to my Windows 2012 groups.

 

Setup on Clearpass

 

Enable the Palo Alto Networks Dictionary in Clearpass

1. Administration > Dictionaries > RADIUS
2. Filter > Vendor Name > Contains > Palo
3. Click on PaloAlto, then click Enable

Add the Palo Alto Networks Device in Clearpass

1. Configuration > Network > Devices
2. Select Add Devices
   • Name = <Name you'd like>
   • RADIUS Shared Secret = <Your shared secret>
   • Vendor Name = PaloAlto
3. Select Save


Create a device group (optional)

 

It's advisable, but not required, to use device groups in Clearpass; this step is a preference rather than a requirement.

1. Configuration > Network > Device groups
2. Select Add Device Group
3. Fill in the Name field. We'll use Palo Altos in this example
4. Select List under Format
5. Under the List, move the Palo Alto Device from Available Devices to Selected Devices
6. Click Save

Create a Palo Alto Networks Enforcement Profile

1. Configuration > Enforcement > Profiles
2. Click Add Enforcement Profile
3. Select RADIUS based enforcement as the Template
4. Provide a name, Palo Alto RADIUS Admin
5. Make sure that Accept is set under Action
6. Under Attributes:
   • Type - Radius: PaloAlto
   • Name - PaloAlto-Admin-Role (1)
   • Value - superuser
7. Click Save

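As an added illustration (not from the article, Clearpass or PAN-OS), this Python snippet builds the Access-Accept that the enforcement profile above would produce, carrying PaloAlto-Admin-Role = superuser as a Vendor-Specific Attribute under Palo Alto Networks' IANA enterprise number 25461, and checks the Response Authenticator that ties the reply to the shared secret configured on both sides. The shared secret and Request Authenticator are constructed placeholders.

```python
import hashlib
import struct

# Constructed for this example (not from the article): secret and request authenticator
SHARED_SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))          # the Request Authenticator the firewall sent
PALOALTO_VENDOR_ID = 25461               # IANA enterprise number of Palo Alto Networks
PALOALTO_ADMIN_ROLE = 1                  # vendor attribute "PaloAlto-Admin-Role (1)"

def vsa(vendor_id, vendor_type, value):
    """Encode an RFC 2865 Vendor-Specific attribute (type 26)."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    body = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", 26, len(body) + 2) + body

def build_access_accept(identifier, request_auth, attributes, secret):
    """Access-Accept (code 2); the Response Authenticator is keyed to the shared secret."""
    header = struct.pack("!BBH", 2, identifier, 20 + len(attributes))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + resp_auth + attributes

def verify_response(packet, request_auth, secret):
    """Recompute the Response Authenticator; a reply built with the wrong secret fails."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return resp_auth == expected

def parse_attributes(packet):
    """Yield (type, value) pairs from the attribute area after the 20-byte header."""
    pos = 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed RADIUS attribute")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def admin_role(packet):
    """Return the PaloAlto-Admin-Role string carried in the VSA, or None if absent."""
    for atype, value in parse_attributes(packet):
        if atype == 26 and len(value) >= 6:
            vendor_id, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor_id == PALOALTO_VENDOR_ID and vtype == PALOALTO_ADMIN_ROLE:
                return value[6:4 + vlen].decode()
    return None
# The reply Clearpass would send for the enforcement profile above (constructed here)
ACCEPT = build_access_accept(
    7, REQUEST_AUTH, vsa(PALOALTO_VENDOR_ID, PALOALTO_ADMIN_ROLE, b"superuser"), SHARED_SECRET)
```

Because the role that grants superuser rides in the reply, the firewall's check of the Response Authenticator against the shared secret is what makes a modified or spoofed Access-Accept fail; that is why the secret should be long and unique per device.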

Create a Palo Alto Networks Enforcement Policy

 

1. Configuration > Enforcement > Policies
2. Click Add Enforcement Policy
3. Under Enforcement, provide a name, Palo Alto Login Enforcement Policy
4. Verify that RADIUS is the Enforcement Type
5. Select Deny Access Profile for the Default Profile
6. Select Rules and click Add Rule
7. Mine looks like this:

  • Type - Tips
  • Name - Role
  • Operator - EQUALS
  • Value - PaloAlto-Admins
  • Enforcement Profiles > Profile Names > [RADIUS] Palo Alto RADIUS Admin
  • Click Save


Create a Palo Alto Networks Login Service

 

1. Configuration > Services

2. Click Add Service

3. Select Type of RADIUS Enforcement (Generic)

4. Provide a name for the service, Palo Alto Firewall Logins

5. Under Service Rule, enter

  • Type - Connection
  • Name - NAD-IP-Address
  • Operator - BELONGS_TO_GROUP
  • Value - Palo Altos

6. Under Authentication:

  • Authentication Methods - PAP
  • Authentication Sources - <your AD>

7. Under Roles, select the Role Mapping Policy for your domain. Here's what mine looks like when I click Modify:

  • Type - Authorization:Windows-2012
  • Name - memberOf
  • Operator - EQUALS
  • Value - CN=PaloAlto-Admins,CN=Users,DC=top,DC=local
  • Actions > Role Name > PaloAlto-Admins

8. Under Enforcement > Enforcement Policy, select the enforcement policy that we created > Palo Alto Login Enforcement Policy

9. Click Save

10. Click Enable

 

 

Configuring the Palo Alto Networks Device

 

Perform the following steps through the GUI.


1. Go to Device > Server Profiles > RADIUS > + Add

  • Name = Clearpass
  • Click + Add in this menu:
    • Name = FQDN of the Clearpass server
    • Protocol = PAP
    • IP Address = <Clearpass IP address>
    • Secret = Shared secret for the Palo Alto Networks device in Clearpass
    • Port = 1812
  • Click OK in this menu

2. Go to Device > Authentication Profile > + Add

  • Name = PAN-Clearpass
  • Authentication = RADIUS
  • Server Profile = Clearpass (from step 1)

3. Go to Device > Authentication Sequence > + Add

  • Name = PAN-Auth-Sequence
  • Click + Add
  • Select PAN-Clearpass (from step 2)

 

Verifying RADIUS Authentication

 

On a Palo Alto Networks device with multiple authentication profiles and RADIUS servers, this additional step may be required. Include it to ensure that RADIUS authentication is actually used on the device.

 

1. Go to Device > Setup > Management Settings > Authentication Settings

  • Click the Widget button in the corner
  • Select PAN-Clearpass under Authentication Profile
  • Save this configuration

You should now be able to log into the GUI and the CLI of a Palo Alto Networks device with Clearpass-authenticated credentials. You can verify this on the CLI by entering:

 

show admins

 

Also, on a successful CLI connection, the AD account name appears before the @ symbol in the prompt:

 

mcourtney@PA-200>

 

This will show up in the GUI under:

Dashboard > Logged In Admins

 

You can verify that things are working by logging into a Palo Alto Networks device and viewing the results in Clearpass's Access Tracker, found under Monitoring > Live Monitoring.

 
