Wednesday, February 22, 2023

RADIUS via Clearpass on Palo Altos

This was arguably harder than it should have been to figure out.  Hopefully this will help speed up your initial deployment of Clearpass with Palo Alto Networks NGFWs.

Initial Device Configuration in CPPM

First, set up your NGFWs within CPPM.

  • Configuration > Network > Devices
    • Add your devices!  Save your RADIUS password for later, you'll need to enter it into your NGFWs.
  • Configuration > Network > Device Groups
    • Create a group for your NGFWs and add the devices into it.  For this exercise, we're naming it "Palo Altos"

Certificates!

CPPM

  • Administration > Certificates > Certificate Store
    • Service & Client Certificates
      • Create Certificate Signing Request
        • CN = cppm.local (or whatever, but this CN is referenced later in this post)
  • Get this signed by an internal CA or your favorite external CA
  • You may need to enable the CA in your trust list to allow EAP usage
  • Import Certificate
    • CN = cppm.local should appear

NGFW

  • Device > Certificate Management > Certificates
    • Import your CA root certificate, we're calling it "CA" 
    • Import the certificate generated above for CPPM, we're calling it "cppm-eap".
  • Device > Certificate Management > Certificate Profile
    • Name: clearpass
    • CA Certificates
      • "CA"
    • Set anything else that is appropriate for your installation.

CPPM Service

Next, create a CPPM service for this.

  • Configuration > Services
    • RADIUS Enforcement ( Generic )
    • Service
      • Service Rule
        • Connection NAD-IP-ADDRESS BELONGS_TO_GROUP Palo Altos
    • Authentication
      • Authentication Methods
        • [EAP PEAP]
        • [EAP MSCHAPv2]
        • [MSCHAP]
      • Authentication Sources
        • For this exercise, we're using [Admin User Repository] [Local SQL DB] but you should use the authentication source you use.
      • Service Certificate: CN=cppm.local
    • Roles
      • Role Mappings
        • Palo Alto Admins
          • Policy
            • Name: Palo Alto Admins
            • Default Role: PaloAlto-Admins
          • Mapping Rules:
            • Authentication:Source EQUALS [Admin User Respository] Role Name: PaloAlto-Admins
    • Enforcement
      • Palo Alto Login Enforcement Policy
        • Enforcement
          • Default Profile: [Deny Access Profile]
        • Rules
          • Tips:Role EQUALS PaloAlto-Admins, Action: Palo Alto RADIUS Admin
Move the RADIUS Service to where you deem appropriate.

Enabling RADIUS on NGFW

  • Log into your NGFW using SSH
    • tail follow yes mp-log authd.log
  • Device > Server Profiles > RADIUS
    • Profile Name: "fw.lab - server profile"
    • Authentication Protocol: PEAP-MSCHAPv2
    • Uncheck "Make Outer Identity Anonymous"
    • Certificate Profile: "clearpass"
    • Add your Clearpass servers, including the secret you previously used in Clearpass when creating the device.
  • Device > Authentication Profile
    • Profile Name: "fw.lab" -- this will show up in your authentication logs on Clearpass, set appropriately so you're not confused later
    • Type: RADIUS
    • Server Profile: "fw.lab - server profile"
    • Advanced
      • Allow List: all
  • Commit
  • Test and confirm, it's easiest via SSH.
    • Note: on the SSH window you have tailing the authd.log, you should see "Done with RADIUS (Code: 2)." This indicates a successful authentication.  Code 3 indicates failure issued by the RADIUS server, such as an incorrect username or authentication method.

No comments:

Post a Comment

RADIUS via Clearpass on Palo Altos

This was arguably harder than it should have been to figure out.  Hopefully this will help speed up your initial deployment of Clearpass wit...