Aruba Networks PowerConnect W Clearpass 100 Software Manual

Palo Alto Networks User-ID Services Technote

Palo Alto Networks
User-ID Services
Unified Visitor Management


Summary of Contents for Aruba Networks PowerConnect W Clearpass 100 Software

  • Page 1 Palo Alto Networks User-ID Services Unified Visitor Management...
  • Page 2: Legal Notice

    Copyright © 2011 Aruba Networks, Inc. Aruba Networks trademarks include Airwave, Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System®, Mobile Edge Architecture®, People Move. Networks Must Follow®, RFProtect®, Green Island®. All rights reserved.
  • Page 3: Table Of Contents

    Table of Contents: Introduction (4); Audience (4); Document Overview (4); Disclaimer (4); About Palo Alto Networks User-ID Services (5); Overview (5); Palo Alto Networks User-ID Services Architecture (6); Network Design (7); Configuring Palo Alto Networks User-ID Services (8); Check Plugin Versions ...
  • Page 4: Introduction

    Introduction This technical note demonstrates how Palo Alto Networks customers can leverage Amigopod to provide user identity tracking both for known corporate users (via Active Directory, eDirectory, etc.) and now for Guest and/or Public Access users accessing the Internet through their Guest Access or Hotspot networks. Audience This document is intended for network administrators and system integrators deploying an Amigopod-based visitor management solution in conjunction with a Palo Alto Networks...
  • Page 5: About Palo Alto Networks User-Id Services

    About Palo Alto Networks User-ID Services Overview Palo Alto Networks has developed a range of Next Generation firewalls that redefine best practice for controlling and securing today's networks. Leveraging its core strengths of Application, User and Content Identification, Palo Alto Networks provides a unique approach to addressing the challenges surrounding Web 2.0 applications and peer-to-peer communications, which dominate the concerns of IT administrators.
  • Page 6: Palo Alto Networks User-Id Services Architecture

    Palo Alto Networks User-ID Services Architecture Amigopod is typically deployed in conjunction with a wired or wireless access controller to provide a clean branded user experience, user session management and many other enhancements to a traditional Guest or Public Access solution. The addition of an upstream Palo Alto Networks firewall adds a wealth of security and traffic management features to these networks.
  • Page 7: Network Design

    Network Design The following diagram shows a sample network architecture in which a typical Guest Access network is delivered by an Aruba Networks wireless solution. The Aruba controller, which performs authentication and access control for the wireless users, has been complemented by the integration of both the Amigopod and Palo Alto Networks technology.
  • Page 8: Configuring Palo Alto Networks User-Id Services

    Configuring Palo Alto Networks User-ID Services Check Plugin Versions Pushing user identity information to a Palo Alto Networks firewall requires the following Amigopod plugin versions: • Amigopod Kernel 2.1.7 or later • RADIUS Services Plugin 2.1.7 or later • Guest Manager Plugin 2.1.6 or later •...
  • Page 9: Configuring The Palo Alto Networks User-Id Service

    Configuring the Palo Alto Networks User-ID Service To configure the Palo Alto Networks plugin: 1. Click the Configuration option of the Palo Alto Networks Plugin shown in the Manage Plugins list. 2. To start the XML API service, click the Enable checkbox to enable the plugin. Amigopod leverages its RADIUS authentication engine so that a Palo Alto Networks XML API call is made every time there is a successful RADIUS login or logout.
  • Page 10: Check Palo Alto Networks Version And Setup

    • Username Suffix: The Palo Alto Networks plugin versions 0.7.0 and later allow you to optionally specify a suffix to add to usernames, e.g., #{$user.sponsor_name} 4. Click Save Configuration to save your settings. The configuration of the plugin is complete. Check Palo Alto Networks Version and Setup Palo Alto Networks firewalls and Agent Software are required to be running the following software releases in order to support the XML API for the User-ID integration:...
  • Page 11: Configuring User-Id Agent Definition

    Configuring User-ID Agent Definition From the Device > User Identification screen click Add under the User Identification Agent section shown below: From the resulting screen enter the IP Address details of the Windows Host you have installed the Palo Alto Networks User-ID Agent software. In our test environment the Windows host has an IP Address of 10.0.20.53.
  • Page 12: Enable Zone Based User Identification

    Enable Zone Based User Identification An additional step is required on the Palo Alto Networks firewall: User Identification is enabled per Zone, so it must be turned on for every Zone that the interesting traffic will pass through. In our test environment all traffic passes between the Trust and UnTrust zones, so it is these two zones whose configuration needs modification.
  • Page 13 Once installed, you can launch the Agent software from the Start > Program Files > Palo Alto Networks > User-ID Agent menu option. The following start up screen will be displayed: Click the Configure option in the left navigation pane to complete the configuration of the Agent software.
  • Page 14 Additionally ensure that the User-ID API option has been checked. You will then see the option below Configure that allows further configuration of the User-ID API settings. From the User-ID API configuration screen, leave the default listening port as 5006 as this is what the Amigopod default setting is in the Palo Alto Networks User-ID Services plugin.
  • Page 15: Verify Integration

    Verify Integration Create Test Account in Amigopod In order to test the integration between Amigopod and Palo Alto Networks we need a valid RADIUS-authenticated session on the Aruba wireless network. From the Amigopod Guest Manager > Create Guest menu option, enter the details for a new test account and click the Create Guest button to save the account to the Amigopod database.
  • Page 16: Login Via Captive Portal Page

    Login via Captive Portal page Assuming your wired or wireless access controller is set up correctly, when a web browser is opened on the test wireless laptop the browsing session should be automatically redirected to the Amigopod Web Login page. Log in using the test account created in the previous step. Once you have been successfully authenticated you will be redirected either to a configured landing page or to your original destination.
  • Page 17: Monitor User-Id Agent

    Monitor User-ID Agent Based on this successful RADIUS authentication transaction, the Amigopod Palo Alto Networks User-ID plugin will have executed an XML API call to the User-ID Agent software to inform it of the new IP address to user mapping. Returning to the main screen of the User-ID Agent, we can see that Amigopod has successfully sent an XML API update carrying the new IP address to user identity mapping.
  • Page 18: Verify User Identity Availability

    Verify User Identity Availability The final test is to verify that the IP address to user identity mapping has been successfully committed from the User-ID Agent to the Palo Alto Networks firewall. From the Palo Alto Networks user interface, select the Monitor tab to display the most recent traffic analysis; the test account's username should now appear against the traffic from its IP address.
  • Page 19: Logout And Verify User Mapping Removed

    Logout and Verify User Mapping Removed Use the access controller's logout procedure to terminate the Guest Access session and hence cause a RADIUS accounting Stop record to be sent from the access controller to Amigopod. This triggers another API update from Amigopod to the User-ID Agent running on the Windows host, this time removing the mapping; confirm on the agent that the entry is gone, since a stale mapping would let the next client given that IP address inherit the guest's identity.
  • Page 20: Summary

    Summary The need for application and user level visibility is today compounded by the explosion in demand for on-demand Internet access. Whether it's corporate guest access, a coffee shop hotspot or free wireless at a sporting event, users want to connect as easily and quickly as possible from a range of devices.
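The RADIUS-triggered update described on pages 9, 14, 17 and 19 (a login or logout maps or unmaps an IP address on the User-ID Agent listening on TCP 5006), as an added example that is not Amigopod's or Palo Alto Networks' own code. It assumes the `<uid-message>` login/logout schema accepted by the User-ID Agent XML API, the agent host 10.0.20.53 from the technote, constructed RADIUS accounting events modelled as dicts, and a hypothetical simplification of the plugin's Username Suffix that expands only the `#{$user.sponsor_name}` placeholder shown on page 10. Beyond the technote's happy path it also shows which events must never produce a mapping: a blank username, an unparseable Framed-IP-Address, and Interim-Update records.

```python
"""Build the User-ID Agent XML API messages that a RADIUS login/logout triggers.

Added example, not Amigopod or Palo Alto Networks code. Assumptions:
- the <uid-message> login/logout schema is what the User-ID Agent XML API accepts
- the agent listens on TCP 5006 (the default the technote leaves unchanged)
- RADIUS accounting events are plain dicts (constructed sample input below)
"""
import ipaddress
import socket
import xml.etree.ElementTree as ET
from typing import Optional

AGENT_HOST = "10.0.20.53"   # Windows host running the User-ID Agent (from the technote)
AGENT_PORT = 5006           # default User-ID API listening port

# Constructed sample accounting events, as an access controller would send to Amigopod.
SAMPLE_EVENTS = [
    {"Acct-Status-Type": "Start", "User-Name": "guest1",
     "Framed-IP-Address": "10.0.30.25", "sponsor_name": "jsmith"},
    {"Acct-Status-Type": "Stop", "User-Name": "guest1",
     "Framed-IP-Address": "10.0.30.25", "sponsor_name": "jsmith"},
    {"Acct-Status-Type": "Start", "User-Name": "",            # no identity: must not map
     "Framed-IP-Address": "10.0.30.26"},
    {"Acct-Status-Type": "Start", "User-Name": "guest2",      # bad address: must not map
     "Framed-IP-Address": "not-an-ip"},
]


def map_username(user_name: str, suffix_template: Optional[str], event: dict) -> str:
    """Apply the plugin's optional Username Suffix. Hypothetical simplification:
    only the #{$user.sponsor_name} placeholder from the technote is expanded."""
    if not suffix_template:
        return user_name
    suffix = suffix_template.replace("#{$user.sponsor_name}", event.get("sponsor_name", ""))
    return user_name + suffix


def build_uid_message(event: dict, suffix_template: Optional[str] = None,
                      timeout_min: int = 0) -> Optional[str]:
    """Turn one accounting event into a <uid-message>, or None if it must be ignored.
    Start -> <login>, Stop -> <logout>; anything else (e.g. Interim-Update) is not sent."""
    action = {"Start": "login", "Stop": "logout"}.get(event.get("Acct-Status-Type"))
    if action is None:
        return None
    user = event.get("User-Name", "").strip()
    if not user:
        return None  # never bind an IP address to an empty identity
    try:
        ip = ipaddress.ip_address(event.get("Framed-IP-Address", ""))
    except ValueError:
        return None  # not an address the agent could map; drop and log upstream
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    entry = ET.SubElement(ET.SubElement(payload, action), "entry")
    entry.set("name", map_username(user, suffix_template, event))
    entry.set("ip", str(ip))
    if action == "login" and timeout_min > 0:
        entry.set("timeout", str(timeout_min))  # minutes before the agent ages the mapping out
    return ET.tostring(root, encoding="unicode")


def process_events(events, suffix_template: Optional[str] = None):
    """Return, in order, the messages that would be sent; rejected events are skipped."""
    return [m for m in (build_uid_message(e, suffix_template) for e in events) if m]


def send_to_agent(message: str, host: str = AGENT_HOST, port: int = AGENT_PORT) -> None:
    """Push one message to the agent over TCP (not exercised offline)."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(message.encode("utf-8"))


if __name__ == "__main__":
    for msg in process_events(SAMPLE_EVENTS, suffix_template="@#{$user.sponsor_name}"):
        print(msg)
```

The only thing binding a guest's identity to their traffic is the Framed-IP-Address the access controller reports, so restrict which RADIUS clients Amigopod accepts accounting from, and restrict which hosts can reach the agent's port 5006, since anything that can speak to that port can assert arbitrary IP-to-user mappings.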
