© Copyright CodeCentrix. All rights reserved 2015. Version 1.2
PAN 802.1x Connector Application
Installation Guide
Version 1.2
Contact Information
CodeCentrix
www.codecentrix.co.za/contact
Email: [email protected]
About this Guide
This installation guide takes you through the installation, activation and configuration of the PAN
802.1x Connector application. The installation guide details the necessary steps to activate the
software, perform an initial configuration, install and start the application service as well as verify
and test the configuration using the built-in test functions. It also includes troubleshooting steps
should you have any issue during the testing of the configuration. An overview of the application’s
operation as well as a process flow chart can be found in appendix A. This guide does not cover
the configuration of any 802.1x capable infrastructure such as switches and/or wireless access
points. Please refer to the respective switch and/or wireless access point vendor’s configuration
manual for instructions on how to configure those network infrastructure devices and appliances
for 802.1x authentication. The majority of network devices such as mobile, printer, projector,
Microsoft and Apple devices and computers support 802.1x authentication. A prerequisite is that a
Microsoft Network Policy Server (NPS) is installed and running and accepting authentication
requests from network devices. For more information on how to deploy and run a Microsoft NPS
role, visit Microsoft’s website:
https://msdn.microsoft.com/en-us/library/cc732912.aspx
PAN 802.1x Connector tech notes and articles can be found at
www.codecentrix.co.za/knowledgebase
Email [email protected] if you have any technical questions, issues or feature requests.
TABLE OF CONTENTS
Installing and configuring the PAN 802.1x Connector application ....................................... 5
Step 1 – Run “Setup.exe” ............................................................................................ 6
Step 2 – Activate the PAN 802.1x Connector application .............................................. 10
Step 3 – Configuring the PAN 802.1x Connector application ......................................... 13
Step 4 – Adding DHCP servers ................................................................................... 16
i. DHCP server type “Microsoft” .......................................................................... 18
ii. DHCP server type “Palo Alto Networks” ........................................................... 20
iii. DHCP server type “Cisco” ................................................................................ 22
Step 5 - Installing and starting the PAN 802.1x Connector service ................................ 24
Install the service .................................................................................................. 24
Start the service .................................................................................................... 26
Verifying the PAN 802.1x Connector installation ............................................................. 27
Step 1 – Verify read access to the Microsoft security event logs ................................... 28
Step 2 – Test connectivity to the Palo Alto Networks firewall(s) .................................... 33
Step 3 – Test DHCP server functionality ..................................................................... 36
Step 4 – Verify that the PAN 802.1x Connector service is running ................................. 41
Step 5 – Check the Palo Alto Networks firewall for user mappings ................................ 42
Application and Service logs ......................................................................................... 43
Application licensing .................................................................................................... 45
Default action upon license expiry.............................................................................. 46
License renewal ....................................................................................................... 46
Upgrading to a high availability license ....................................................................... 46
Configuration tips and troubleshooting .......................................................................... 47
Minimum rights required to run the PAN 802.1x Connector service ............................... 47
Backup/Restore the PAN 802.1x Connector configuration ............................................. 48
Optimising Microsoft NPS session, DHCP and user-ID timeout values ............................ 48
Issues starting the PAN 802.1x Connector service ....................................................... 50
Appendix A – PAN 802.1x Connector application operations ............................................ 52
System Requirements

Supported Operating Systems:
- Microsoft Windows 2008
- Microsoft Windows 2008 R2
- Microsoft Windows 2012
- Microsoft Windows 2012 R2

Prerequisites:
- Microsoft .NET 4.0
- Microsoft Network Policy Server (NPS)
- 802.1x capable network infrastructure (switch or wireless Access Point (AP)) configured to
  authenticate to the Microsoft NPS
- A Microsoft DHCP server and/or Palo Alto Networks firewall DHCP server and/or Cisco IOS DHCP
  server
- Palo Alto Networks firewall or firewalls (high availability mode)
The PAN 802.1x Connector application will function without specifying any DHCP servers. No MAC
to IP mappings will be discoverable since the PAN 802.1x application uses the DHCP server’s
binding table (IP leases) to discover the IP address of the 802.1x authenticated network device.
More than 1 DHCP server may be configured. The PAN 802.1x Connector application will process
the configured DHCP servers in a top down sequence. Any combination of Microsoft, Palo Alto
Networks, and Cisco DHCP servers may be configured. See appendix A for more information on
the processing logic of the PAN 802.1x Connector application.
INSTALLING AND CONFIGURING THE PAN 802.1X
CONNECTOR APPLICATION
The PAN 802.1x Connector application must be installed on a Microsoft server that is running a
Microsoft Network Policy Server (NPS). The PAN 802.1x Connector service depends on logs
generated by the Microsoft NPS server to extract user and user device related information. This
information is processed and pushed to the Palo Alto Networks firewall(s) once processing has
completed successfully. The PAN 802.1x Connector application can be installed on all Microsoft
servers running Microsoft Network Policy Server (NPS). This is ideal for environments where high
availability is essential. Multiple PAN 802.1x Connector installations can push mappings to a single
Palo Alto Networks firewall or firewalls when a high availability license is activated. Each
installation of the PAN 802.1x Connector application runs independently of the others, and the
installations do not need to be connected to each other. Each installed PAN 802.1x Connector
application communicates directly with the Palo Alto Networks firewall(s) whenever a Microsoft
NPS log has been processed successfully. The same license key may be used for each of the
installed PAN 802.1x Connector applications. The application license key is bound to the Palo Alto
Networks firewall(s) and not to the installation instances themselves. Each installed application
will only communicate with the Palo Alto Networks serials specified in the license key. See page 44
for more information on application licensing.
The latest version of the PAN 802.1x Connector application may be downloaded from
www.codecentrix.co.za/download
The following section details the installation steps. Please ensure that you have administrative
rights to install the application.
The PAN 802.1x Connector application must be installed on a Microsoft server that
is running a Microsoft Network Policy Server (NPS). You may install the PAN 802.1x
Connector applications on all Microsoft NPS servers in your organisation or
environment.
STEP 1 – RUN “SETUP.EXE”
Upon successful download of the application, right click on the “Setup.exe” installer and select
“Run as administrator”.
Click “Next” on the initial setup screen to start with the installation process.
Select “I accept the license agreement” and click “Next”
Click “Next” to install the PAN 802.1x Connector with the Application menu group of “PAN 802.1X
Connector”.
Optionally a shortcut can be created on the desktop. If required, tick next to “Create desktop
icon”.
Click “Install” to start installing the PAN 802.1x Connector application.
The PAN 802.1x Connector application may optionally be launched after successfully installing.
Please ensure that you have your application license key ready. The application requires a valid
license key before any configuration may be done. Untick the tick box next to “Launch PAN 802.1x
Connector” if you do not have your license key ready or if you want to perform the configuration
at a later stage. Click “Finish” to complete the installation.
The installation directory for the PAN 802.1x Connector application is “C:\Program Files
(x86)\PAN 802.1x Connector”. It is a 32bit application.
A desktop shortcut will be placed on the desktop if this option was selected during the installation.
A start menu folder will be created with the name “PAN 802.1x Connector”.
STEP 2 – ACTIVATE THE PAN 802.1X CONNECTOR APPLICATION
The application requires activation by means of a license key upon first run. Your license key
would have been emailed to the email address specified during the purchase process. Please check
your email spam folder if you did not receive an email containing your license key. If you are
evaluating the application, a 30 day evaluation license key would have been emailed to the
specified email address during checkout. Please check your email spam folder if you did not
receive your evaluation license key. Alternatively, you may request an evaluation license by
emailing [email protected].
An email containing your license key will look similar to the below screen output:
Email [email protected] if you have any issue with your license particulars such as Palo
Alto firewall serial number(s) associated with your license key. Verify all particulars of your license
entitlement.
Select and copy the license key.
Launch the PAN 802.1x Connector application and paste the copied license key into the text box.
Click “Accept”.
The PAN 802.1x Connector application will open the configuration screen if the license key was
accepted. If not, an error message will be displayed.
The first task after successfully activating the application is to navigate to the “Status” page and
verify your license entitlement. Verify that the particulars associated with your license are correct.
It is important to check and verify that the correct Palo Alto Networks’ firewall serial number(s) are
listed under the “Status” page, and that the correct license type is displayed.
The PAN 802.1x Connector service will not push any user to IP mappings to any
Palo Alto Networks firewall or firewalls which are not listed under the “Licensed Palo
Alto Networks firewall serial numbers”. The PAN 802.1x Connector software license
is linked to the supplied Palo Alto Networks firewall serial number or serial numbers
in HA deployments.
Proceed to the next step if your license details are verified and correct.
STEP 3 – CONFIGURING THE PAN 802.1X CONNECTOR APPLICATION
Configuration settings can be found by expanding “User Identification” and then clicking on “PAN
802.1x Connector Setup”
The PAN 802.1x Connector service related configuration details, the Palo Alto Networks firewall(s)
configuration as well as the DHCP server configuration will be in the right hand pane. The PAN
802.1x Connector service configuration and Palo Alto Networks firewall(s) will be set up first. For
more information on each setting, see table 1.
Settings for a secondary Palo Alto Networks firewall will only be available if you activated
your PAN 802.1x Connector software using a high availability license.
Table 1: PAN 802.1x Connector Settings Explained

Windows Service Logon Account Username
    Specify a Microsoft Windows account with which the PAN 802.1x Connector service will be
    installed and started as a service. Any Microsoft Windows account belonging to the Microsoft AD
    group “Administrators” will work. For a more restrictive Windows service account, see page 46
    for the minimum administrator rights required.

Windows Service Logon Account Password
    Password for the specified Microsoft Windows account.

Software License
    PAN 802.1x Connector software license.

Primary Palo Alto Networks Firewall IP
    Primary Palo Alto Networks firewall IP to which the PAN 802.1x Connector service will be
    communicating. User to IP mappings will be pushed to this specified IP on port 443. Ensure that
    the Palo Alto Networks firewall web interface is accessible on this IP.

Primary Palo Alto Networks Firewall API key
    It is necessary to generate an API key which the PAN 802.1x Connector service will use to
    authenticate with the Palo Alto Networks firewall. A Palo Alto Networks firewall key can be
    generated by clicking the "Generate" button. Ensure that the Palo Alto Networks firewall is
    online and reachable before clicking on the "Generate" button. You will be prompted to enter a
    username and password after clicking on "Generate". Fill in the Palo Alto Networks firewall
    login credentials. The PAN 802.1x Connector application will use these credentials to generate
    a Palo Alto Networks firewall API key.

User Identification timeout (min)
    This value is pushed with the user and IP mapping to the Palo Alto Networks firewall. The
    firewall uses this value as the user cache timeout value, i.e. the user mapping will be removed
    from the Palo Alto Networks firewall user database after the specified time is reached. The
    default is 90 minutes. Maximum is 44640.

Secondary Palo Alto Networks Firewall IP
    This setting is only available when a high availability PAN 802.1x Connector software license
    was purchased and activated. The PAN 802.1x Connector service can push user to IP mappings to
    a secondary Palo Alto Networks firewall. This ensures user to IP mappings are sent to both your
    Palo Alto Networks HA primary and secondary firewalls.

Secondary Palo Alto Networks Firewall API key
    An API key must be generated to allow the PAN 802.1x Connector service to authenticate and
    communicate with the secondary Palo Alto Networks firewall. Ensure that the secondary firewall
    is reachable and online. Click on the button "Generate". You will be prompted for a username
    and password after clicking on "Generate". Fill in the Palo Alto Networks firewall login
    credentials. The PAN 802.1x Connector application will use these credentials to generate a Palo
    Alto Networks firewall API key.

User Identification timeout (min)
    This value is sent with the user and IP mapping to the secondary Palo Alto Networks firewall.
    The firewall uses this value as the user cache timeout value, i.e. the user mapping will be
    removed from the Palo Alto Networks firewall user database after the specified time is reached.
    The default is 90 minutes. Maximum is 44640.
Click the button after completing the configuration. At this point the PAN 802.1x
Connector application related settings are configured. The next step is to add a DHCP server or
servers which the PAN 802.1x Connector service will use to perform MAC to IP address lookups.
STEP 4 – ADDING DHCP SERVERS
The PAN 802.1x Connector application will perform MAC to IP address lookups using the specified
DHCP server(s). The PAN 802.1x Connector application supports 3 types of DHCP servers at
present. These are: Microsoft 2008, Microsoft 2008 R2, Microsoft 2012, Microsoft 2012 R2, Palo
Alto Networks and Cisco IOS based DHCP servers. The application will attempt to look up the IP
address of the user’s device MAC address found in a successful authentication log generated by the
Microsoft Network Policy Server (NPS). The authenticated username will be combined with the
discovered IP address if the IP address lookup was successful. The application uses various
connection methods to connect to the respective DHCP servers. See table 2 for more information.
The order of processing is top down. It is recommended to list the DHCP servers in descending
order of use: the most used DHCP servers first, least used last. The PAN 802.1x Connector service
will perform an IP address lookup on each of the DHCP servers in the list until a match is found or
the last DHCP server is processed. If no match was found after the last DHCP server was processed,
the PAN 802.1x Connector service exits with “MAC not found on configured DHCP servers” in the logs.
Table 2: DHCP Server Types Explained

Microsoft DHCP server (Microsoft Server 2008, 2008 R2, 2012, 2012 R2)
    Connection method: Local DHCP DLL libraries are called if the DHCP server is local. RPC calls
    are used if the DHCP server is running on a remote Microsoft DHCP server.
    Required permissions: The configured Microsoft Windows service account must have permissions
    to read the local and/or remote Microsoft DHCP server leases using RPC calls. See table 1. The
    configured service account must be part of the correct AD groups. See page 46 for more
    information.

Palo Alto Networks DHCP server
    Connection method: The Palo Alto Networks firewall is accessed on port 443 to retrieve the
    DHCP client leases.
    Required permissions: The configured Palo Alto Networks firewall API username and password
    must have permission to access the Palo Alto Networks REST API (SSL port 443).

Cisco IOS DHCP server
    Connection method: The DHCP client bindings are retrieved via an SSH2 connection to the Cisco
    device.
    Required permissions: SSH2 must be configured and running on the Cisco IOS device. A valid
    username and password must be supplied to log into the Cisco IOS device. Only user EXEC mode
    is required.
The PAN 802.1x Connector service will perform a second lookup attempt for a given MAC
address if a match was found on the configured DHCP server(s). The delay between the
first and second lookup is 3 seconds. This is by design. This caters for DHCP servers that
can take up to 3 seconds to allocate a DHCP lease to a requesting DHCP client.
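The processing described in step 4 (MAC to IP lookup across the configured DHCP servers, top down, with the 3 second second attempt) and the user identification timeout from table 1, as an added worked example that is not CodeCentrix's code: it pulls the user and MAC out of a constructed event ID 6272 record, normalises the MAC notations the three DHCP server types use, walks the servers in order and builds a PAN-OS User-ID login payload carrying the timeout. The 6272 field names, the lease data, the `show ip dhcp binding` text and the `uid-message` shape are assumptions of the example, not taken from the guide.

```python
import re
import time
import xml.etree.ElementTree as ET

# Constructed NPS event ID 6272 record (not captured from a real server); the
# EventData field names follow the NPS 6272 schema as an assumption of this example.
SAMPLE_EVENT_6272 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6272</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">John</Data>
    <Data Name="CallingStationID">00-0C-29-AB-CD-EF</Data>
  </EventData>
</Event>"""

# Constructed lease data standing in for what the three DHCP server types return.
MS_LEASES = {"10.1.10.21": "00-0C-29-11-22-33"}      # Microsoft scope (DLL/RPC lookup)
PAN_LEASES = {"10.1.30.7": "00:0c:29:aa:bb:cc"}      # PAN-OS DHCP leases (API, port 443)
CISCO_SHOW_IP_DHCP_BINDING = """\
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
10.1.20.55          0100.0c29.abcd.ef       Mar 01 2015 10:15 AM    Automatic
"""

def parse_event_6272(xml_text):
    """Return (username, calling station MAC) from one 6272 record."""
    root = ET.fromstring(xml_text)
    event_id = next(e.text for e in root.iter() if e.tag.split("}")[-1] == "EventID")
    if event_id != "6272":
        raise ValueError("not a successful NPS authentication (event 6272)")
    data = {e.get("Name"): (e.text or "").strip()
            for e in root.iter() if e.tag.split("}")[-1] == "Data"}
    return data["SubjectUserName"], data["CallingStationID"]

def normalize_mac(raw):
    """Canonical 12 hex digits for NPS 00-0C-29-AB-CD-EF, PAN-OS 00:0c:29:ab:cd:ef,
    Cisco 000c.29ab.cdef and the Cisco client-id 0100.0c29.abcd.ef (01 = Ethernet)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) == 14 and digits.startswith("01"):
        digits = digits[2:]                        # drop the hardware-type octet
    if len(digits) != 12:
        raise ValueError("unrecognised MAC or client-id: %r" % raw)
    return digits

def lease_table_lookup(leases, mac):
    """MAC to IP over an {ip: mac} lease table (Microsoft or PAN-OS style)."""
    wanted = normalize_mac(mac)
    return next((ip for ip, m in leases.items() if normalize_mac(m) == wanted), None)

def cisco_binding_lookup(show_output, mac):
    """Scan the complete 'show ip dhcp binding' table the connector pulls over SSH."""
    wanted = normalize_mac(mac)
    for line in show_output.splitlines():
        m = re.match(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F.]+)\s", line)
        try:
            if m and normalize_mac(m.group(2)) == wanted:
                return m.group(1)
        except ValueError:
            pass                                   # non-Ethernet client-id, skip it
    return None

# Configured servers in top-down order: (name, NetBIOS domain, lookup function).
SERVERS = [
    ("Head office (Microsoft)", "ACME", lambda mac: lease_table_lookup(MS_LEASES, mac)),
    ("Branch (PAN-OS)", "ACME", lambda mac: lease_table_lookup(PAN_LEASES, mac)),
    ("Lab (Cisco IOS)", "ACMELAB", lambda mac: cisco_binding_lookup(CISCO_SHOW_IP_DHCP_BINDING, mac)),
]

def lookup_ip(servers, mac, retry_delay=3.0, sleep=time.sleep):
    """Top-down walk; on no match wait the guide's 3 seconds and try once more."""
    for attempt in range(2):
        for name, domain, lookup in servers:
            ip = lookup(mac)
            if ip:
                return name, domain, ip
        if attempt == 0:
            sleep(retry_delay)                     # assumed to cover slow lease allocation
    return None, None, None

def build_uid_message(netbios_domain, username, ip, timeout_min=90):
    """PAN-OS User-ID XML API login payload (type=user-id request); assumed shape,
    the guide does not show the connector's own payload."""
    if not 1 <= timeout_min <= 44640:
        raise ValueError("timeout must be between 1 and 44640 minutes")
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    ET.SubElement(login, "entry", name=netbios_domain + "\\" + username, ip=ip, timeout=str(timeout_min))
    return ET.tostring(root, encoding="unicode")

def process_event(xml_text, servers, timeout_min=90, sleep=time.sleep):
    """One pass of the connector's logic: 6272 log -> MAC -> IP -> mapping payload."""
    user, mac = parse_event_6272(xml_text)
    name, domain, ip = lookup_ip(servers, mac, sleep=sleep)
    if ip is None:
        return "MAC not found on configured DHCP servers", None
    return "mapped via %s" % name, build_uid_message(domain, user, ip, timeout_min)

if __name__ == "__main__":
    print(*process_event(SAMPLE_EVENT_6272, SERVERS, sleep=lambda s: None), sep="\n")
```

The sleep hook lets the 3 second retry be observed without waiting; the production connector would use a real delay.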
The configurable parameters for each DHCP server type are explained below. To add a DHCP
server, click on the “Add” button.
i. DHCP server type “Microsoft”
Server Name Fill in a short descriptive name for the DHCP server
Domain The domain will be prepended to the authenticated user by the
PAN 802.1x service before being pushed to the configured Palo
Alto Networks firewall(s). The domain must be in NetBIOS
format and not in FQDN. If the fully qualified domain name for
a company’s Active Directory domain is acme.com and the
NetBIOS domain name is ACME, fill in ACME in the domain field.
Authenticated users will be pushed to the configured Palo Alto
Networks firewall(s) as “<NETBIOS>\<username>”. For
example, an authenticated user “John” will be mapped as
“ACME\John” when pushed to the firewalls. The firewall(s) will
accept <FQDN domain>\<username> as well. This may result
in users not matching security policies correctly on the
firewall(s). Always use the Microsoft NetBIOS domain name.
Server IP Fill in the Microsoft DHCP server IP. This can be the local server
IP or a remote Microsoft DHCP server IP. Do not use the local
host IP address if the DHCP server is local. (Do not use
127.0.0.1). Fill in the local network interface IP address on
which the DHCP server is running. Refer to your Microsoft
DHCP server configuration to verify on which network interface
the DHCP server is running
Server type Select “Microsoft”
Subnet Fill in the IP subnet for which the PAN 802.1x Connector must
do MAC to IP lookups. This will be the configured Microsoft
DHCP server scope subnet. Do not fill in the subnet mask, only
the subnet as configured in your Microsoft DHCP server. Below
is a screen snapshot of a Microsoft DHCP server scope. To open
the Microsoft DHCP server console, click “Start”, then navigate
to the “Administrative tools” menu and on click DHCP. The list
of available subnets will be displayed under the IPV4 section
ii. DHCP server type “Palo Alto Networks”
Server Name Fill in a short descriptive name for the DHCP server
Domain The domain will be prepended to the authenticated user by the
PAN 802.1x service before being pushed to the configured Palo
Alto Networks firewall(s). The domain must be in NetBIOS
format and not in FQDN. If the fully qualified domain name for
a company’s Active Directory domain is acme.com and the
NetBIOS domain name is ACME, fill in ACME in the domain field.
Authenticated users will be pushed to the configured Palo Alto
Networks firewall(s) as “<NETBIOS>\<username>”. For
example, an authenticated user “John” will be mapped as
“ACME\John” when pushed to the firewalls. The firewall(s) will
accept <FQDN domain>\<username> as well. This may result
in users not matching security policies correctly on the
firewall(s). Always use the Microsoft NetBIOS domain name.
Server IP Fill in the IP address of the Palo Alto Networks firewall running
the DHCP server. Please note that the API key configured in the
PAN 802.1x Connector application settings will be used for
accessing the Palo Alto Networks firewall(s) to retrieve DHCP
client leases. For more information regarding the API key, see
step 3 on page 13.
Server type Select “Palo Alto Networks”
Interface Fill in the Ethernet interface on which the DHCP server is
enabled on the Palo Alto Networks firewall. To find out on
which interface DHCP is running, log on to the Palo Alto
Networks firewall web interface and navigate to “DHCP”. The
“DHCP” settings can be found under the “Network” tab.
iii. DHCP server type “Cisco”
Server Name Fill in a short descriptive name for the DHCP server
Server IP Fill in the IP address of the Cisco IOS device on which the
DHCP server is enabled and running. Ensure that SSH2 is
configured and enabled on the Cisco IOS device, and that the
device is accepting SSH2 logins. You may verify SSH2
connectivity to your Cisco IOS device by using an SSH2 capable
application such as “PuTTY” and connecting to your Cisco IOS
device from the Microsoft server running the PAN 802.1x
Connector service. You will be prompted for login credentials by
the Cisco device if SSH2 is enabled. You may be blocked or
SSH2 is not enabled on the Cisco IOS device if no login prompt
is displayed.
Server type Select “Cisco”
SSH2 username Fill in the SSH2 username with which the PAN 802.1x
application will connect to the Cisco device
SSH2 password Fill in the SSH2 password
Domain The domain will be prepended to the authenticated user by the
PAN 802.1x service before being pushed to the configured Palo
Alto Networks firewall(s). The domain must be in NetBIOS
format and not in FQDN. If the fully qualified domain name for
a company’s Active Directory domain is acme.com and the
NetBIOS domain name is ACME, fill in ACME in the domain field.
Authenticated users will be pushed to the configured Palo Alto
Networks firewall(s) as “<NETBIOS>\<username>”. For
example, an authenticated user “John” will be mapped as
“ACME\John” when pushed to the firewalls. The firewall(s) will
accept <FQDN domain>\<username> as well. This may result
in users not matching security policies correctly on the
firewall(s). Always use the Microsoft NetBIOS domain name.
The Cisco DHCP server does not require the configuration of an IP subnet. The
PAN 802.1x Connector application will retrieve the complete DHCP binding table
from the Cisco device.
Configuration of the PAN 802.1x Connector application is now complete. In the next section
the PAN 802.1x Connector service will be installed and started as a Windows service. The
service will persist and automatically start after a reboot.
STEP 5 - INSTALLING AND STARTING THE PAN 802.1X CONNECTOR
SERVICE
The PAN 802.1x Connector service is responsible for processing incoming Microsoft Network Policy
Server (NPS) security event logs, discovering IP addresses associated with an authenticated user
and pushing successfully mapped user to IP mappings to the Palo Alto Networks firewall(s). The
service is configured to automatically start with the Microsoft Windows server. The service can be
manually stopped if required from within the PAN 802.1x Connector application or by stopping the
service from the Windows services console. In the PAN 802.1x Connector application, click on the
“Service Setup” menu. The service can be installed, uninstalled, started or stopped from here.
Please ensure that step 3 is completed before proceeding.
i. Install the Service
The PAN 802.1x Connector application must be installed first before the service can be
started or stopped. The service only has to be installed once. The PAN 802.1x Connector
service can be installed by clicking on the “Install” button. This will install and register the
PAN 802.1x Connector application as a Windows service. The service can be uninstalled by
clicking on the “Uninstall” button on the same page.
Optionally, verify that the service is installed by launching the Microsoft Windows services
manager. The Microsoft Windows services manager may be launched by searching for and
running the command “services.msc” from the Microsoft Windows start bar.
Look for a service named “PAN 802.1x Connector” within the Microsoft services manager.
ii. Start the Service
The service may be started and stopped if it was successfully installed. Click on “Start” to
start the service. Click on “Stop” to stop the service.
The PAN 802.1x Connector service is now installed and running.
The PAN 802.1x Connector application and service are now fully configured, installed and
running as a Windows system service. The next section of the installation guide goes
through various steps to verify that your installation is working as expected. Read through
the “Configuration tips and troubleshooting” section on page 50 if your service does not
start, or if you experience any other issues. It is important that your service is running
before continuing to the next section, entitled “Verifying the PAN 802.1x Connector installation”.
Verifying the PAN 802.1x Connector installation
This part of the installation guide will test the various components of the PAN 802.1x Connector
application and service. The correct functioning of the PAN 802.1x Connector service is dependent
on various components working as expected. There are 3 main components which will be tested.
The 3 components to be tested are:
- Accessing and reading the local Microsoft Windows security event logs
- Communicating with the configured Palo Alto Networks firewall(s)
- IP address lookup using a MAC address
For more information see appendix A for an operational overview of the PAN 802.1x
Connector service as well as a workflow chart detailing the processing logic.
Each of the components must be functional before a user to IP mapping can be created and
pushed to the Palo Alto Networks firewall(s). Testing the PAN 802.1x Connector configuration
starts by verifying read access to the local Microsoft Windows security event logs.
STEP 1 – VERIFY READ ACCESS OF THE MICROSOFT SECURITY EVENT
LOGS
The Microsoft security event logs may be viewed by launching the Microsoft Event log viewer. The
PAN 802.1x Connector application will read the same Microsoft Windows security event logs. The
PAN 802.1x Connector test function “Test Security Event Log” will attempt to retrieve the last 10
Microsoft security events with ID 6272. The Microsoft Network Policy Server (NPS) server
generates event ID 6272 security logs for each user who authenticates successfully.
The test functions can be found by navigating to the “Testing” section within the PAN 802.1x
Connector application.
Navigate to “Test Security Event Log” by expanding the “Testing” menu. In the right hand pane
will be a button named “Retrieve”. Click on this button to attempt read access of the Microsoft
Windows security event logs.
The following output may be observed after clicking “Retrieve”:
Result: SUCCESS
Explanation of result: “SUCCESS” indicates that the PAN 802.1x Connector application
was able to successfully access the Microsoft security event
logs. The last 10 or less event logs will be displayed in the
results window. The output will contain the username and the
associated MAC address from which the user authenticated.
Resolution: It is possible to successfully access the Windows security event
logs yet no results in the output box. The two most common
reasons for this are:
1) There are no security event ID 6272 logs in the Windows
security logs. This can be manually verified by launching
the Windows Event viewer
(https://technet.microsoft.com/en-us/library/cc766401.aspx) and searching for event ID 6272
logs in the Windows security logs. Verify that there are
event ID 6272 logs. You may generate an event 6272
event ID by performing a successful 802.1x authentication.
Refresh the Event viewer and recheck.
2) Successful Microsoft NPS authentications may not be
logged. See the following document for more information
on how to check the current Microsoft NPS logging level
(https://technet.microsoft.com/en-us/library/cc731085(v=ws.10).aspx). Ensure that
“Successful authentication requests” are checked, click
“Ok” and restart the Microsoft NPS service. Recheck the
Windows security event logs for event ID 6272 logs after
successfully performing an 802.1x authentication
The PAN 802.1x Connector service is dependent on Microsoft security event logs with ID 6272. No
user to IP mappings will be generated if the Microsoft NPS server generates no event ID 6272 logs.
Check the Microsoft NPS documentation or Microsoft support forums if you still do not see any
security event ID 6272 logs after trying the above suggestions.
Result: FAILED – “Attempted to perform an unauthorized operation”
Explanation of result: Failure to read the security event logs may be the result of the
configured Windows service account not having enough
permission to access the Windows security event logs. The
service account must be part of the built-in Microsoft Active
Directory group “Event log readers” to be able to read the
Windows security event logs.
Resolution: There are a couple of tests that may be performed to verify if
the issue is related to the Windows service account. If you
configured a service account with limited rights, try using an
administrator account with full admin rights. See page 46 for
more information on the minimum service account permissions.
A simple command using Microsoft’s native command prompt
event viewer application may be used to test read access to the
Windows security event logs.
Use the following command to test:
Wevtutil qe security /q:"*[System [(EventID=6272)]]" /u:<DOMAIN\username> /p:<password> /r:<SERVER IP> /c:<count>
The command uses the specified Windows service account to access and retrieve the last <count>
security event logs with event ID 6272 from the Microsoft Windows security logs. Replace
<DOMAIN\username>, <password>, <SERVER IP> and <count> with the appropriate values.
An example of how the command may be used is shown below. The output of the command is
also shown:
C:\Users\spock>Wevtutil qe security /q:"*[System [(EventID=6272)]]" /u:lab\servicetest /p:12345678 /r:127.0.0.1 /c:1
The following command uses an incorrect password for the specified Windows service account.
The error output of the command is also shown. See page 46 for more information on what the
minimum permissions are for a restricted Windows service account.
C:\Users\spock>Wevtutil qe security /q:"*[System [(EventID=6272)]]" /u:lab\servicetest /p:wrongpassword /r:127.0.0.1 /c:1
Troubleshoot and correct any “Access is denied” errors when using your specified
Windows service account.
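The username and MAC address shown in the test window come from the 6272 record itself. The following Python parser is added here as an example and is not part of the CodeCentrix product: it reads the XML that wevtutil qe prints, keeps only records with the wanted event ID (useful when the log was queried without the /q: filter) and pulls out the user, domain and Calling-Station-Id. The sample records are constructed; the Data field names follow Microsoft's NPS auditing schema, while every value is made up.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML as printed by "wevtutil qe".
EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: wevtutil prints one <Event> per record, back to back, with no
# enclosing root element. Record 1 is a grant (6272), record 2 a deny (6273).
SAMPLE_WEVTUTIL_OUTPUT = r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Security-Auditing'/>
    <EventID>6272</EventID>
    <TimeCreated SystemTime='2015-06-01T08:15:30.000000000Z'/>
    <Computer>nps01.lab.example</Computer>
  </System>
  <EventData>
    <Data Name='SubjectUserName'>spock</Data>
    <Data Name='SubjectDomainName'>LAB</Data>
    <Data Name='FullyQualifiedSubjectUserName'>LAB\spock</Data>
    <Data Name='CalledStationID'>00-1A-2B-3C-4D-5E:corp-wifi</Data>
    <Data Name='CallingStationID'>00-13-46-8B-BE-B2</Data>
    <Data Name='NASIPv4Address'>10.0.0.5</Data>
  </EventData>
</Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Security-Auditing'/>
    <EventID>6273</EventID>
    <TimeCreated SystemTime='2015-06-01T08:16:02.000000000Z'/>
    <Computer>nps01.lab.example</Computer>
  </System>
  <EventData>
    <Data Name='SubjectUserName'>guest</Data>
    <Data Name='SubjectDomainName'>LAB</Data>
    <Data Name='CallingStationID'>AA-BB-CC-DD-EE-01</Data>
  </EventData>
</Event>
"""


def parse_nps_events(xml_text, event_id="6272"):
    """Return one dict per record whose EventID equals event_id.

    The 6272 record carries the user in SubjectUserName/SubjectDomainName and the
    supplicant's MAC in CallingStationID; the MAC spelling depends on the switch or AP."""
    # Wrap the concatenated records in a root so the whole output parses as one document.
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    events = []
    for ev in root.findall("e:Event", EVENT_NS):
        if ev.findtext("e:System/e:EventID", namespaces=EVENT_NS) != event_id:
            continue
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.findall("e:EventData/e:Data", EVENT_NS)}
        time_el = ev.find("e:System/e:TimeCreated", EVENT_NS)
        events.append({
            "time": time_el.get("SystemTime") if time_el is not None else "",
            "computer": ev.findtext("e:System/e:Computer", default="", namespaces=EVENT_NS),
            "domain": data.get("SubjectDomainName", ""),
            "username": data.get("SubjectUserName", ""),
            "calling_station_id": data.get("CallingStationID", ""),
            "nas_ip": data.get("NASIPv4Address", ""),
        })
    return events


def summarize(events):
    """Mirror the guide's advice for a SUCCESS result whose output window is empty."""
    if not events:
        return ("No event ID 6272 records: check that 6272 events exist in the Security log "
                "and that NPS is set to log successful authentication requests.")
    first = events[0]
    return (f"{len(events)} event ID 6272 record(s); first listed: "
            f"{first['domain']}\\{first['username']} from {first['calling_station_id']}")
```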
You may continue to test the rest of the PAN 802.1x Connector application components regardless
of the result from testing the read access of the Microsoft security event logs. Each component of
the PAN 802.1x Connector application may be tested independently of each other. Note that the
PAN 802.1x Connector application is reliant on each component working correctly.
STEP 2 – TEST CONNECTIVITY TO THE PALO ALTO NETWORKS
FIREWALL(S)
This test function will test connectivity to the Palo Alto firewall or firewalls when in high availability.
The PAN 802.1x Connector application will attempt to access the firewall(s) using the settings
specified on the PAN 802.1x Connector setup. Click on “Test Palo Alto Networks Firewall” under
the “Testing” sub menu. Click on the “Verify” button.
Result: Palo Alto Networks firewall 1: Successful
Palo Alto Networks firewall 2: Successful
Explanation of result: Communication with the configured Palo Alto Networks firewall
was successful. In case of high availability, communication with
both Palo Alto Networks firewalls will be tested.
Resolution: No further action required. Component functions as expected.
The Palo Alto Networks firewall(s) are reachable and the
Palo Alto Networks API key is correct.
Result: Palo Alto Networks firewall 1: Failed
Palo Alto Networks firewall 2: Successful
Explanation of result: Communication with the primary Palo Alto Networks firewall
failed. Communication with the secondary Palo Alto Networks
firewall was successful.
Resolution: This may be due to one of the following reasons:
1) The primary Palo Alto Networks firewall management
interface may not be accessible. Test connectivity to the
primary Palo Alto Networks firewall management interface
by launching a web browser and navigating to
HTTPS://<Firewall IP>. The Palo Alto Networks firewall
web interface page should be displayed.
If it is not displayed, the Palo Alto Networks firewall
management interface is unreachable or inaccessible from the
PAN 802.1x Connector application. This may be due to network
related issues such as routing, or firewall policies blocking
access from the Microsoft server running the PAN 802.1x
Connector application to the primary Palo Alto Networks firewall.
Verify that the routing is correct and that no security
appliances or routing devices are blocking access to the
primary Palo Alto Networks firewall’s IP and port 443 from
the Microsoft server’s IP.
2) Another possible cause may be access control lists applied
to the Palo Alto Networks firewall management interface.
Verify that the management interface allows access to the
IP address of the Microsoft server running the PAN 802.1x
Connector by navigating to “Device > Setup >
Management Interface Settings” on the Palo Alto Networks firewall.
Resolution: Verify that routing between the Microsoft server and the Palo
Alto Networks firewall is correct. Try and ping the Palo Alto
Networks’ management interface. Ensure that there are no
firewall rules blocking access to the Palo Alto Networks firewall
IP on TCP port 443. Also ensure that the Microsoft Server IP is
added to the Palo Alto Networks’ management interface access
list (“permitted IP”) if the access control list is being used.
Please consult the Palo Alto Networks administration guide for
more information on how to configure this function. A failed result
may be observed on either the primary or secondary Palo Alto
Networks firewall. Follow the same troubleshooting procedure
as outlined for either primary or secondary failed results. Try
using a different Palo Alto Networks firewall API key if routing is
correct and the Palo Alto Networks web interface is accessible.
Generate a new API key in the PAN 802.1x Connector
application settings page using a different set of login
credentials and retest. See page 13 for information on
generating an API key.
Result: Palo Alto Networks firewall 1: Failed
Palo Alto Networks firewall 2: Failed
Explanation of result: The PAN 802.1x Connector application cannot connect to either
the primary or secondary Palo Alto Networks firewall.
Resolution: Follow the same diagnostic steps as outlined above.
STEP 3 – TEST DHCP SERVER
This function tests the IP lookup component of the PAN 802.1x application. The function will
attempt to resolve a given MAC address to an IP address by querying the configured DHCP
server(s). A MAC address is required as input. You may use a MAC address from any device source
such as Android, Apple or Microsoft Windows systems.
Ensure that the mobile device, laptop or network devices received an IP address
from a DHCP server before running this test. You will not see an IP address
returned in the result output if the network device has not received an IP address
yet. You may see an IP address returned if the network device did receive an IP
address prior and the DHCP lease has not yet expired. Furthermore ensure that the
DHCP server is added to the DHCP server configuration of the PAN 802.1x
Connector application. For more information on how to add a DHCP server, refer to
page 16.
Navigate to “Testing” and then click on “Test DHCP Servers”
Fill in the MAC address at location A. A DHCP server must be configured in the PAN 802.1x
Connector application settings page. Multiple DHCP servers may be configured. The test function
will query each one of the configured DHCP servers once until a match is found. The test function
will exit when a match is found or the last DHCP server was queried. The discovered IP address
will be displayed in the “Returned IP Address” output. The test function will exit with a “Not
found” result if no match is found on any of the configured DHCP servers.
Below is an example of how to use the “Test DHCP server” test function:
Open a command prompt on a Microsoft Window host. Run the command “ipconfig /all”. This will
list all network adapter information including the MAC address for each network interface. Scroll
through the output until the interface with the IP address that you are interested in is found. In
this example the Wireless adapter’s MAC address will be used.
Fill in the MAC address
Click on the “Find” button after filling in the MAC address of the network interface. The PAN
802.1x Connector application will now query the configured DHCP server(s) by inspecting the
DHCP server client leases (“or bindings”). The PAN 802.1x Connector application will do a top
down processing sequence of the DHCP servers if more than one is configured. Be sure to test
MAC addresses from multiple hosts if more than one DHCP server and subnet is in use. This will
ensure that all IP subnets are verified and working within the PAN 802.1x Connector application.
Result: SUCCESS Return IP Address <IP ADDRESS>
Explanation of result: An IP address was successfully retrieved from the configured
DHCP servers. The component works as expected.
Resolution: No further action is required. The DHCP function successfully
discovered the IP address associated with the MAC address
entered.
Result: FAILED
Explanation of result: The PAN 802.1x Connector application was not able to discover
the IP address of the supplied MAC address on the configured
DHCP server(s). This may be due to routing issues, incorrect
configuration of the DHCP servers or the DHCP client lease is
not present on the DHCP servers.
Resolution: Ensure that you can ping the DHCP server(s) if possible. Also
verify that there is a valid DHCP lease on the configured DHCP
server. Consult the respective DHCP server documentation on
how to view current DHCP client leases. A brief overview of
viewing DHCP client leases on the different types of DHCP
servers is given in the following section. Also review your
DHCP server configuration within the PAN 802.1x Connector
application. Ensure that the correct interface is specified for
DHCP type Palo Alto, and that the correct subnet is configured
for DHCP type Microsoft.
Verify that a valid DHCP client lease does exist on the configured DHCP server
DHCP type: Microsoft
Launch the “DHCP” console from the “Administrative tools” control panel on the Microsoft Windows
server running the DHCP service.
DHCP type: Cisco IOS
Connect to the Cisco IOS device using SSH. A free SSH2 application named “Putty” may be used to
connect to the Cisco IOS device. Once connected, run the command “show ip dhcp binding”.
The Cisco IOS may display the client ID instead of the actual MAC address of the
DHCP client. Typically the client ID is 14 characters long whereas a MAC address is
12 characters long. To determine the MAC address, use the 12 right most
characters. For example, a Client-ID of "0100.1346.8bbe.b2" may be displayed for a
DHCP client. Use only the right most 12 characters as the MAC. In this example, the
first 2 characters "01" must be omitted and only the last 12 characters used which
is "00.1346.8bbe.b2". This represents the MAC address (hardware address) of the
DHCP client.
DHCP type: Palo Alto
Log into the Palo Alto Networks web interface (HTTPS://<Palo Alto IP>). Navigate to “Network”
and then “DHCP”.
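To apply the Cisco IOS client-ID rule from the previous section without reading the table by eye, here is an added Python example (not from the guide or the product): it reduces any MAC or client-ID spelling to the right-most 12 hex digits, which drops the leading "01" of a 14-character client ID exactly as described, and then looks the MAC up in "show ip dhcp binding" output. The binding output below is constructed, and the lookup accepts colon, dash and dotted input forms, generalising the guide's single example.

```python
import re

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample of "show ip dhcp binding" output; addresses and times are made up.
# Row 1 and 2 carry 14-character client IDs (01 + MAC), row 3 a plain 12-character MAC.
SAMPLE_BINDINGS = """\
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type
                Hardware address/
                User name
10.10.20.15     0100.1346.8bbe.b2       Jun 01 2015 09:15 AM    Automatic
10.10.20.16     0144.d9e7.b3ac.1a       Jun 01 2015 09:20 AM    Automatic
10.10.20.17     0050.56a1.2b3c          Jun 01 2015 09:22 AM    Manual
"""


def normalize_mac(value):
    """Reduce a MAC or Cisco client ID to 12 lower-case hex digits.

    Separators (':', '-', '.') are dropped and the right-most 12 hex digits are kept,
    which removes the leading '01' (Ethernet hardware type) that IOS prepends to a
    14-character client ID. Returns None when fewer than 12 hex digits remain. ASCII
    client IDs that are not MAC-derived cannot be matched reliably this way."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", value)
    if len(digits) < 12:
        return None
    return digits[-12:].lower()


def format_mac(mac12):
    """Render 12 hex digits in the colon-separated form most systems display."""
    return ":".join(mac12[i:i + 2] for i in range(0, 12, 2))


def find_ip_for_mac(binding_output, mac):
    """Scan 'show ip dhcp binding' output for the lease that belongs to mac.

    Returns the leased IPv4 address, or None when no binding matches."""
    wanted = normalize_mac(mac)
    if wanted is None:
        return None
    for line in binding_output.splitlines():
        parts = line.split()
        # Data rows start with an IPv4 address; header and continuation lines do not.
        if len(parts) < 2 or not IPV4_RE.match(parts[0]):
            continue
        if normalize_mac(parts[1]) == wanted:
            return parts[0]
    return None
```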
STEP 4 – VERIFY THAT THE PAN 802.1X CONNECTOR SERVICE IS
RUNNING
The PAN 802.1x Connector service is responsible for mapping Microsoft NPS authenticated users to
IP addresses and pushing those to the Palo Alto Networks firewall(s). No user to IP mappings will
be pushed to the Palo Alto Networks firewalls if this service is not running. Verify the current
service status by clicking on “Status” in the PAN 802.1x Connector application.
Further verification may be done by launching the Microsoft Service manager console. This can be
done by clicking on “Services” from within the “Administrative tools” control panel on the Windows
server. Verify that the “PAN 802.1x Connector Service” is “Started”.
STEP 5 – CHECK THE PALO ALTO NETWORKS FIREWALL(S) FOR USER
MAPPINGS
The final verification step requires checking the Palo Alto Networks firewall or firewalls (HA) for
XMLAPI user mappings. SSH to the primary Palo Alto Networks firewall IP. Run the command
“show user ip-user-mapping-mp all type XMLAPI”. This command will output user to IP mappings
received via the Palo Alto Networks firewall API. User mappings with type “XMLAPI” are mappings
pushed by the PAN 802.1x Connector service.
The installation, configuration and verification of the PAN 802.1x Connector application and service
are now complete. Please read through the “Configuration tips and troubleshooting” section on
page 47 if you experienced any issues while configuring or testing any component of the PAN
802.1x Connector application.
Application and Service Logs
The application and service logs may be found under the “Monitoring” menu. Each of the logs
stores specific information related to one component of the PAN 802.1x Connector application.
Each log represents the following component of the PAN 802.1x Connector software:
PAN 802.1x Connector Log: Contains log messages related to the application itself as well
as anything related to the application interface. Examples of log
messages are errors while configuring the application,
application crashes or any application interface related log
messages.
PAN Service Log: This log contains messages related to the operations of the PAN
802.1x Connector service. Examples of log messages are event
ID 6272 events triggered, IP lookups of authenticated 802.1x
users, user to IP mappings pushed to Palo Alto Networks
firewalls as well as PAN 802.1x Connector service start up and
service related error messages. Licensing related messages are
also logged to this container. It is very useful for
troubleshooting purposes.
The log files are stored within the installation directory of the PAN 802.1x Connector application.
This is normally “C:\%programdata%\PAN 802.1X Connector”. A total of 6 log files will be stored
for each log container. Each of the 6 log files will consume a maximum of 10Mb disc space. The
logs will be rotated – this ensures that the logs will never consume more than 120Mb of disc
space.
By default the log level is set to “Information”. The log level can be changed by selecting “File”
and then “Log Level”.
During normal operation it is not necessary to set the log level to “Debug”; “Informational” is
sufficient. Be aware that setting the log level to “Debug” may generate too much information and
may impact performance. Always change the log level back to “Informational” after
troubleshooting. “Informational” generates more logs than “Error”, while “Debug” generates the
most log messages.
Application Licensing
The application license is perpetual. Renewal is required yearly for production licenses. There is no
cost involved with renewing PAN 802.1x Connector version 1 licenses. There are 3 types of
licenses.
Trial license. Valid for 30 days from issuing. Allows for the pushing of user to IP mappings
to a single Palo Alto Networks firewall only
Production license (Single). Fully functional production license. This license allows for
pushing of user to IP mapping information to one Palo Alto Networks firewall only. Valid for 1
year from issuing
Production license (High Availability). Fully functional production license. This license
allows you to push user to IP mapping information to two Palo Alto Networks firewalls. This
type of license is for environments where two Palo Alto Networks firewalls are configured in
high availability (HA).
The PAN 802.1x Connector application license is linked to the Palo Alto Networks
firewall serial number(s) specified during the licensing purchase. The PAN 802.1x
Connector service will not push user to IP mappings to any Palo Alto Networks
firewall for which the serial number is not within the license. You may view which
firewall serial number or numbers (HA) is allowed by clicking “Status” under the
“User Identification” menu item. For more information have a look at the service
logs under “Monitoring” when starting or restarting the service.
The license allows for the installation of the application on as many Microsoft Windows servers
needed. The license is linked to the Palo Alto Networks serial numbers and not how many
installations of the application. This allows the administrator to install the PAN 802.1x Connector
application on all Microsoft NPS servers for redundancy purposes.
Default Action upon License Expiry
It is important to note that the PAN 802.1x Connector service will be stopped when the license
expires. The PAN 802.1x Connector service will generate a log message indicating the reason. A
log message will be
generated informing the user that the license has expired on the specific date. The license expiry
date may be found on the “Status” page under “User Identification”. Please be sure to renew your
application license at least 2 weeks in advance of the license expiry date.
License Renewal
Licenses are renewed through the www.codecentrix.co.za/purchase web page. The license
renewal is done in a similar manner to purchasing the software. Select “renewal” as the license
type. Fill in your firewall serial number or numbers. A confirmation email will be emailed to the
email address which was supplied during the purchase. Your renewed license key will be emailed
to you once approved. Copy and paste your new license into the PAN 802.1x Connector application
settings’ “Software license” field. Click the “Update” button and restart the application. Your new
license will now be active. Verify the license particulars by clicking on the “User Identification”
menu item and then “Status”. Next stop and start the PAN 802.1x Connector service by clicking on
“Service Setup”, then “Stop” and “Start” after the service was stopped.
Upgrading to a High Availability License
License upgrades can be done through the www.codecentrix.co.za/purchase web page. Select
“License upgrade” when prompted for a license type. A confirmation email will be sent to the email
address once the request has been processed. Copy and paste your new license into the PAN
802.1x Connector application settings page. Click the “Update” button and restart the application.
Your new license should now be active. Verify the license particulars by clicking on the “User
Identification” menu item and then “Status”. Next configure the secondary Palo Alto Networks
firewall settings. Click “Update” and then restart the service by going to the “Service Setup” sub
menu. First stop the running service by clicking on “Stop”. Click on “Start” after the service was
stopped. Check the PAN 802.1x Connector service logs to verify that the service was started
successfully.
For any licensing related questions or issues, please email [email protected]
CONFIGURATION TIPS AND TROUBLESHOOTING
Minimum rights required to run the PAN 802.1x Connector service
The PAN 802.1x Connector application must always be “Run as Administrator”. For security
reasons, the PAN 802.1x Connector service may be started with a more restrictive account. The
following are the minimum rights required by the service account:
1) “Log on as a service” rights. Add the service account to the “Log on as a service” local policy.
This can be done by editing the local security policy on the Microsoft server running the
Microsoft Network Policy Server (NPS). Please refer to the following document for more
information - https://technet.microsoft.com/en-us/library/cc739424%28v=ws.10%29.aspx
2) Add the service account to the following groups:
a. Server operators
b. Event log readers
c. Distributed COM users
d. DHCP users
This will allow the PAN 802.1x Connector service to run with minimum rights on the Microsoft
server.
Backup/Restore the PAN 802.1x Connector configuration
The PAN 802.1x Connector application configuration file is stored in the directory
“C:\%programdata%\PAN 802.1X Connector”. Copy the file “configfile.xml” and store it in a safe
place. To restore a configuration after a new installation, copy the backed up file “configfile.xml”
into the directory “C:\%programdata%\PAN 802.1X Connector”. This will restore the full
configuration including the software license. Please do not edit the configuration file manually.
The PAN 802.1x Connector application will reset the configuration to default!
Optimising Microsoft NPS session, DHCP and user-ID timeout values
It is important to ensure that your timeout values for each of these systems are configured in the
correct ratios. This is to ensure that user to IP mappings do not expire before an 802.1x
re-authentication occurs.
It is recommended that the DHCP client lease be configured to expire at a minimum every 24
hours, the Microsoft Network Policy Server (NPS) client sessions every 60 minutes and the PAN
802.1x Connector application user-ID timeout every 270 minutes. This configuration will ensure
that a user’s 802.1x session is re-authenticated every 60 minutes. It is completely transparent to
the end user. They will not have to fill in their login credentials every 60 minutes. All devices will
cache the login credentials and use them to authenticate automatically and seamlessly in the
background. This will result in the PAN 802.1x Connector service pushing re-authenticated user
mappings to the configured Palo Alto Networks firewalls every 60 minutes. It ensures that the user
mapping is refreshed every 60 minutes on the firewall – long before the configured Palo Alto
Networks firewall user cache expiry time of 270 minutes.
Configure the Microsoft Network Policy Server session timeout value:
For more information, reference the following Microsoft NPS document (see “session timeout”) -
https://technet.microsoft.com/en-us/library/cc772474(v=ws.10).aspx
Configure the PAN 802.1x Connector user identification timeout:
Do not configure the PAN 802.1x Connector application user-ID session timeout lower than
the Microsoft NPS client session timeout. This will result in the Palo Alto Networks firewall
caching out a user mapping before they are re-authenticated.
For large network user environments, consider setting the Microsoft NPS client session timeout
value to 3 hours, and the PAN 802.1x Connector user-ID timeout value to 600 minutes (10 hours).
Problem with starting the PAN 802.1x Connector service
There could be a couple of reasons why the service could not be started. Always consult the PAN
802.1x Connector service log first. Possible reasons why the service could not be started are:
1) The configured service account may not have “Log on as a service” rights. Please see page 46
for more information. Try entering the username and password manually within the Windows
service manager console.
2) Microsoft Windows related issue such as the PAN 802.1x Connector service process is
unresponsive. It may be necessary to kill the service process and start it again. First find the
process ID of the PAN 802.1x Connector service by running the command “sc queryex
PANConnectorService”.
Now kill the PAN 802.1x Connector service by issuing the following command: “taskkill /f
/pid <PID>”. In the above example, the command would be as follows: “taskkill /f /pid
2004”. Restart the PAN 802.1x Connector service from within the PAN 802.1x Connector
application or Windows service manager console.
3) Attempt to start the service from within the Windows service properties window. Note down
any Windows error that you may receive. Consult Microsoft documentation on the error you
received. Have a look at the Windows event viewer for any errors related to the PAN 802.1x
Connector service – look for
Appendix A – PAN 802.1x Connector application operations
The PAN 802.1x Connector service operation is shown in the below flow diagram. The PAN 802.1x
Connector service is triggered by the Microsoft service sub system when a security event 6272 log is
generated. The Microsoft Network Policy Server (NPS) handles incoming 802.1x authentication
requests via the RADIUS protocol, and the Microsoft NPS server is responsible for generating
security event ID 6272 logs for successfully authenticated users. The PAN 802.1x Connector
service processes each log event as follows:
1) A user device connects and successfully authenticates to an 802.1x enabled network switch or
wireless access point.
2) Security event ID 6272 is generated by the Microsoft NPS server.
3) The PAN 802.1x Connector service processes event 6272: the username is extracted and stored
in memory, and the user device MAC address is extracted.
4) A MAC lookup is performed on the first DHCP server. If the MAC is not found on that DHCP
server, the next DHCP server in the list is tried, continuing until the last DHCP server has been
checked.
a. MAC not found on any DHCP server: no more DHCP servers, processing is complete and
the service exits.
b. MAC found on a DHCP server: the associated IP address is extracted.
5) The domain name from that DHCP server’s configuration is prepended to the username, and
the username is linked to the IP address.
6) The username to IP address mapping is pushed to the primary firewall.
a. Primary firewall offline: cannot access the primary firewall, processing is complete. The
firewall is disabled for 5 minutes if it is down 10 times in a row.
b. Push successful: continue with the secondary firewall (HA only).
7) The username to IP address mapping is pushed to the secondary firewall (HA only).
a. Secondary firewall offline: cannot access the secondary firewall, processing is complete.
The firewall is disabled for 5 minutes if it is down 10 times in a row.
b. Push successful: the username to IP mapping was successfully pushed to the firewall.
Processing is complete and the service exits.
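The flow chart above as a runnable Python sketch, added here as an example rather than the product’s own code. The DHCP lookups and firewall pushes are stand-in callables (assumed interfaces), the 10-failure/5-minute disable rule is taken from the chart, and one behaviour is assumed where the chart is silent: while a firewall is disabled it is skipped, so in an HA pair the secondary is still tried during the primary’s 5-minute window.

```python
import time

# Constants read off the Appendix A flow chart.
MAX_CONSECUTIVE_FAILURES = 10   # a firewall that is down this many times in a row ...
DISABLE_SECONDS = 5 * 60        # ... is disabled for five minutes


class Firewall:
    """One Palo Alto Networks firewall target with the flow chart's disable rule.

    push(user, ip) is an assumed caller-supplied function (in practice it would wrap the
    XML API call) returning True on success and False when the firewall is unreachable.
    clock is injectable so the five-minute window can be exercised without waiting."""

    def __init__(self, name, push, clock=time.monotonic):
        self.name = name
        self.push = push
        self.clock = clock
        self.consecutive_failures = 0
        self.disabled_until = 0.0

    def is_disabled(self):
        return self.clock() < self.disabled_until

    def push_mapping(self, user, ip):
        """Return 'pushed', 'offline' (push failed) or 'skipped' (firewall disabled)."""
        if self.is_disabled():
            return "skipped"          # assumption: a disabled firewall is not contacted
        if self.push(user, ip):
            self.consecutive_failures = 0
            return "pushed"
        self.consecutive_failures += 1
        if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
            self.disabled_until = self.clock() + DISABLE_SECONDS
            self.consecutive_failures = 0
        return "offline"


class ConnectorPipeline:
    """Processes one event 6272 the way the flow chart describes."""

    def __init__(self, dhcp_servers, firewalls):
        # dhcp_servers: [(domain, lookup)] in configured top-down order; lookup(mac)
        # returns the leased IP or None. firewalls: [primary] or [primary, secondary].
        self.dhcp_servers = dhcp_servers
        self.firewalls = firewalls

    def resolve(self, mac):
        """Query DHCP servers in order; stop at the first one holding a lease for mac."""
        for domain, lookup in self.dhcp_servers:
            ip = lookup(mac)
            if ip is not None:
                return domain, ip
        return None

    def process_event(self, username, mac):
        """Return (status, mapping, [(firewall name, outcome), ...]) for one event."""
        hit = self.resolve(mac)
        if hit is None:
            return "mac-not-found", None, []   # no more DHCP servers: exit
        domain, ip = hit
        # The domain comes from the DHCP server entry that answered, per the chart.
        user = f"{domain}\\{username}" if domain else username
        results = []
        for fw in self.firewalls:
            outcome = fw.push_mapping(user, ip)
            results.append((fw.name, outcome))
            if outcome == "offline":
                break   # chart: an unreachable firewall ends processing for this event
        return "done", (user, ip), results


def build_demo(primary_up, secondary_up, clock=time.monotonic):
    """Constructed environment: two DHCP servers (different domains) and an HA pair.

    primary_up / secondary_up are one-element lists so a caller can flip them."""
    leases_lab = {"0013468bbeb2": "10.10.20.15"}       # made-up lease tables
    leases_branch = {"44d9e7b3ac1a": "10.20.30.7"}
    dhcp_servers = [("LAB", leases_lab.get), ("BRANCH", leases_branch.get)]
    firewalls = [Firewall("fw-primary", lambda u, ip: primary_up[0], clock),
                 Firewall("fw-secondary", lambda u, ip: secondary_up[0], clock)]
    return ConnectorPipeline(dhcp_servers, firewalls)
```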
It is important to ensure that the Microsoft NPS server does log successful authentications. The
PAN 802.1x Connector application depends on a fully operational Microsoft NPS server with logging
enabled. Consult Microsoft documentation on how to install, operate and maintain a Microsoft NPS
server.