Copyright CodeCentrix. All rights reserved 2015. Version 1.2

PAN 802.1x Connector Application

Installation Guide

Version 1.2


Contact Information

CodeCentrix

www.codecentrix.co.za/contact

Email: [email protected]

About this Guide

This installation guide takes you through the installation, activation and configuration of the PAN 802.1x Connector application. It details the steps needed to activate the software, perform an initial configuration, install and start the application service, and verify and test the configuration using the built-in test functions. It also includes troubleshooting steps should you have any issue while testing the configuration. An overview of the application's operation, together with a process flow chart, can be found in Appendix A.

This guide does not cover the configuration of 802.1x capable infrastructure such as switches and wireless access points. Refer to the switch or wireless access point vendor's configuration manual for instructions on configuring those devices for 802.1x authentication. Most network devices, including mobile devices, printers, projectors, and Microsoft and Apple computers, support 802.1x authentication.

A prerequisite is that a Microsoft Network Policy Server (NPS) is installed, running and accepting authentication requests from network devices. For more information on how to deploy and run the Microsoft NPS role, visit Microsoft's website:

https://msdn.microsoft.com/en-us/library/cc732912.aspx

PAN 802.1x Connector tech notes and articles can be found at

www.codecentrix.co.za/knowledgebase

Email [email protected] if you have any technical questions, issues or feature requests.


TABLE OF CONTENTS

Installing and configuring the PAN 802.1x Connector application ........ 5
  Step 1 – Run “Setup.exe” ........ 6
  Step 2 – Activate the PAN 802.1x Connector application ........ 10
  Step 3 – Configuring the PAN 802.1x Connector application ........ 13
  Step 4 – Adding DHCP servers ........ 16
    i. DHCP server type “Microsoft” ........ 18
    ii. DHCP server type “Palo Alto Networks” ........ 20
    iii. DHCP server type “Cisco” ........ 22
  Step 5 – Installing and starting the PAN 802.1x Connector service ........ 24
    Install the service ........ 24
    Start the service ........ 26
Verifying the PAN 802.1x Connector installation ........ 27
  Step 1 – Verify read access to the Microsoft security event logs ........ 28
  Step 2 – Test connectivity to the Palo Alto Networks firewall(s) ........ 33
  Step 3 – Test DHCP server functionality ........ 36
  Step 4 – Verify that the PAN 802.1x Connector service is running ........ 41
  Step 5 – Check the Palo Alto Networks firewall for user mappings ........ 42
Application and Service logs ........ 43
Application licensing ........ 45
  Default action upon license expiry ........ 46
  License renewal ........ 46
  Upgrading to a high availability license ........ 46
Configuration tips and troubleshooting ........ 47
  Minimum rights required to run the PAN 802.1x Connector service ........ 47
  Backup/Restore the PAN 802.1x Connector configuration ........ 48
  Optimising Microsoft NPS session, DHCP and user-ID timeout values ........ 48
  Issues starting the PAN 802.1x Connector service ........ 50
Appendix A – PAN 802.1x Connector application operations ........ 52


System Requirements

Supported operating systems:
- Microsoft Windows Server 2008
- Microsoft Windows Server 2008 R2
- Microsoft Windows Server 2012
- Microsoft Windows Server 2012 R2

Prerequisites:
- Microsoft .NET 4.0
- Microsoft Network Policy Server (NPS)
- 802.1x capable network infrastructure (switch or wireless access point (AP)) configured to authenticate to the Microsoft NPS
- A Microsoft DHCP server and/or Palo Alto Networks firewall DHCP server and/or Cisco IOS DHCP server
- A Palo Alto Networks firewall, or a pair of firewalls in high availability mode

The PAN 802.1x Connector application will run without any DHCP servers configured, but no MAC to IP mappings will be discoverable, because the application relies on the DHCP server's binding table (IP leases) to discover the IP address of an 802.1x authenticated network device. More than one DHCP server may be configured; the configured servers are processed in top down sequence, and any combination of Microsoft, Palo Alto Networks and Cisco DHCP servers may be configured. See Appendix A for more information on the processing logic of the PAN 802.1x Connector application.


INSTALLING AND CONFIGURING THE PAN 802.1X CONNECTOR APPLICATION

The PAN 802.1x Connector application must be installed on a Microsoft server that is running Microsoft Network Policy Server (NPS). The PAN 802.1x Connector service depends on the logs generated by NPS to extract user and user device information; once a log has been processed successfully, the resulting information is pushed to the Palo Alto Networks firewall(s).

The application can be installed on every Microsoft server running NPS, which is ideal for environments where high availability is essential. When a high availability license is activated, several PAN 802.1x Connector installations can push mappings to the same Palo Alto Networks firewall or firewalls. Each installation runs independently of the others: they do not need to communicate with each other, and each one talks directly to the firewall(s) whenever it has processed an NPS log successfully. The same license key may be used for every installation. The key is bound to the Palo Alto Networks firewall serial number(s), not to the installation instances, and each installation will only communicate with the firewall serials specified in the license key. See the section “Application licensing” for more information.

The latest version of the PAN 802.1x Connector application may be downloaded from

www.codecentrix.co.za/download

The following section details the installation steps. Ensure that you have administrative rights on the server before installing the application.

Note: The PAN 802.1x Connector application must be installed on a Microsoft server that is running Microsoft NPS. You may install it on all NPS servers in your organisation or environment.


STEP 1 – RUN “SETUP.EXE”

Upon successful download of the application, right click the “Setup.exe” installer and select “Run as administrator”.

Click “Next” on the initial setup screen to start the installation.

Select “I accept the license agreement” and click “Next”.

Click “Next” to accept the default Start menu folder “PAN 802.1x Connector”.

Optionally, a shortcut can be created on the desktop: tick “Create desktop icon” if required.

Click “Install” to start installing the PAN 802.1x Connector application.

The application may optionally be launched as soon as the installation completes. Have your application license key ready if you do so, because the application requires a valid license key before any configuration can be done. Untick “Launch PAN 802.1x Connector” if you do not have your license key at hand or want to perform the configuration later. Click “Finish” to complete the installation.

The PAN 802.1x Connector is a 32-bit application and is installed in “C:\Program Files (x86)\PAN 802.1x Connector”. A desktop shortcut is placed on the desktop if that option was selected during the installation, and a Start menu folder named “PAN 802.1x Connector” is created.


STEP 2 – ACTIVATE THE PAN 802.1X CONNECTOR APPLICATION

The application requires activation with a license key on first run. Your license key will have been emailed to the email address specified during the purchase process; check your spam folder if you have not received it. If you are evaluating the application, a 30 day evaluation license key will have been emailed to the address specified at checkout; again, check your spam folder if it has not arrived. Alternatively, you may request an evaluation license by emailing [email protected].

An email containing your license key will look similar to the screen output below.

Email [email protected] if anything in your license particulars is wrong, such as the Palo Alto Networks firewall serial number(s) associated with your license key. Verify every particular of your license entitlement before continuing.

Select and copy the license key. Launch the PAN 802.1x Connector application, paste the copied license key into the text box and click “Accept”.

If the license key is accepted, the application opens the configuration screen; if not, an error message is displayed.

The first task after activating the application is to open the “Status” page and verify your license entitlement. Check that the particulars associated with your license are correct, in particular that the correct Palo Alto Networks firewall serial number(s) are listed under the “Status” page and that the correct license type is displayed.

Note: The PAN 802.1x Connector service will not push any user to IP mappings to a Palo Alto Networks firewall that is not listed under “Licensed Palo Alto Networks firewall serial numbers”. The PAN 802.1x Connector software license is linked to the supplied Palo Alto Networks firewall serial number, or serial numbers in HA deployments.

Proceed to the next step once your license details are verified and correct.


STEP 3 – CONFIGURING THE PAN 802.1X CONNECTOR APPLICATION

Configuration settings can be found by expanding “User Identification” and clicking “PAN 802.1x Connector Setup”.

The right hand pane holds the PAN 802.1x Connector service related configuration, the Palo Alto Networks firewall(s) configuration and the DHCP server configuration. The service configuration and the Palo Alto Networks firewall(s) are set up first; see Table 1 for an explanation of each setting.

Note: Settings for a secondary Palo Alto Networks firewall are only available if you activated your PAN 802.1x Connector software with a high availability license.


Table 1: PAN 802.1x Connector Settings Explained

Windows Service Logon Account Username
  The Microsoft Windows account under which the PAN 802.1x Connector service will be installed and started. Any Windows account that is a member of the Administrators group on the NPS server will work. For a more restrictive service account, see “Minimum rights required to run the PAN 802.1x Connector service” under “Configuration tips and troubleshooting”.

Windows Service Logon Account Password
  Password for the specified Microsoft Windows account.

Software License
  The PAN 802.1x Connector software license key.

Primary Palo Alto Networks Firewall IP
  IP address of the primary Palo Alto Networks firewall with which the PAN 802.1x Connector service will communicate. User to IP mappings are pushed to this IP on port 443, so ensure that the firewall's web interface is reachable on this IP from the NPS server.

Primary Palo Alto Networks Firewall API key
  The service authenticates to the Palo Alto Networks firewall with an API key. Ensure that the firewall is online and reachable, then click “Generate”. You will be prompted for a username and password; enter the login credentials of a Palo Alto Networks firewall administrator. The application uses these credentials to request an API key from the firewall; the key, not the password, is what the service uses from then on. Because an API key carries the rights of the administrator account that generated it, use a dedicated firewall account for the connector rather than a personal administrator login.

User Identification timeout (min)
  Sent to the Palo Alto Networks firewall together with each user to IP mapping. The firewall uses it as the user cache timeout: the mapping is removed from the firewall's user database once this many minutes have elapsed. The default is 90 minutes; the maximum is 44640 (31 days).

Secondary Palo Alto Networks Firewall IP
  Only available when a high availability PAN 802.1x Connector software license has been purchased and activated. The service can push user to IP mappings to a secondary Palo Alto Networks firewall as well, which ensures that both the primary and the secondary firewall of a Palo Alto Networks HA pair receive the mappings.

Secondary Palo Alto Networks Firewall API key
  As for the primary firewall: ensure that the secondary firewall is online and reachable, click “Generate”, and enter Palo Alto Networks firewall login credentials when prompted. The application uses them to generate an API key for the secondary firewall.

User Identification timeout (min), secondary firewall
  Sent with each user to IP mapping to the secondary Palo Alto Networks firewall. Same meaning, default (90 minutes) and maximum (44640) as for the primary firewall.

Click the button to apply the configuration once it is complete. At this point the PAN 802.1x Connector application related settings are configured. The next step is to add the DHCP server or servers which the PAN 802.1x Connector service will use to perform MAC to IP address lookups.
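To see what the “Generate” button and the mapping push in Table 1 amount to on the wire, here is an added PowerShell example, written for this page and not part of the CodeCentrix software, that performs the same PAN-OS XML API calls by hand: it generates an API key from an administrator's credentials (type=keygen), pushes one user to IP mapping with a User Identification timeout (type=user-id), and reads the mapping back (type=op). The firewall address, the API account name, the NetBIOS domain, the username and the client IP are placeholders.

```powershell
# Added example for this page, not CodeCentrix code. The three PAN-OS XML API
# calls behind the connector's settings: keygen (the "Generate" button), a
# user-id login push with a cache timeout, and an op command to read it back.
# Firewall address, API account, domain, user and client IP are placeholders.
param(
    [string]$Firewall   = '192.0.2.10',     # firewall web interface IP (port 443)
    [string]$ApiUser    = 'uid-connector',  # dedicated firewall admin for the connector
    [string]$Domain     = 'ACME',           # NetBIOS name, never acme.com
    [string]$UserName   = 'john',
    [string]$ClientIp   = '10.20.30.40',
    [int]   $TimeoutMin = 90                # connector default; maximum 44640
)
$api = "https://$Firewall/api/"

# Prompt for the password instead of storing it; it is needed only to mint the key.
$cred = Get-Credential -UserName $ApiUser -Message 'Palo Alto Networks firewall administrator'
$pw   = $cred.GetNetworkCredential().Password

# 1. keygen: the firewall answers <response status="success"><result><key>...</key>
#    and that key carries the rights of $ApiUser from then on.
$r = Invoke-RestMethod -Method Post -Uri $api -Body @{ type = 'keygen'; user = $ApiUser; password = $pw }
if ($r.response.status -ne 'success') { throw "keygen failed: $($r.OuterXml)" }
$apiKey = $r.response.result.key

# 2. user-id: one login entry. timeout is in minutes and decides when the firewall
#    drops the mapping from its user database.
$uidMessage = @"
<uid-message>
  <version>1.0</version>
  <type>update</type>
  <payload>
    <login>
      <entry name="$Domain\$UserName" ip="$ClientIp" timeout="$TimeoutMin"/>
    </login>
  </payload>
</uid-message>
"@
$r = Invoke-RestMethod -Method Post -Uri $api -Body @{ type = 'user-id'; key = $apiKey; cmd = $uidMessage }
if ($r.response.status -ne 'success') { throw "user-id push failed: $($r.OuterXml)" }

# 3. op: the same check as "show user ip-user-mapping ip <ip>" on the firewall CLI.
$cmd = "<show><user><ip-user-mapping><ip>$ClientIp</ip></ip-user-mapping></user></show>"
$r = Invoke-RestMethod -Method Post -Uri $api -Body @{ type = 'op'; key = $apiKey; cmd = $cmd }
$r.response.result
```

Run it from the NPS server, since that is the host whose path to port 443 on the firewall matters. Windows PowerShell 5.1 refuses a firewall management certificate the server does not trust; import the firewall's certificate or its issuing CA rather than disabling validation (PowerShell 7's -SkipCertificateCheck is for lab use only). Because the key inherits the generating account's role, create a dedicated administrator for the connector and restrict it, through an admin role profile, to the XML API operations it needs (User-ID Agent for the push, Operational Requests only if you use the read-back).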


STEP 4 – ADDING DHCP SERVERS

The PAN 802.1x Connector application performs MAC to IP address lookups against the specified DHCP server(s). Three types of DHCP server are supported at present: Microsoft (Windows Server 2008, 2008 R2, 2012 and 2012 R2), Palo Alto Networks, and Cisco IOS based DHCP servers. For each successful authentication log generated by the Microsoft Network Policy Server (NPS), the application takes the MAC address of the user's device from the log and attempts to look up its IP address. If the lookup succeeds, the authenticated username is combined with the discovered IP address. A different connection method is used for each DHCP server type; see Table 2.

Servers are processed top down. Place the most heavily used DHCP servers first and the least used last. The PAN 802.1x Connector service queries each DHCP server in the list in turn until a match is found or the last server has been processed; if no server returns a match, the service logs “MAC not found on configured DHCP servers” for that authentication and stops processing it.


Table 2: DHCP Server Types Explained

Microsoft DHCP server (Windows Server 2008, 2008 R2, 2012, 2012 R2)
  Connection method: the local DHCP DLL libraries are called if the DHCP server runs on the same server as the connector; RPC calls are used if the DHCP server runs on a remote Microsoft server.
  Required permissions: the configured Windows service account must be permitted to read the local and/or remote Microsoft DHCP server leases over RPC (see Table 1), which means it must be a member of the correct AD groups. See “Minimum rights required to run the PAN 802.1x Connector service” for more information.

Palo Alto Networks DHCP server
  Connection method: the Palo Alto Networks firewall is accessed on port 443 to retrieve the DHCP client leases.
  Required permissions: the firewall account used to generate the API key must be permitted to use the Palo Alto Networks REST API (HTTPS, port 443).

Cisco IOS DHCP server
  Connection method: the DHCP client bindings are retrieved over an SSH2 connection to the Cisco device.
  Required permissions: SSH2 must be configured and running on the Cisco IOS device, and a valid username and password must be supplied to log in. Only user EXEC mode is required.

Note: If no match is found on the configured DHCP server(s), the PAN 802.1x Connector service makes a second lookup attempt for the same MAC address. The delay between the first and second lookup is 3 seconds. This is by design: it caters for DHCP servers that can take up to 3 seconds to allocate a lease to a requesting DHCP client.

The configurable parameters for each DHCP server type are explained below. To add a DHCP server, click “Add”.


i. DHCP server type “Microsoft”

Server Name
  A short descriptive name for the DHCP server.

Domain
  The domain the PAN 802.1x service prepends to the authenticated username before the mapping is pushed to the configured Palo Alto Networks firewall(s). It must be the NetBIOS domain name, not the FQDN: if the fully qualified name of the company's Active Directory domain is acme.com and its NetBIOS name is ACME, enter ACME. Users are pushed to the firewall(s) as “<NETBIOS>\<username>”, so an authenticated user “John” is mapped as “ACME\John”. The firewall(s) will also accept “<FQDN domain>\<username>”, but mappings in that form may fail to match security policies correctly on the firewall(s). Always use the Microsoft NetBIOS domain name.

Server IP
  The Microsoft DHCP server IP. This can be the local server's IP or that of a remote Microsoft DHCP server. If the DHCP server is local, do not use the loopback address (127.0.0.1); enter the IP address of the local network interface on which the DHCP server is listening. Refer to your Microsoft DHCP server configuration to verify which network interface that is.

Server type
  Select “Microsoft”.

Subnet
  The IP subnet for which the PAN 802.1x Connector must do MAC to IP lookups, i.e. the scope subnet configured on the Microsoft DHCP server. Enter only the subnet address as configured in the DHCP server, without the subnet mask. Below is a screen snapshot of a Microsoft DHCP server scope. To open the Microsoft DHCP server console, click “Start”, navigate to “Administrative Tools” and click “DHCP”; the available subnets are listed under the IPv4 node.


ii. DHCP server type “Palo Alto Networks”

Server Name
  A short descriptive name for the DHCP server.

Domain
  The domain the PAN 802.1x service prepends to the authenticated username before the mapping is pushed to the configured Palo Alto Networks firewall(s). It must be the NetBIOS domain name, not the FQDN: if the fully qualified name of the company's Active Directory domain is acme.com and its NetBIOS name is ACME, enter ACME. Users are pushed to the firewall(s) as “<NETBIOS>\<username>”, so an authenticated user “John” is mapped as “ACME\John”. The firewall(s) will also accept “<FQDN domain>\<username>”, but mappings in that form may fail to match security policies correctly on the firewall(s). Always use the Microsoft NetBIOS domain name.

Server IP
  The IP address of the Palo Alto Networks firewall running the DHCP server. Note that the API key configured in the PAN 802.1x Connector application settings is used to access the firewall(s) and retrieve the DHCP client leases, so the account behind that key needs API access on this firewall too. For more information regarding the API key, see Step 3.

Server type
  Select “Palo Alto Networks”.

Interface
  The Ethernet interface on which the DHCP server is enabled on the Palo Alto Networks firewall. To find out on which interface DHCP is running, log on to the firewall web interface and open “DHCP” under the “Network” tab.


iii. DHCP server type “Cisco”

Server Name
  A short descriptive name for the DHCP server.

Server IP
  The IP address of the Cisco IOS device on which the DHCP server is enabled and running. Ensure that SSH2 is configured and enabled on the device and that it accepts SSH2 logins. You can verify this from the Microsoft server running the PAN 802.1x Connector service with an SSH2 capable client such as PuTTY: if SSH2 is enabled, the Cisco device prompts for login credentials; if no login prompt appears, either SSH2 is not enabled on the device or the connection is being blocked.

Server type
  Select “Cisco”.

SSH2 username
  The username with which the PAN 802.1x application will log in to the Cisco device. Only user EXEC mode is required (see Table 2), so use a dedicated account with the lowest privilege level that can show the DHCP bindings rather than an enable-capable administrator account; this password is kept in the connector's configuration.

SSH2 password
  The password for that account.

Domain
  The domain the PAN 802.1x service prepends to the authenticated username before the mapping is pushed to the configured Palo Alto Networks firewall(s). It must be the NetBIOS domain name, not the FQDN: if the fully qualified name of the company's Active Directory domain is acme.com and its NetBIOS name is ACME, enter ACME. Users are pushed to the firewall(s) as “<NETBIOS>\<username>”, so an authenticated user “John” is mapped as “ACME\John”. The firewall(s) will also accept “<FQDN domain>\<username>”, but mappings in that form may fail to match security policies correctly on the firewall(s). Always use the Microsoft NetBIOS domain name.

Note: The Cisco DHCP server type does not require the configuration of an IP subnet. The PAN 802.1x Connector application retrieves the complete DHCP binding table from the Cisco device.
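To make the Step 4 lookup concrete, here is an added PowerShell example, written for this page and not the connector's own code, that does the same work by hand on a Windows Server 2012 NPS host for the Microsoft DHCP server type: it reads the client MAC from the latest NPS “access granted” event (Security log, event ID 6272, Calling-Station-Identifier), walks a list of Microsoft DHCP servers top down with the single 3 second retry the guide describes, and prints the mapping the connector would push, NetBIOS domain first. The server names, IP addresses, scope subnets and domain are placeholders; it needs the DhcpServer PowerShell module (DHCP role or RSAT, Windows Server 2012 and later) and read access to the Security log.

```powershell
# Added example for this page, not CodeCentrix code: the connector's MAC to IP
# lookup reproduced by hand for Microsoft DHCP servers. Names, IPs, scopes and the
# domain below are placeholders.

# The connector's DHCP server list, most used first, as entered in Step 4.
$dhcpServers = @(
    @{ Name = 'HQ-DHCP';     Ip = '10.0.0.5'; Subnet = '10.10.0.0' },
    @{ Name = 'BRANCH-DHCP'; Ip = '10.1.0.5'; Subnet = '10.11.0.0' }
)
$netbiosDomain = 'ACME'   # the connector's Domain field: NetBIOS name, never acme.com

# NAS devices format the MAC differently (00-11-22-33-44-55, 0011.2233.4455,
# 00:11:22:33:44:55); normalise to the dashed form Get-DhcpServerv4Lease uses in ClientId.
function ConvertTo-DhcpClientId([string]$Mac) {
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($hex.Length -ne 12) { throw "Not a MAC address: $Mac" }
    return ($hex -replace '(..)(?!$)', '$1-')
}

# Event 6272 stores its fields as <Data Name="..."> elements; CallingStationID is the
# supplicant MAC for 802.1x (compare with the XML of one of your own events if a
# field name differs on your server).
function Get-LastNpsGrant {
    $ev = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272 } -MaxEvents 1
    $data = @{}
    foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        User = $data['SubjectUserName']
        Mac  = ConvertTo-DhcpClientId $data['CallingStationID']
        Time = $ev.TimeCreated
    }
}

# Top down search with one retry after 3 seconds, as the guide describes. A server
# that cannot be reached is skipped with a warning instead of aborting the search.
function Find-LeaseForMac([string]$ClientId, [array]$Servers) {
    foreach ($attempt in 1, 2) {
        foreach ($s in $Servers) {
            try {
                $lease = Get-DhcpServerv4Lease -ComputerName $s.Ip -ScopeId $s.Subnet -ErrorAction Stop |
                         Where-Object { $_.ClientId -eq $ClientId } | Select-Object -First 1
            } catch {
                Write-Warning "$($s.Name): $($_.Exception.Message)"; continue
            }
            if ($lease) {
                return [pscustomobject]@{
                    Server  = $s.Name
                    Ip      = $lease.IPAddress.ToString()
                    Expires = $lease.LeaseExpiryTime
                }
            }
        }
        if ($attempt -eq 1) { Start-Sleep -Seconds 3 }   # the connector's built-in retry delay
    }
    Write-Warning "MAC not found on configured DHCP servers: $ClientId"
    return $null
}

$grant = Get-LastNpsGrant
$lease = Find-LeaseForMac -ClientId $grant.Mac -Servers $dhcpServers
if ($lease) {
    # What the connector would push: NetBIOS domain, username, discovered IP.
    "{0}\{1} -> {2} (lease on {3}, expires {4}, authenticated {5})" -f `
        $netbiosDomain, $grant.User, $lease.Ip, $lease.Server, $lease.Expires, $grant.Time
}
```

If the script returns a mapping but the connector logs “MAC not found on configured DHCP servers”, compare the ClientId format in the lease against the MAC the NAS sends, and check that the scope subnet entered for each server matches the scope the client actually leases from. If Get-WinEvent itself fails, the service account lacks read access to the Security log, which is what verification Step 1 checks.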

Configuration of the PAN 802.1x Connector application is now complete. In the next section the PAN 802.1x Connector service is installed and started as a Windows service. The service persists and starts automatically after a reboot.


STEP 5 - INSTALLING AND STARTING THE PAN 802.1X CONNECTOR SERVICE

The PAN 802.1x Connector service is responsible for processing incoming Microsoft Network Policy Server (NPS) security event logs, discovering the IP addresses associated with authenticated users and pushing successfully mapped user to IP mappings to the Palo Alto Networks firewall(s). The service is configured to start automatically with the Microsoft Windows server. If required, the service can be stopped manually from within the PAN 802.1x Connector application or from the Windows services console. In the PAN 802.1x Connector application, click on the “Service Setup” menu. The service can be installed, uninstalled, started or stopped from here.

Please ensure that step 3 is completed before proceeding.

i. Install the Service

The PAN 802.1x Connector service must be installed before it can be started or stopped. The service only has to be installed once. The PAN 802.1x Connector service can be installed by clicking on the “Install” button. This will install and register the PAN 802.1x Connector application as a Windows service. The service can be uninstalled by clicking on the “Uninstall” button on the same page.

Optionally, verify that the service is installed by launching the Microsoft Windows services manager. The Microsoft Windows services manager may be launched by searching for and running the command “services.msc” from the Microsoft Windows start bar.


Look for a service named “PAN 802.1x Connector” within the Microsoft services manager.


ii. Start the Service

Once the service has been installed successfully it may be started and stopped. Click on “Start” to start the service. Click on “Stop” to stop the service.

The PAN 802.1x Connector service is now installed and running.

The PAN 802.1x Connector application and service are now fully configured, installed and running as a Windows system service. The next section of the installation guide will go through various steps to verify that your installation is working as expected. Read through the “Configuration tips and troubleshooting” section on page 50 if your service does not start, or if you experienced any other issues. It is important that your service is running before continuing on to the next section entitled “Verifying the PAN 802.1x Connector installation”.


Verifying the PAN 802.1x Connector installation

This part of the installation guide will test the various components of the PAN 802.1x Connector application and service. The correct functioning of the PAN 802.1x Connector service depends on various components working as expected. There are 3 main components which will be tested:

- Accessing and reading the local Microsoft Windows security event logs
- Communicating with the configured Palo Alto Networks firewall(s)
- IP address lookup using a MAC address

For more information see appendix A for an operational overview of the PAN 802.1x Connector service as well as a workflow chart detailing the processing logic.

Each of the components must be functional before a successful user to IP mapping will be generated and pushed to the Palo Alto Networks firewall(s). Testing the PAN 802.1x Connector configuration will start by verifying read access to the Microsoft Windows local security event logs.


STEP 1 – VERIFY READ ACCESS OF THE MICROSOFT SECURITY EVENT LOGS

The Microsoft security event logs may be viewed by launching the Microsoft Event log viewer. The PAN 802.1x Connector application reads the same Microsoft Windows security event logs. The PAN 802.1x Connector test function “Test Security Event Log” will attempt to retrieve the last 10 Microsoft security events with ID 6272. The Microsoft Network Policy Server (NPS) generates an event ID 6272 security log entry for each user who authenticates successfully.

The test functions can be found by navigating to the “Testing” section within the PAN 802.1x Connector application.


Navigate to “Test Security Event Log” by expanding the “Testing” menu. In the right hand pane there will be a button named “Retrieve”. Click on this button to attempt read access of the Microsoft Windows security event logs.

The following output may be observed after clicking “Retrieve”:

Result: SUCCESS

Explanation of result: “SUCCESS” indicates that the PAN 802.1x Connector application was able to access the Microsoft security event logs. The last 10 or fewer event log entries will be displayed in the results window. The output will contain the username and the associated MAC address from which the user authenticated.

Resolution: It is possible to access the Windows security event logs successfully yet see no results in the output box. The two most common reasons for this are:

1) There are no security event ID 6272 logs in the Windows security logs. This can be verified manually by launching the Windows Event viewer (https://technet.microsoft.com/en-us/library/cc766401.aspx) and searching for event ID 6272 logs in the Windows security logs. Verify that there are event ID 6272 logs. You may generate an event ID 6272 entry by performing a successful 802.1x authentication. Refresh the Event viewer and recheck.


2) Successful Microsoft NPS authentications may not be logged. See the following document for more information on how to check the current Microsoft NPS logging level (https://technet.microsoft.com/en-us/library/cc731085(v=ws.10).aspx). Ensure that “Successful authentication requests” is checked, click “Ok” and restart the Microsoft NPS service. Recheck the Windows security event logs for event ID 6272 logs after successfully performing an 802.1x authentication.

The PAN 802.1x Connector service is dependent on Microsoft security event logs with ID 6272. No user to IP mappings will be generated if there are no event ID 6272 logs generated by the Microsoft NPS server. Check the Microsoft NPS documentation or Microsoft support forums if you still do not see any security event ID 6272 logs after trying the above suggestions.


Result: FAILED – “Attempted to perform an unauthorized operation”

Explanation of result: Failure to read the security event logs may be the result of the configured Windows service account not having enough permission to access the Windows security event logs. The service account must be a member of the built-in Microsoft Active Directory group “Event log readers” to be able to read the Windows security event logs.

Resolution: There are a couple of tests that may be performed to verify whether the issue is related to the Windows service account. If you configured a service account with limited rights, try using an administrator account with full admin rights. See page 46 for more information on the minimum service account permissions.

A simple command using Microsoft’s native command-line event utility (wevtutil) may be used to test read access to the Windows security event logs.

Use the following command to test:

“Wevtutil qe security /q:"*[System [(EventID=6272)]]" /u:<DOMAIN\username> /p:<password> /r:<SERVER IP> /c:<count>”

The command will use the specified Windows service account to access and retrieve the last x security logs with event ID 6272 from the Microsoft Windows security logs. Replace <DOMAIN\username>, <password>, <SERVER IP> and <count> with the appropriate values.

An example of how the command may be used is shown below. The output of the command is also shown:

C:\Users\spock>Wevtutil qe security /q:"*[System [(EventID=6272)]]" /u:lab\servicetest /p:12345678 /r:127.0.0.1 /c:1


The following command uses an incorrect password for the specified Windows service account. The error output of the command is also shown. See page 46 for more information on the minimum permissions for a restricted Windows service account.

C:\Users\spock>Wevtutil qe security /q:"*[System [(EventID=6272)]]" /u:lab\servicetest /p:wrongpassword /r:127.0.0.1 /c:1

Troubleshoot and correct any “Access is denied” errors when using your specified Windows service account.

You may continue to test the rest of the PAN 802.1x Connector application components regardless of the result from testing read access of the Microsoft security event logs. Each component of the PAN 802.1x Connector application may be tested independently. Note, however, that the PAN 802.1x Connector application relies on every component working correctly.
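The same read-access check can be scripted in PowerShell, which also shows what the “Test Security Event Log” function extracts from each event. The script below is an added example and is not part of the CodeCentrix guide or product. It assumes the standard event ID 6272 EventData field names (FullyQualifiedSubjectUserName, CallingStationID, NASIdentifier, NetworkPolicyName; check them in the Event Viewer XML view if your NPS version differs), defaults to the same loopback target as the guide’s wevtutil example, and takes the restricted service account as an optional credential so the same two outcomes (empty result versus access denied) can be reproduced.

```powershell
# Added example, not CodeCentrix code: read the newest NPS event ID 6272 entries the way
# the "Test Security Event Log" function does, optionally as the restricted service
# account and against a remote NPS server, and list the user / MAC pairs they carry.
param(
    [string]$ComputerName = '127.0.0.1',   # same loopback target as the guide's wevtutil example
    [pscredential]$Credential,             # e.g. (Get-Credential 'LAB\servicetest'); omit to use the current user
    [int]$Count = 10                       # the test function retrieves the last 10 events
)

$params = @{
    ComputerName    = $ComputerName
    FilterHashtable = @{ LogName = 'Security'; Id = 6272 }
    MaxEvents       = $Count
    ErrorAction     = 'Stop'
}
if ($Credential) { $params.Credential = $Credential }

try {
    $events = Get-WinEvent @params
}
catch {
    # The guide's FAILED case: the account is not a member of "Event Log Readers"
    if ($_.Exception.Message -match 'unauthorized|Access is denied') {
        Write-Error "Access denied reading the Security log as '$($Credential.UserName)': add the account to 'Event Log Readers'."
    }
    else {
        # Get-WinEvent also throws when the query matches nothing (the "SUCCESS but empty" case)
        Write-Warning "No event ID 6272 entries returned: $($_.Exception.Message)"
    }
    return
}

foreach ($e in $events) {
    # Field names below follow the standard 6272 EventData layout (assumed; verify in Event Viewer's XML view)
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        User        = $data['FullyQualifiedSubjectUserName']
        MAC         = $data['CallingStationID']     # the supplicant's MAC as reported by the switch or access point
        NAS         = $data['NASIdentifier']
        Policy      = $data['NetworkPolicyName']
    }
}
```

Run it once as the administrator to confirm 6272 events exist at all, then again with the service account credential: an empty result in the first run points at NPS logging (reason 1 and 2 above), while an access denied error only in the second run isolates the problem to the service account’s group membership.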


STEP 2 – TEST CONNECTIVITY TO THE PALO ALTO NETWORKS FIREWALL(S)

This test function tests connectivity to the Palo Alto Networks firewall, or to both firewalls when in high availability. The PAN 802.1x Connector application will attempt to access the firewall(s) using the settings specified in the PAN 802.1x Connector setup. Click on “Test Palo Alto Networks Firewall” under the “Testing” sub menu. Click on the “Verify” button.

Result: Palo Alto Networks firewall 1: Successful
Palo Alto Networks firewall 2: Successful

Explanation of result: Communication with the configured Palo Alto Networks firewall was successful. In case of high availability, communication with both Palo Alto Networks firewalls will be tested.

Resolution: No further action required. The component functions as expected. The Palo Alto Networks firewall(s) are reachable and the Palo Alto Networks API key is correct.

Result: Palo Alto Networks firewall 1: Failed
Palo Alto Networks firewall 2: Successful

Explanation of result: Communication with the primary Palo Alto Networks firewall failed. Communication with the secondary Palo Alto Networks firewall was successful.

Resolution: This may be due to one of the following reasons:

1) The primary Palo Alto Networks firewall management interface may not be accessible. Test connectivity to the


primary Palo Alto Networks firewall management interface by launching a web browser and navigating to HTTPS://<Firewall IP>. The Palo Alto Networks firewall web interface page should be displayed.

If it is not displayed, the Palo Alto Networks firewall management interface is unreachable or inaccessible from the PAN 802.1x Connector application. This may be due to network related issues such as routing, or firewall policies blocking access from the Microsoft server running the PAN 802.1x Connector application to the primary Palo Alto Networks firewall. Verify that the routing is correct and that no security appliances or routing devices are blocking access to the primary Palo Alto Networks firewall’s IP and port 443 from the Microsoft server’s IP.

2) Another possible cause may be access control lists applied to the Palo Alto Networks firewall management interface. Verify that the management interface allows access from the IP address of the Microsoft server running the PAN 802.1x Connector by navigating to “Device > Setup > Management Interface Settings” on the Palo Alto Networks firewall.


Resolution: Verify that routing between the Microsoft server and the Palo Alto Networks firewall is correct. Try to ping the Palo Alto Networks firewall’s management interface. Ensure that there are no firewall rules blocking access to the Palo Alto Networks firewall IP on TCP port 443. Also ensure that the Microsoft server IP is added to the Palo Alto Networks firewall’s management interface access list (“permitted IP”) if the access control list is being used. Please consult the Palo Alto Networks administration guide for more information on how to configure this function. A failed result may be observed on either the primary or the secondary Palo Alto Networks firewall. Follow the same troubleshooting procedure for either a primary or a secondary failed result. Try using a different Palo Alto Networks firewall API key if routing is correct and the Palo Alto Networks web interface is accessible. Generate a new API key in the PAN 802.1x Connector application settings page using a different set of login credentials and retest. See page 13 for information on generating an API key.

Result: Palo Alto Networks firewall 1: Failed
Palo Alto Networks firewall 2: Failed

Explanation of result: The PAN 802.1x Connector application cannot connect to either the primary or the secondary Palo Alto Networks firewall.

Resolution: Follow the same diagnostic steps as outlined above.


STEP 3 – TEST DHCP SERVER

This function tests the IP lookup component of the PAN 802.1x Connector application. The function will attempt to resolve a given MAC address to an IP address by querying the configured DHCP server(s). A MAC address is required as input. You may use a MAC address from any device, such as an Android, Apple or Microsoft Windows system.

Ensure that the mobile device, laptop or network device has received an IP address from a DHCP server before running this test. You will not see an IP address returned in the result output if the network device has not received an IP address yet. You may see an IP address returned if the network device received an IP address earlier and the DHCP lease has not yet expired. Furthermore, ensure that the DHCP server is added to the DHCP server configuration of the PAN 802.1x Connector application. For more information on how to add DHCP servers, refer to page 16.

Navigate to “Testing” and then click on “Test DHCP Servers”.

Fill in the MAC address at location A. A DHCP server must be configured in the PAN 802.1x Connector application settings page. Multiple DHCP servers may be configured. The test function will query each of the configured DHCP servers once until a match is found. The test function will exit when a match is found or when the last DHCP server has been queried. The discovered IP address will be displayed in the “Returned IP Address” output. If no match is found, the test function will exit with a “Not found” result.


Below is an example of how to use the “Test DHCP server” test function:

Open a command prompt on a Microsoft Windows host. Run the command “ipconfig /all”. This will list all network adapter information including the MAC address for each network interface. Scroll through the output until the interface with the IP address that you are interested in is found. In this example the wireless adapter’s MAC address will be used.

Fill in the MAC address

Click on the “Find” button after filling in the MAC address of the network interface. The PAN 802.1x Connector application will now query the configured DHCP server(s) by inspecting the DHCP server client leases (or “bindings”). The PAN 802.1x Connector application processes the DHCP servers in a top down sequence if more than one is configured. Be sure to test MAC addresses from multiple hosts if more than one DHCP server and subnet is in use. This will ensure that all IP subnets are verified and working within the PAN 802.1x Connector application.


Result: SUCCESS Return IP Address <IP ADDRESS>

Explanation of result: An IP address was successfully retrieved from the configured DHCP servers. The component works as expected.

Resolution: No further action is required. The DHCP function successfully discovered the IP address associated with the MAC address entered.

Result: FAILED

Explanation of result: The PAN 802.1x Connector application was not able to discover the IP address for the supplied MAC address on the configured DHCP server(s). This may be due to routing issues, incorrect configuration of the DHCP servers, or the DHCP client lease not being present on the DHCP servers.

Resolution: Ensure that you can ping the DHCP server(s) if possible. Also verify that there is a valid DHCP lease on the configured DHCP server. Consult the respective DHCP server documentation on how to view current DHCP client leases. A brief overview of viewing DHCP client leases on the different types of DHCP servers is given in the following section. Also review your DHCP server configuration within the PAN 802.1x Connector application. Ensure that the correct interface is specified for DHCP type Palo Alto, and that the correct subnet is configured for DHCP type Microsoft.


Verify that a valid DHCP client lease does exist on the configured DHCP server

DHCP type: Microsoft

Launch the “DHCP” console from the “Administrative tools” control panel on the Microsoft Windows server running the DHCP service.

DHCP type: Cisco IOS

Connect to the Cisco IOS device using SSH. A free SSH2 application named “PuTTY” may be used to connect to the Cisco IOS device. Once connected, run the command “show ip dhcp binding”.

Cisco IOS may display the client ID instead of the actual MAC address of the DHCP client. Typically the client ID is 14 characters long whereas a MAC address is 12 characters long. To determine the MAC address, use the 12 right most characters. For example, a Client-ID of "0100.1346.8bbe.b2" may be displayed for a DHCP client. Use only the right most 12 characters as the MAC. In this example, the first 2 characters "01" must be omitted and only the last 12 characters used, which is "00.1346.8bbe.b2". This represents the MAC address (hardware address) of the DHCP client.
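The client-ID rule above and the Step 3 lease lookup for DHCP type Microsoft can be reproduced from PowerShell, which is useful when the test function reports “Not found” and you want to confirm what the DHCP server actually holds for that MAC. The script below is an added example and is not part of the CodeCentrix guide or product. It uses the Get-DhcpServerv4Lease cmdlet from Microsoft’s DhcpServer RSAT module; the dashed xx-xx-xx-xx-xx-xx ClientId form, the DHCP server name and the scope ID are assumptions and placeholders to be replaced with your own values.

```powershell
# Added example, not CodeCentrix code: normalise a MAC address or a Cisco IOS DHCP
# client-ID and look the lease up on a Microsoft DHCP server, mirroring the
# "Test DHCP Servers" function for the Microsoft DHCP type.

function ConvertTo-NormalisedMac {
    param([Parameter(Mandatory)][string]$Identifier)
    # Drop every separator the various tools use (':' '-' '.' and spaces) and lower-case the hex digits
    $hex = ($Identifier -replace '[^0-9A-Fa-f]', '').ToLower()
    switch ($hex.Length) {
        12 { }                            # a plain MAC address, e.g. from "ipconfig /all"
        14 { $hex = $hex.Substring(2) }   # Cisco client-ID: the leading "01" is the hardware-type byte, not part of the MAC
        default { throw "Unexpected identifier length $($hex.Length) for '$Identifier'" }
    }
    # Microsoft DHCP lists ClientId as xx-xx-xx-xx-xx-xx (assumed to be the accepted input form as well)
    return ($hex -replace '(..)(?!$)', '$1-')
}

function Find-DhcpLeaseByMac {
    param(
        [Parameter(Mandatory)][string]$Identifier,
        [Parameter(Mandatory)][string]$DhcpServer,   # placeholder: name or IP of the Microsoft DHCP server
        [Parameter(Mandatory)][string]$ScopeId       # placeholder: the scope/subnet configured for DHCP type Microsoft
    )
    $mac = ConvertTo-NormalisedMac -Identifier $Identifier
    # Get-DhcpServerv4Lease ships with the DhcpServer RSAT module; the caller needs "DHCP Users" membership
    $lease = Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $ScopeId -ClientId $mac -ErrorAction SilentlyContinue
    if ($lease) {
        [pscustomobject]@{ Result = 'SUCCESS';   MAC = $mac; IPAddress = $lease.IPAddress; Expires = $lease.LeaseExpiryTime }
    }
    else {
        # Same outcome the test function reports when no server holds a lease for the MAC
        [pscustomobject]@{ Result = 'Not found'; MAC = $mac; IPAddress = $null;             Expires = $null }
    }
}

# The guide's own Cisco client-ID and the equivalent plain MAC both normalise to the same value
ConvertTo-NormalisedMac -Identifier '0100.1346.8bbe.b2'
ConvertTo-NormalisedMac -Identifier '00-13-46-8B-BE-B2'
# Find-DhcpLeaseByMac -Identifier '0100.1346.8bbe.b2' -DhcpServer 'dhcp01.lab.example' -ScopeId '192.168.10.0'
```

If the lease is returned here but the test function still reports “Not found”, the remaining suspects are the subnet configured for the DHCP server entry in the PAN 802.1x Connector application and the account the service runs under, not the DHCP server itself.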


DHCP type: Palo Alto

Log into the Palo Alto Networks web interface (HTTPS://<Palo Alto IP>). Navigate to “Network” and then “DHCP”.


STEP 4 – VERIFY THAT THE PAN 802.1X CONNECTOR SERVICE IS RUNNING

The PAN 802.1x Connector service is responsible for mapping Microsoft NPS authenticated users to IP addresses and pushing those mappings to the Palo Alto Networks firewall(s). No user to IP mappings will be pushed to the Palo Alto Networks firewalls if this service is not running. Verify the current service status by clicking on “Status” in the PAN 802.1x Connector application.

Further verification may be done by launching the Microsoft Service manager console. This can be done by clicking on “Services” from within the “Administrative tools” control panel on the Windows server. Verify that the “PAN 802.1x Connector Service” is “Started”.


STEP 5 – CHECK THE PALO ALTO NETWORKS FIREWALL(S) FOR USER MAPPINGS

The final verification step requires checking the Palo Alto Networks firewall or firewalls (HA) for XMLAPI user mappings. SSH to the primary Palo Alto Networks firewall IP. Run the command “show user ip-user-mapping-mp all type XMLAPI”. This command will output the user to IP mappings received via the Palo Alto Networks firewall API. User mappings with type “XMLAPI” are mappings pushed by the PAN 802.1x Connector service.

The installation, configuration and verification of the PAN 802.1x Connector application and service are now complete. Please read through the “Configuration tips and troubleshooting” section on page 47 if you experienced any issues while configuring or testing any component of the PAN 802.1x Connector application.


Application and Service Logs

The application and service logs may be found under the “Monitoring” menu. Each of the logs stores specific information related to a component of the PAN 802.1x Connector application. Each log represents the following component of the PAN 802.1x Connector software:

PAN 802.1x Connector Log: Contains log messages related to the application itself as well as anything related to the application interface. Examples of log messages are errors while configuring the application, application crashes or any application interface related log messages.

PAN Service Log: This log contains messages related to the operation of the PAN 802.1x Connector service. Examples of log messages are event ID 6272 events triggered, IP lookups of authenticated 802.1x users, user to IP mappings pushed to Palo Alto Networks firewalls, as well as PAN 802.1x Connector service start up and service related error messages. Licensing related messages are also logged to this container. It is very useful for troubleshooting purposes.


The log files are stored within the installation directory of the PAN 802.1x Connector application. This is normally “C:\%programdata%\PAN 802.1X Connector”. A total of 6 log files will be stored for each log container. Each of the 6 log files will consume a maximum of 10Mb of disk space. The logs will be rotated – this ensures that the logs will never consume more than 120Mb of disk space.

By default the log level is set to “Information”. The log level can be changed by selecting “File” and then “Log Level”.

During normal operation it is not necessary to set the log level to “Debug”; “Informational” is sufficient. Be aware when setting the log level to “Debug” that the logging may generate too much information and may impact performance. Always change the log level back to “Informational” after troubleshooting. “Informational” generates more logs than “Error”, while “Debug” generates the most log messages.


Application Licensing

The application license is perpetual. Renewal is required yearly for production licenses. There is no cost involved with renewing PAN 802.1x Connector version 1 licenses. There are 3 types of licenses:

- Trial license. Valid for 30 days from issuing. Allows for the pushing of user to IP mappings to a single Palo Alto Networks firewall only.
- Production license (Single). Fully functional production license. This license allows for pushing of user to IP mapping information to one Palo Alto Networks firewall only. Valid for 1 year from issuing.
- Production license (High Availability). Fully functional production license. This license allows you to push user to IP mapping information to two Palo Alto Networks firewalls. This type of license is for environments where two Palo Alto Networks firewalls are configured in high availability (HA).

The PAN 802.1x Connector application license is linked to the Palo Alto Networks firewall serial number(s) specified during the licensing purchase. The PAN 802.1x Connector service will not push user to IP mappings to any Palo Alto Networks firewall whose serial number is not within the license. You may view which firewall serial number or numbers (HA) are allowed by clicking “Status” under the “User Identification” menu item. For more information have a look at the service logs under “Monitoring” when starting or restarting the service.

The license allows for the installation of the application on as many Microsoft Windows servers as needed. The license is linked to the Palo Alto Networks serial numbers and not to the number of installations of the application. This allows the administrator to install the PAN 802.1x Connector application on all Microsoft NPS servers for redundancy purposes.


Default Action upon License Expiry

It is important to note that the PAN 802.1x Connector service will be stopped when the license expires. The PAN 802.1x Connector service will generate a log message indicating the reason. A log message will be generated informing the user that the license expired on the specific date. The license expiry date may be found on the “Status” page under “User Identification”. Please be sure to renew your application license at least 2 weeks in advance of the license expiry date.

License Renewal

Licenses are renewed through the www.codecentrix.co.za/purchase web page. The license renewal is done in a similar manner to purchasing the software. Select “renewal” as the license type. Fill in your firewall serial number or numbers. A confirmation email will be sent to the email address which was supplied during the purchase. Your renewed license key will be emailed to you once approved. Copy and paste your new license into the PAN 802.1x Connector application settings’ “Software license” field. Click the “Update” button and restart the application. Your new license will now be active. Verify the license particulars by clicking on the “User Identification” menu item and then “Status”. Next stop and start the PAN 802.1x Connector service by clicking on “Service Setup”, then “Stop” and “Start” after the service has stopped.

Upgrading to a High Availability License

License upgrades can be done through the www.codecentrix.co.za/purchase web page. Select “License upgrade” when prompted for a license type. A confirmation email will be sent to the email address once the request has been processed. Copy and paste your new license into the PAN 802.1x Connector application settings page. Click the “Update” button and restart the application. Your new license should now be active. Verify the license particulars by clicking on the “User Identification” menu item and then “Status”. Next configure the secondary Palo Alto Networks firewall settings. Click “Update” and then restart the service by going to the “Service Setup” sub menu. First stop the running service by clicking on “Stop”. Click on “Start” after the service has stopped. Check the PAN 802.1x Connector service logs to verify that the service was started successfully.

For any licensing related questions or issues, please email [email protected]


CONFIGURATION TIPS AND TROUBLESHOOTING

Minimum rights required to run the PAN 802.1x Connector service

The PAN 802.1x Connector application must always be “Run as Administrator”. For security reasons, the PAN 802.1x Connector service may be started with a more restrictive account. The following are the minimum rights required by the service account:

1) “Log on as a service” rights. Add the service account to the “Log on as a service” local policy. This can be done by editing the local security policy on the Microsoft server running the Microsoft Network Policy Server (NPS). Please refer to the following document for more information - https://technet.microsoft.com/en-us/library/cc739424%28v=ws.10%29.aspx

2) Add the service account to the following groups:
   a. Server operators
   b. Event log readers
   c. Distributed COM users
   d. DHCP users

This will allow the PAN 802.1x Connector service to run with minimum rights on the Microsoft server.
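Before the service is switched from an administrator account to the restricted account, it is worth confirming that the account already holds exactly the rights listed above and nothing more. The script below is an added example and is not part of the CodeCentrix guide or product. It only reports, it grants nothing: the “Log on as a service” right is read from a secedit export of the local policy (SeServiceLogonRight), and group membership is read through the WinNT ADSI provider so that the same script works on a member server and on a domain controller. The account name is a placeholder, the export file path is an assumption, and nested group membership is not resolved, so an account that is a member through another group will show as missing.

```powershell
# Added example, not CodeCentrix code: report whether a service account already holds the
# minimum rights listed above, without granting anything. Run from an elevated PowerShell
# prompt on the NPS server. Nested group membership is not resolved.
param(
    [Parameter(Mandatory)][string]$Account   # placeholder, e.g. 'LAB\servicetest'
)

$requiredGroups = 'Server Operators', 'Event Log Readers', 'Distributed COM Users', 'DHCP Users'

# 1) "Log on as a service" = SeServiceLogonRight, read from an export of the local security policy
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$inf = Join-Path $env:TEMP 'user-rights-check.inf'   # assumed scratch location for the export
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content $inf | Where-Object { $_ -match '^SeServiceLogonRight' } | Select-Object -First 1
Remove-Item $inf -ErrorAction SilentlyContinue
# secedit writes principals as *SID; some exports carry the account name instead, so accept both
$hasLogonRight = [bool]$line -and (($line -match [regex]::Escape("*$sid")) -or ($line -match [regex]::Escape($Account)))

# 2) Group membership through the WinNT provider, which works on member servers and domain
#    controllers alike. "Server Operators" exists only on domain controllers and "DHCP Users"
#    only where the DHCP role is installed, so a missing group is reported rather than failing.
$groupChecks = foreach ($g in $requiredGroups) {
    try {
        $group   = [ADSI]"WinNT://$env:COMPUTERNAME/$g,group"
        $members = @($group.Invoke('Members') | ForEach-Object {
            # ADsPath looks like WinNT://LAB/servicetest; turn it into LAB\servicetest for comparison
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', '' -replace '/', '\'
        })
        [pscustomobject]@{ Check = "Member of '$g'"; OK = ($members -contains $Account) }
    }
    catch {
        [pscustomobject]@{ Check = "Member of '$g'"; OK = "group not present on $env:COMPUTERNAME" }
    }
}

[pscustomobject]@{ Check = 'Log on as a service'; OK = $hasLogonRight }
$groupChecks
```

A false result for “Event Log Readers” is the usual cause of the “Attempted to perform an unauthorized operation” outcome in Step 1 of the verification section, and a missing “Log on as a service” right is the usual cause of the service refusing to start under the restricted account.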


Backup/Restore the PAN 802.1x Connector configuration

The PAN 802.1x Connector application configuration file is stored in the directory “C:\%programdata%\PAN 802.1X Connector”. Copy the file “configfile.xml” and store it in a safe place. To restore a configuration after a new installation, copy the backed up file “configfile.xml” into the directory “C:\%programdata%\PAN 802.1X Connector”. This will restore the full configuration including the software license. Please do not edit the configuration file manually: the PAN 802.1x Connector application will reset the configuration to default!

Optimising Microsoft NPS session, DHCP and user-ID timeout values

It is important to ensure that the timeout values for each of these systems are configured in the correct ratios. This is to ensure that user to IP mappings do not expire before an 802.1x re-authentication occurs.

It is recommended that the DHCP client lease be configured to expire at a minimum every 24 hours, the Microsoft Network Policy Server (NPS) client sessions every 60 minutes and the PAN 802.1x Connector application user-ID timeout every 270 minutes. This configuration will ensure that a user’s 802.1x session is re-authenticated every 60 minutes. It is completely transparent to the end user. They will not have to fill in their login credentials every 60 minutes. All devices will cache the login credentials and use them to authenticate automatically and seamlessly in the background. This will result in the PAN 802.1x Connector service pushing re-authenticated user mappings to the configured Palo Alto Networks firewalls every 60 minutes. It ensures that the user mapping is refreshed every 60 minutes on the firewall – long before the configured Palo Alto Networks firewall user cache expiry time of 270 minutes.


Configure the Microsoft Network Policy Server session timeout value:

For more information, reference the following Microsoft NPS document (see “session timeout”) - https://technet.microsoft.com/en-us/library/cc772474(v=ws.10).aspx

Configure the PAN 802.1x Connector user identification timeout:

Do not configure the PAN 802.1x Connector application user-ID session timeout lower than the Microsoft NPS client session timeout. This will result in the Palo Alto Networks firewall expiring a cached user mapping before the user has been re-authenticated.

For large network user environments, consider setting the Microsoft NPS client session timeout value to 3 hours, and the PAN 802.1x Connector user-ID timeout value to 600 minutes (10 hours).
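The rule above (the user-ID timeout must always exceed the NPS session timeout) is easy to get wrong when the two values are configured in different consoles and different units. The following Python check is an added example, not part of the CodeCentrix guide or the product: it expresses both recommended configurations in minutes, verifies the guide's rule, and counts how many 60-minute (or 3-hour) re-authentications refresh the mapping before the firewall cache would expire. The comparison against the DHCP lease is an assumption added here and is marked as such in the code.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TimeoutPlan:
    """One set of timeout values, all in minutes (constructed container)."""
    dhcp_lease_min: int       # DHCP client lease
    nps_session_min: int      # Microsoft NPS client session timeout
    userid_timeout_min: int   # PAN 802.1x Connector user-ID timeout


# The two configurations recommended by the guide, expressed in minutes.
GUIDE_DEFAULT = TimeoutPlan(dhcp_lease_min=24 * 60, nps_session_min=60, userid_timeout_min=270)
GUIDE_LARGE_SITE = TimeoutPlan(dhcp_lease_min=24 * 60, nps_session_min=3 * 60, userid_timeout_min=600)


def reauths_before_expiry(plan: TimeoutPlan) -> int:
    """Number of 802.1x re-authentications (each one refreshes the firewall
    mapping) that complete before the user-ID cache entry would expire."""
    return plan.userid_timeout_min // plan.nps_session_min


def check_timeouts(plan: TimeoutPlan) -> list[str]:
    """Return the list of problems with a plan; an empty list means it follows the guide."""
    findings = []
    # Rule from the guide: never set the user-ID timeout lower than the NPS session
    # timeout, or the firewall expires the mapping before the user re-authenticates.
    if plan.userid_timeout_min <= plan.nps_session_min:
        findings.append(
            f"user-ID timeout {plan.userid_timeout_min} min is not greater than the "
            f"NPS session timeout {plan.nps_session_min} min")
    # Assumption added in this example (not a rule stated by the guide): a mapping that
    # outlives the DHCP lease may point at an address the client no longer holds.
    if plan.userid_timeout_min > plan.dhcp_lease_min:
        findings.append(
            f"user-ID timeout {plan.userid_timeout_min} min exceeds the DHCP lease "
            f"{plan.dhcp_lease_min} min")
    return findings


if __name__ == "__main__":
    for name, plan in (("default", GUIDE_DEFAULT), ("large site", GUIDE_LARGE_SITE)):
        print(name, plan, "refreshes before expiry:", reauths_before_expiry(plan),
              "findings:", check_timeouts(plan) or "none")
```

Run it against your own values before changing either console; a non-empty findings list means the mapping can expire on the firewall while the user is still connected.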


Problem with starting the PAN 802.1x Connector service

There could be a couple of reasons why the service could not be started. Always consult the PAN 802.1x Connector service log first. Possible reasons why the service could not be started are:

1) The configured service account may not have “Log on as a service” rights. Please refer to page 46 for more information. Try entering the username and password manually within the Windows service manager console.


2) Microsoft Windows related issue such as the PAN 802.1x Connector service process being unresponsive. It may be necessary to kill the service process and start it again. First find the process ID of the PAN 802.1x Connector service by running the command “sc queryex PANConnectorService”.

Now kill the PAN 802.1x Connector service by issuing the following command: “taskkill /f /pid <PID>”. In the guide’s example, where the reported process ID is 2004, the command would be as follows: “taskkill /f /pid 2004”. Restart the PAN 802.1x Connector service from within the PAN 802.1x Connector application or Windows service manager console.
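The step above reads the PID off the “sc queryex” output by eye. As an added example (not from the CodeCentrix guide), the Python below parses a constructed sample of that output in the standard “KEY : VALUE” layout, pulls out the STATE and PID fields, and only builds the “taskkill /f /pid <PID>” command line when there is actually a running process: a PID of 0 means the service is already stopped, in which case the right action is to start it, not to kill anything. The sample output is constructed; its PID of 2004 simply mirrors the guide's example.

```python
import re

# Constructed sample of the output of "sc queryex PANConnectorService". The guide's
# own screenshot is not reproduced; the PID 2004 matches the guide's worked example.
SAMPLE_SC_OUTPUT = """\
SERVICE_NAME: PANConnectorService
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 2004
        FLAGS              :
"""

# One "KEY : VALUE" line; continuation lines such as "(STOPPABLE, ...)" have no key.
_FIELD = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$")


def parse_sc_queryex(text: str) -> dict:
    """Parse sc queryex output into a dict.

    STATE becomes a (code, name) pair and PID an int; every other field is kept
    as the raw string. Lines without a key are skipped.
    """
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "STATE":
            code, _, name = value.partition(" ")
            fields[key] = (int(code), name.strip())
        elif key == "PID":
            fields[key] = int(value)
        else:
            fields[key] = value
    return fields


def taskkill_command(fields: dict):
    """Build the taskkill command line for the service process, or return None when
    there is no running process to kill (sc reports PID 0 for a stopped service)."""
    pid = fields.get("PID", 0)
    if pid == 0:
        return None
    return ["taskkill", "/f", "/pid", str(pid)]


if __name__ == "__main__":
    parsed = parse_sc_queryex(SAMPLE_SC_OUTPUT)
    print(parsed["SERVICE_NAME"], parsed["STATE"], parsed["PID"])
    print(taskkill_command(parsed))
```

On a real server, feed the function the captured output of “sc queryex PANConnectorService” instead of the constructed sample; the command list can then be passed to subprocess.run without shell quoting.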

3) Attempt to start the service from within the Windows service properties window. Note down any Windows error that you may receive. Consult Microsoft documentation on the error you received. Have a look at the Windows event viewer for any errors related to the PAN 802.1x Connector service – look for


Appendix A – PAN 802.1x Connector application operations

The PAN 802.1x Connector service operation is shown in the below flow diagram. The PAN 802.1x Connector service is triggered by the Microsoft service sub system when a security event 6272 log is generated. The Microsoft Network Policy Server (NPS) handles incoming 802.1x authentication requests via the Radius protocol, and the Microsoft NPS server is responsible for generating security event ID 6272 logs for successfully authenticated users. The PAN 802.1x Connector service processes each log event as follows:

Flow diagram (recovered from the original figure as a sequence of steps):

1) User device connects and successfully authenticates to an 802.1x enabled network switch or wireless access point.

2) Security event ID 6272 is generated by the Microsoft NPS server.

3) The PAN 802.1x Connector service processes event 6272. The username is extracted and stored in memory, and the service extracts the user device MAC address.

4) Perform MAC lookup on the first DHCP server. MAC found?

a. No: MAC not found on DHCP server. Try the next DHCP server in the list and continue until the last DHCP server has been checked. No more DHCP servers and MAC not found: processing complete and exit.

b. Yes: MAC address found on DHCP server. Extract the associated IP address.

5) Prepend the domain name from the DHCP server configuration to the username. Link the username to the IP address.

6) Push the username to IP address mapping to the primary firewall.

a. Primary firewall offline: cannot access primary firewall. Processing complete. Disable the firewall for 5 minutes if down 10 times in a row.

7) Push the username to IP address mapping to the secondary firewall (HA only).

a. Secondary firewall offline: cannot access the firewall. Processing complete. Disable the firewall for 5 minutes if down 10 times in a row.

8) Username to IP mapping successfully pushed to firewall. Processing complete. Exit.

It is important to ensure that the Microsoft NPS server does log successful authentications. The PAN 802.1x Connector application depends on a fully operational Microsoft NPS server with logging enabled. Consult Microsoft documentation on how to install, operate and maintain a Microsoft NPS server.
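To make the Appendix A flow concrete, the Python below is an added example that simulates the processing path step by step; it is not the connector's code and calls none of its APIs, the NPS event, the DHCP lease tables and the firewalls are all constructed stand-ins. It follows the diagram as drawn: the username and MAC are taken from the 6272 event (the field names used, SubjectUserName and CallingStationID, are an assumption modelled on the event's data fields), the DHCP servers are tried in order until the MAC is found, the domain from the matching DHCP server's configuration is prepended (the “domain\user” form is an assumption), the mapping is pushed to the primary and then the secondary firewall, and an unreachable primary ends processing. It also implements the “disable for 5 minutes after 10 consecutive failures” rule, which keeps a dead firewall from stalling every subsequent event.

```python
from dataclasses import dataclass, field
from typing import Optional

DISABLE_AFTER_FAILURES = 10   # guide: disable the firewall if down 10 times in a row
DISABLE_MINUTES = 5           # guide: keep it disabled for 5 minutes


def normalize_mac(mac: str) -> str:
    """Reduce AA-BB-CC-DD-EE-FF, aa:bb:..., aabb.ccdd.eeff etc. to 12 lowercase hex digits."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


@dataclass
class DhcpServer:
    """Constructed stand-in for one configured DHCP server."""
    name: str
    domain: str                   # domain name taken from the DHCP server configuration
    leases: dict[str, str]        # constructed lease table: MAC -> IP address

    def __post_init__(self):
        self.leases = {normalize_mac(k): v for k, v in self.leases.items()}

    def lookup(self, mac: str) -> Optional[str]:
        return self.leases.get(normalize_mac(mac))


@dataclass
class Firewall:
    """Constructed stand-in for a Palo Alto Networks firewall receiving User-ID mappings."""
    name: str
    online: bool = True
    consecutive_failures: int = 0
    disabled_until: float = 0.0   # simulated clock, in minutes
    pushed: list = field(default_factory=list)

    def push_mapping(self, user: str, ip: str, now: float) -> bool:
        """Push one mapping; return False when the push could not be made."""
        if now < self.disabled_until:          # still inside the 5-minute disable window
            return False
        if not self.online:
            self.consecutive_failures += 1
            if self.consecutive_failures >= DISABLE_AFTER_FAILURES:
                self.disabled_until = now + DISABLE_MINUTES
                self.consecutive_failures = 0  # counter restarts after the window
            return False
        self.consecutive_failures = 0
        self.pushed.append((user, ip))
        return True


def parse_event_6272(event: dict) -> tuple[str, str]:
    """Return (username, MAC) from a constructed 6272 event; field names are assumptions."""
    return event["SubjectUserName"], event["CallingStationID"]


def process_event(event: dict, dhcp_servers: list, primary: Firewall,
                  secondary: Optional[Firewall] = None, now: float = 0.0) -> dict:
    """Run one event through the Appendix A flow and report where it ended."""
    user, mac = parse_event_6272(event)
    for server in dhcp_servers:                # try each DHCP server in list order
        ip = server.lookup(mac)
        if ip:
            qualified_user = f"{server.domain}\\{user}"  # prepend the server's domain
            break
    else:                                      # list exhausted, MAC never found
        return {"status": "mac_not_found", "user": user, "mac": mac}
    if not primary.push_mapping(qualified_user, ip, now):
        return {"status": "primary_unreachable", "mapping": (qualified_user, ip)}
    if secondary is not None and not secondary.push_mapping(qualified_user, ip, now):
        return {"status": "secondary_unreachable", "mapping": (qualified_user, ip)}
    return {"status": "pushed", "mapping": (qualified_user, ip)}


if __name__ == "__main__":
    # Constructed sample data: two DHCP scopes, an HA firewall pair, one successful logon.
    dhcp = [DhcpServer("dhcp1", "corp.example", {"aa:bb:cc:dd:ee:01": "10.1.1.10"}),
            DhcpServer("dhcp2", "lab.example", {"aa:bb:cc:dd:ee:02": "10.2.2.20"})]
    event = {"SubjectUserName": "jdoe", "CallingStationID": "AA-BB-CC-DD-EE-02"}
    print(process_event(event, dhcp, Firewall("fw-primary"), Firewall("fw-secondary")))
```

Two things the simulation makes visible that the diagram only implies: a MAC in a different notation from the DHCP server's still matches, and while a firewall is in its 5-minute disabled window the failed pushes are skipped rather than counted, so the counter restarts cleanly once the window ends.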