PAN 802.1x Connector Application Installation Guide


PAN 802.1x Connector Application Installation Guide, Version 1.2
Copyright CodeCentrix. All rights reserved 2015.

Contact Information
CodeCentrix: www.codecentrix.co.za/contact
Email: info@codecentrix.co.za

About this Guide
This installation guide takes you through the installation, activation and configuration of the PAN 802.1x Connector application. It details the steps needed to activate the software, perform an initial configuration, install and start the application service, and verify and test the configuration using the built-in test functions. It also includes troubleshooting steps should you have any issue while testing the configuration. An overview of the application's operation and a process flow chart can be found in Appendix A.

This guide does not cover the configuration of 802.1x capable infrastructure such as switches and wireless access points. Refer to the respective switch or wireless access point vendor's configuration manual for instructions on configuring those network devices for 802.1x authentication. The majority of network devices, such as mobile devices, printers, projectors, and Microsoft and Apple computers, support 802.1x authentication.

A prerequisite is that a Microsoft Network Policy Server (NPS) is installed, running and accepting authentication requests from network devices. For more information on deploying and running the Microsoft NPS role, visit Microsoft's website: https://msdn.microsoft.com/en-us/library/cc732912.aspx

PAN 802.1x Connector tech notes and articles can be found at www.codecentrix.co.za/knowledgebase. Email support@codecentrix.co.za if you have any technical questions, issues or feature requests.

TABLE OF CONTENTS
Installing and configuring the PAN 802.1x Connector application ... 5
  Step 1 - Run Setup.exe ... 6
  Step 2 - Activate the PAN 802.1x Connector application ... 10
  Step 3 - Configuring the PAN 802.1x Connector application ... 13
  Step 4 - Adding DHCP servers ... 16
    i. DHCP server type Microsoft ... 18
    ii. DHCP server type Palo Alto Networks ... 20
    iii. DHCP server type Cisco ... 22
  Step 5 - Installing and starting the PAN 802.1x Connector service ... 24
    Install the service ... 24
    Start the service ... 26
Verifying the PAN 802.1x Connector installation ... 27
  Step 1 - Verify read access to the Microsoft security event logs ... 28
  Step 2 - Test connectivity to the Palo Alto Networks firewall(s) ... 33
  Step 3 - Test DHCP server functionality ... 36
  Step 4 - Verify that the PAN 802.1x Connector service is running ... 41
  Step 5 - Check the Palo Alto Networks firewall for user mappings ... 42
Application and Service logs ... 43
Application licensing ... 45
  Default action upon license expiry ... 46
  License renewal ... 46
  Upgrading to a high availability license ... 46
Configuration tips and troubleshooting ... 47
  Minimum rights required to run the PAN 802.1x Connector service ... 47
  Backup/Restore the PAN 802.1x Connector configuration ... 48
  Optimising Microsoft NPS session, DHCP and user-id timeout values ... 48
  Issues starting the PAN 802.1x Connector service ... 50
Appendix A - PAN 802.1x Connector application operations ... 52

System Requirements

Supported Operating Systems:
- Microsoft Windows 2008
- Microsoft Windows 2008 R2
- Microsoft Windows 2012
- Microsoft Windows 2012 R2

Prerequisites:
- Microsoft .NET 4.0
- Microsoft Network Policy Server (NPS)
- 802.1x capable network infrastructure (switch or wireless Access Point (AP)) configured to authenticate to the Microsoft NPS
- A Microsoft DHCP server and/or Palo Alto Networks firewall DHCP server and/or Cisco IOS DHCP server
- Palo Alto Networks firewall or firewalls (high availability mode)

The PAN 802.1x Connector application will function without any DHCP servers specified, but no MAC to IP mappings will be discoverable, since the application uses the DHCP server's binding table (IP leases) to discover the IP address of the 802.1x authenticated network device. More than one DHCP server may be configured; the application processes the configured DHCP servers in a top-down sequence. Any combination of Microsoft, Palo Alto Networks and Cisco DHCP servers may be configured. See Appendix A for more information on the processing logic of the PAN 802.1x Connector application.

INSTALLING AND CONFIGURING THE PAN 802.1X CONNECTOR APPLICATION

The PAN 802.1x Connector application must be installed on a Microsoft server that is running a Microsoft Network Policy Server (NPS). The PAN 802.1x Connector service depends on the logs generated by the Microsoft NPS server to extract user and user device related information. This information is processed and, when processing completes successfully, pushed to the Palo Alto Networks firewall(s).

The PAN 802.1x Connector application can be installed on all Microsoft servers running Microsoft NPS. This is ideal for environments where high availability is essential. Multiple PAN 802.1x Connector installations can push mappings to a single Palo Alto Networks firewall, or to a firewall pair, when a high availability license is activated. Each installation runs independently of the others and does not need to be connected to them; each installed application communicates directly with the Palo Alto Networks firewall(s) whenever a Microsoft NPS log has been processed successfully.

The same license key may be used for each installed PAN 802.1x Connector application. The license key is bound to the Palo Alto Networks firewall(s), not to the installation instances; each installed application will only communicate with the Palo Alto Networks serial numbers specified in the license key. See page 44 for more information on application licensing.

The latest version of the PAN 802.1x Connector application may be downloaded from www.codecentrix.co.za/download

The following section details the installation steps. Ensure that you have administrative rights to install the application.

Note: The PAN 802.1x Connector application must be installed on a Microsoft server that is running a Microsoft Network Policy Server (NPS). You may install the PAN 802.1x Connector application on all Microsoft NPS servers in your organisation or environment.

STEP 1 - RUN SETUP.EXE

After downloading the application, right click on the Setup.exe installer and select Run as administrator. Click Next on the initial setup screen to start the installation process.

Select I accept the license agreement and click Next. Click Next to install the PAN 802.1x Connector with the Application menu group PAN 802.1X Connector.

Optionally a shortcut can be created on the desktop; if required, tick Create desktop icon. Click Install to start installing the PAN 802.1x Connector application.

The PAN 802.1x Connector application may optionally be launched after installation completes. Ensure that you have your application license key ready: the application requires a valid license key before any configuration can be done. Untick the box next to Launch PAN 802.1x Connector if you do not have your license key ready or if you want to perform the configuration at a later stage. Click Finish to complete the installation.

The installation directory for the PAN 802.1x Connector application is C:\Program Files (x86)\pan 802.1x Connector. It is a 32-bit application. A desktop shortcut is placed on the desktop if that option was selected during the installation, and a start menu folder named PAN 802.1x Connector is created.

STEP 2 - ACTIVATE THE PAN 802.1X CONNECTOR APPLICATION

The application requires activation by means of a license key on first run. Your license key will have been emailed to the email address specified during the purchase process. Check your email spam folder if you did not receive an email containing your license key.

If you are evaluating the application, a 30 day evaluation license key will have been emailed to the email address specified during checkout. Check your email spam folder if you did not receive your evaluation license key. Alternatively, you may request an evaluation license by emailing info@codecentrix.co.za.

An email containing your license key will look similar to the screen output shown in this step. Email support@codecentrix.co.za if you have any issue with your license particulars, such as the Palo Alto firewall serial number(s) associated with your license key. Verify all particulars of your license entitlement.

Select and copy the license key. Launch the PAN 802.1x Connector application and paste the copied license key into the text box. Click Accept. The PAN 802.1x Connector application will open the configuration screen if the license key was accepted; if not, an error message is displayed.

The first task after successfully activating the application is to navigate to the Status page and verify your license entitlement. Verify that the particulars associated with your license are correct. It is important to check that the correct Palo Alto Networks firewall serial number(s) are listed under the Status page, and that the correct license type is displayed. The PAN 802.1x Connector service will not push any user to IP mappings to a Palo Alto Networks firewall that is not listed under the Licensed Palo Alto Networks firewall serial numbers. The PAN 802.1x Connector software license is linked to the supplied Palo Alto Networks firewall serial number, or serial numbers in HA deployments. Proceed to the next step once your license details are verified and correct.

STEP 3 - CONFIGURING THE PAN 802.1X CONNECTOR APPLICATION

Configuration settings can be found by expanding User Identification and then clicking on PAN 802.1x Connector Setup. The PAN 802.1x Connector service related configuration, the Palo Alto Networks firewall(s) configuration and the DHCP server configuration are shown in the right hand pane. The PAN 802.1x Connector service configuration and Palo Alto firewall(s) are set up first. For more information on each setting, see Table 1. Settings for a secondary Palo Alto Networks firewall are only available if you activated your PAN 802.1x Connector software using a high availability license.

Table 1: PAN 802.1x Connector Settings Explained

Windows Service Logon Account Username: Specify a Microsoft Windows account with which the PAN 802.1x Connector service will be installed and started as a service. Any Microsoft Windows account belonging to the Microsoft AD group Administrators will work. For a more restrictive Windows service account, see page 46 for the minimum administrator rights required.

Windows Service Logon Account Password: Password for the specified Microsoft Windows account.

Software License: PAN 802.1x Connector software license.

Primary Palo Alto Networks Firewall IP: Primary Palo Alto Networks firewall IP with which the PAN 802.1x Connector service will communicate. User to IP mappings are pushed to this IP on port 443. Ensure that the Palo Alto Networks firewall web interface is accessible on this IP.

Primary Palo Alto Networks Firewall API key: An API key must be generated which the PAN 802.1x Connector service will use to authenticate with the Palo Alto Networks firewall. A Palo Alto Networks firewall key can be generated by clicking the "Generate" button. Ensure that the Palo Alto Networks firewall is online and reachable before clicking "Generate". You will be prompted to enter a username and password after clicking "Generate"; fill in the Palo Alto Networks firewall login credentials. The PAN 802.1x Connector application uses these credentials to generate a Palo Alto Networks firewall API key.

User Identification timeout (min): This value is pushed with the user and IP mapping to the Palo Alto Networks firewall. The firewall uses this value as the user cache timeout, i.e. the user mapping is removed from the Palo Alto Networks firewall user database after the specified time is reached. The default is 90 minutes. The maximum is 44640.

Secondary Palo Alto Networks Firewall IP: This setting is only available when a high availability PAN 802.1x Connector software license was purchased and activated. The PAN 802.1x Connector service can push user to IP mappings to a secondary Palo Alto Networks firewall. This ensures user to IP mappings are sent to both your Palo Alto Networks HA primary and secondary firewalls.

Secondary Palo Alto Networks Firewall API key: An API key must be generated to allow the PAN 802.1x Connector service to authenticate and communicate with the secondary Palo Alto Networks firewall. Ensure that the secondary firewall is reachable and online, then click the "Generate" button. You will be prompted for a username and password after clicking "Generate"; fill in the Palo Alto Networks firewall login credentials. The PAN 802.1x Connector application uses these credentials to generate a Palo Alto Networks firewall API key.

User Identification timeout (min) (secondary): This value is sent with the user and IP mapping to the secondary Palo Alto Networks firewall. The firewall uses this value as the user cache timeout, i.e. the user mapping is removed from the Palo Alto Networks firewall user database after the specified time is reached. The default is 90 minutes. The maximum is 44640.

Click the button after completing the configuration. At this point the PAN 802.1x Connector application related settings are configured. The next step is to add the DHCP server or servers which the PAN 802.1x Connector service will use to perform MAC to IP address lookups.

STEP 4 - ADDING DHCP SERVERS

The PAN 802.1x Connector application performs MAC to IP address lookups using the specified DHCP server(s). The application supports three types of DHCP server at present: Microsoft (Windows Server 2008, 2008 R2, 2012 and 2012 R2), Palo Alto Networks, and Cisco IOS based DHCP servers.

The application attempts to look up the IP address for the MAC address of the user's device, as found in a successful authentication log generated by the Microsoft Network Policy Server (NPS). If the IP address lookup succeeds, the authenticated username is combined with the discovered IP address. The application uses different connection methods for the respective DHCP server types; see Table 2 for more information.

The servers are processed top down. It is recommended to list the DHCP servers in descending order of use: the most used DHCP servers first, the least used last. The PAN 802.1x Connector service performs an IP address lookup on each DHCP server in the list until a match is found or the last DHCP server has been processed. After that the PAN 802.1x Connector service exits with "MAC not found on configured DHCP servers" in the logs.

Table 2: DHCP Server Types Explained

Microsoft DHCP server (Microsoft Server 2008, 2008 R2, 2012, 2012 R2)
  Connection method: Local DHCP DLL libraries are called if the DHCP server is local. RPC calls are used if the DHCP server is running on a remote Microsoft DHCP server.
  Required permissions: The configured Microsoft Windows service account must have permission to read the local and/or remote Microsoft DHCP server leases using RPC calls (see Table 1). The configured service account must be a member of the correct AD groups; see page 46 for more information.

Palo Alto Networks DHCP server
  Connection method: The Palo Alto Networks firewall is accessed on port 443 to retrieve the DHCP client leases.
  Required permissions: The configured Palo Alto Networks firewall API username and password must have permission to access the Palo Alto Networks REST API (SSL port 443).

Cisco IOS DHCP server
  Connection method: The DHCP client bindings are retrieved via an SSH2 connection to the Cisco device.
  Required permissions: SSH2 must be configured and running on the Cisco IOS device. A valid username and password must be supplied to log into the Cisco IOS device. Only user EXEC mode is required.

The PAN 802.1x Connector service performs a second lookup attempt for a given MAC address if a match was found on the configured DHCP server(s). The delay between the first and second lookup is 3 seconds. This is by design: it caters for DHCP servers that can take up to 3 seconds to allocate a lease to a requesting DHCP client.

The configurable parameters for each DHCP server type are explained below. To add a DHCP server, click on the Add button.
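As an added example (not code from the product or from CodeCentrix), the following PowerShell emulates the top-down lease lookup described above for the Microsoft DHCP server type only, using the Windows DhcpServer RSAT module, with one further pass after the 3-second delay when the first pass finds no lease. The server names, scopes and MAC address are constructed sample values; the account running it needs lease read rights on each server, which is the same requirement Table 2 places on the connector's service account.

```powershell
# Constructed sample DHCP server list, in the top-down order the connector would use.
$DhcpServers = @(
    @{ Name = 'HQ-DHCP';     Server = 'dhcp1.acme.local'; Scope = '10.10.0.0' },
    @{ Name = 'Branch-DHCP'; Server = 'dhcp2.acme.local'; Scope = '10.20.0.0' }
)

function Find-LeaseForMac {
    param(
        # MAC as NPS reports it in the Calling Station Identifier, e.g. 00-11-22-33-44-55
        [Parameter(Mandatory)] [string] $Mac,
        [Parameter(Mandatory)] [array]  $Servers,
        [int] $RetryDelaySeconds = 3
    )
    # Normalise any separator style (colons, hyphens, dots) to the hyphenated
    # ClientId form used by the DhcpServer cmdlets.
    $hex      = $Mac -replace '[^0-9A-Fa-f]', ''
    $clientId = (($hex -split '(..)') -ne '') -join '-'

    foreach ($attempt in 1..2) {
        foreach ($s in $Servers) {
            # Read the lease table of this scope over RPC; a missing lease is not fatal.
            $lease = Get-DhcpServerv4Lease -ComputerName $s.Server -ScopeId $s.Scope `
                        -ClientId $clientId -ErrorAction SilentlyContinue
            if ($lease) {
                return [pscustomobject]@{
                    Server  = $s.Name
                    IP      = [string]$lease.IPAddress
                    Attempt = $attempt
                }
            }
        }
        # Allow a slow DHCP server time to hand out the lease before the second pass.
        if ($attempt -eq 1) { Start-Sleep -Seconds $RetryDelaySeconds }
    }
    Write-Warning "MAC $clientId not found on configured DHCP servers"
    return $null
}

# Constructed sample MAC; on a real NPS server this would come from event ID 6272.
Find-LeaseForMac -Mac '00:11:22:33:44:55' -Servers $DhcpServers
```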

i. DHCP server type Microsoft

Server Name: Fill in a short descriptive name for the DHCP server.

Domain: The domain is prepended to the authenticated user by the PAN 802.1x service before the mapping is pushed to the configured Palo Alto Networks firewall(s). The domain must be in NetBIOS format, not FQDN. If the fully qualified domain name of a company's Active Directory domain is acme.com and the NetBIOS domain name is ACME, fill in ACME in the domain field. Authenticated users are pushed to the configured Palo Alto Networks firewall(s) as <NETBIOS>\<username>; for example, an authenticated user John is mapped as ACME\John when pushed to the firewalls. The firewall(s) will accept <FQDN domain>\<username> as well, but this may result in users not matching security policies correctly on the firewall(s). Always use the Microsoft NetBIOS domain name.

Server IP: Fill in the Microsoft DHCP server IP. This can be the local server IP or a remote Microsoft DHCP server IP. Do not use the local host IP address (127.0.0.1) if the DHCP server is local; fill in the IP address of the local network interface on which the DHCP server is running. Refer to your Microsoft DHCP server configuration to verify on which network interface the DHCP server is running.

Server type: Select Microsoft.

Subnet: Fill in the IP subnet for which the PAN 802.1x Connector must do MAC to IP lookups. This is the configured Microsoft DHCP server scope subnet. Do not fill in the subnet mask, only the subnet as configured in your Microsoft DHCP server. The original guide shows a screen snapshot of a Microsoft DHCP server scope here. To open the Microsoft DHCP server console, click Start, navigate to the Administrative Tools menu and click DHCP. The list of available subnets is displayed under the IPv4 section.

ii. DHCP server type Palo Alto Networks

Server Name: Fill in a short descriptive name for the DHCP server.

Domain: The domain is prepended to the authenticated user by the PAN 802.1x service before the mapping is pushed to the configured Palo Alto Networks firewall(s). The domain must be in NetBIOS format, not FQDN. If the fully qualified domain name of a company's Active Directory domain is acme.com and the NetBIOS domain name is ACME, fill in ACME in the domain field. Authenticated users are pushed to the configured Palo Alto Networks firewall(s) as <NETBIOS>\<username>; for example, an authenticated user John is mapped as ACME\John when pushed to the firewalls. The firewall(s) will accept <FQDN domain>\<username> as well, but this may result in users not matching security policies correctly on the firewall(s). Always use the Microsoft NetBIOS domain name.

Server IP: Fill in the IP address of the Palo Alto Networks firewall running the DHCP server. Note that the API key configured in the PAN 802.1x Connector application settings is used to access the Palo Alto Networks firewall(s) and retrieve the DHCP client leases. For more information regarding the API key, see Step 3 on page 13.

Server type: Select Palo Alto Networks.

Interface: Fill in the Ethernet interface on which the DHCP server is enabled on the Palo Alto Networks firewall. To find out on which interface DHCP is running, log on to the Palo Alto Networks firewall web interface and navigate to DHCP; the DHCP settings can be found under the Network tab.

iii. DHCP server type Cisco

Server Name: Fill in a short descriptive name for the DHCP server.

Server IP: Fill in the IP address of the Cisco IOS device on which the DHCP server is enabled and running. Ensure that SSH2 is configured and enabled on the Cisco IOS device, and that the device is accepting SSH2 logins. You may verify SSH2 connectivity to your Cisco IOS device by using an SSH2 capable application such as PuTTY and connecting to the Cisco IOS device from the Microsoft server running the PAN 802.1x Connector service. If SSH2 is enabled, the Cisco device will prompt you for login credentials. If no login prompt is displayed, either you are being blocked or SSH2 is not enabled on the Cisco IOS device.

Server type: Select Cisco.

SSH2 username: Fill in the SSH2 username with which the PAN 802.1x application will connect to the Cisco device.

SSH2 password: Fill in the SSH2 password.

Domain: The domain is prepended to the authenticated user by the PAN 802.1x service before the mapping is pushed to the configured Palo Alto Networks firewall(s). The domain must be in NetBIOS format, not FQDN. If the fully qualified domain name of a company's Active Directory domain is acme.com and the NetBIOS domain name is ACME, fill in ACME in the domain field. Authenticated users are pushed to the configured Palo Alto Networks firewall(s) as <NETBIOS>\<username>; for example, an authenticated user John is mapped as ACME\John when pushed to the firewalls. The firewall(s) will accept <FQDN domain>\<username> as well, but this may result in users not matching security policies correctly on the firewall(s). Always use the Microsoft NetBIOS domain name.

The Cisco DHCP server does not require the configuration of an IP subnet: the PAN 802.1x Connector application retrieves the complete DHCP binding table from the Cisco device.

Configuration of the PAN 802.1x Connector application is now complete. In the next section the PAN 802.1x Connector service is installed and started as a Windows service. The service persists and starts automatically after a reboot.

STEP 5 - INSTALLING AND STARTING THE PAN 802.1X CONNECTOR SERVICE The PAN 802.1x Connector service is responsible for processing incoming Microsoft Network Policy Server (NPS) security event logs, discovering IP addresses associated with an authenticated user and pushing successfully mapped user to IP mappings to the Palo Alto Networks firewall(s). The service is configured to automatically start with the Microsoft Windows server. The service can be manually stopped if required from within the PAN 802.1x Connector application or by stopping the service from the Windows services console. In the PAN 802.1x Connector application, click on the Service Setup menu. The service can be installed, uninstalled, started or stopped from here. Please ensure that step 3 is completed before proceeding. i. Install the Service The PAN 802.1x Connector application must be installed first before the service can be started or stopped. The service only has to be installed once. The PAN 802.1x Connector service can be installed by clicking on then Install button. This will install and register the PAN 802.1x Connector application as a Windows service. The service can be uninstalled by clicking on the Uninstall button on the same page. Optionally, verify that the service is installed by launching the Microsoft Windows services manager. The Microsoft Windows services manager may be launched by searching for and running the command services.msc from the Microsoft Windows start bar. "Copyright CodeCentrix. All rights reserved 2015. Version 1.2 Page 24

Look for a service named PAN 802.1x Connector within the Microsoft services manager. "Copyright CodeCentrix. All rights reserved 2015. Version 1.2 Page 25

ii. Start the Service

The service may be started and stopped once it has been successfully installed. Click on Start to start the service. Click on Stop to stop the service.

The PAN 802.1x Connector service is now installed and running. The PAN 802.1x Connector application and service are now fully configured, installed and running as a Windows system service. The next section of the installation guide will go through various steps to verify that your installation is working as expected. Read through the Configuration tips and troubleshooting on page 50 if your service does not start, or if you experienced any other issues. It is important that your service is running before continuing on to the next section, entitled Verifying the PAN 802.1x Connector installation.

Verifying the PAN 802.1x Connector installation

This part of the installation guide will test the various components of the PAN 802.1x Connector application and service. The correct functioning of the PAN 802.1x Connector service is dependent on various components working as expected. There are 3 main components which will be tested:

Accessing and reading the local Microsoft Windows security event logs
Communicating with the configured Palo Alto Networks firewall(s)
IP address lookup using a MAC address

For more information see appendix A for an operational overview of the PAN 802.1x Connector service as well as a workflow chart detailing the processing logic. Each of the components must be functional before a user to IP mapping can be successfully generated and pushed to the Palo Alto Networks firewall(s). Testing the PAN 802.1x Connector configuration will start by verifying read access to the Microsoft Windows local security event logs.

STEP 1 VERIFY READ ACCESS OF THE MICROSOFT SECURITY EVENT LOGS

The Microsoft security event logs may be viewed by launching the Microsoft Event log viewer. The PAN 802.1x Connector application reads the same Microsoft Windows security event logs. The PAN 802.1x Connector test function Test Security Event Log will attempt to retrieve the last 10 Microsoft security events with ID 6272. The Microsoft Network Policy Server (NPS) generates an event ID 6272 security log for each user who authenticates successfully. The test functions can be found by navigating to the Testing section within the PAN 802.1x Connector application.

Navigate to Test Security Event Log by expanding the Testing menu. In the right hand pane there is a button named Retrieve. Click on this button to attempt read access of the Microsoft Windows security event logs. The following output may be observed after clicking Retrieve:

Result: SUCCESS

Explanation of result: SUCCESS indicates that the PAN 802.1x Connector application was able to successfully access the Microsoft security event logs. The last 10 or fewer event logs will be displayed in the results window. The output will contain the username and the associated MAC address from which the user authenticated.

Resolution: It is possible to successfully access the Windows security event logs yet see no results in the output box. The two most common reasons for this are:

1) There are no security event ID 6272 logs in the Windows security logs. This can be manually verified by launching the Windows Event viewer (https://technet.microsoft.com/enus/library/cc766401.aspx) and searching for event ID 6272 logs in the Windows security logs. Verify that there are event ID 6272 logs. You may generate an event ID 6272 log by performing a successful 802.1x authentication. Refresh the Event viewer and recheck.

2) Successful Microsoft NPS authentications may not be logged. See the following document for more information on how to check the current Microsoft NPS logging level (https://technet.microsoft.com/enus/library/cc731085(v=ws.10).aspx). Ensure that Successful authentication requests is checked, click OK and restart the Microsoft NPS service. Recheck the Windows security event logs for event ID 6272 logs after successfully performing an 802.1x authentication.

The PAN 802.1x Connector service is dependent on Microsoft security event logs with ID 6272. No user to IP mappings will be generated if there are no event ID 6272 logs generated by the Microsoft NPS server. Check the Microsoft NPS documentation or Microsoft support forums if you still do not see any security event ID 6272 logs after trying the above suggestions.

Result: FAILED
Attempted to perform an unauthorized operation

Explanation of result: Failure to read the security event logs may be the result of the configured Windows service account not having enough permission to access the Windows security event logs. The service account must be part of the built-in Microsoft Active Directory group Event log readers to be able to read the Windows security event logs.

Resolution: There are a couple of tests that may be performed to verify whether the issue is related to the Windows service account. If you configured a service account with limited rights, try using an administrator account with full admin rights. See page 46 for more information on the minimum service account permissions.

A simple command using Microsoft's native command prompt event viewer application may be used to test read access to the Windows security event logs. Use the following command to test:

Wevtutil qe security /q:"*[system [(EventID=6272)]]" /u:<domain\username> /p:<password> /r:<server IP> /c:<count>

The command will use the specified Windows service account to access and retrieve the last <count> security logs with event ID 6272 from the Microsoft Windows security logs. Replace <domain\username>, <password>, <server IP> and <count> with the appropriate values. An example of how the command may be used is shown below. The output of the command is also shown:

C:\Users\spock>Wevtutil qe security /q:"*[system [(EventID=6272)]]" /u:lab\servicetest /p:12345678 /r:127.0.0.1 /c:1

The following command uses an incorrect password for the specified Windows service account. The error output of the command is also shown. See page 46 for more information on what the minimum permissions are for a restricted Windows service account.

C:\Users\spock>Wevtutil qe security /q:"*[system [(EventID=6272)]]" /u:lab\servicetest /p:wrongpassword /r:127.0.0.1 /c:1

Troubleshoot and correct any Access is denied errors when using your specified Windows service account. You may continue to test the rest of the PAN 802.1x Connector application components regardless of the result from testing read access to the Microsoft security event logs. Each component of the PAN 802.1x Connector application may be tested independently of the others. Note that the PAN 802.1x Connector application is reliant on each component working correctly.
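As an added example (not part of the CodeCentrix guide and not the connector's own code), the following PowerShell performs the same check as the Retrieve button and the Wevtutil command above: it reads the last 10 event ID 6272 entries from the Security log and extracts the user name and the MAC address (the RADIUS Calling-Station-Id) from each. It assumes the EventData field names of the NPS 6272 event (SubjectUserName, SubjectDomainName, CallingStationID, NASIPv4Address) and that the session runs as a member of Event Log Readers or as an administrator.

```powershell
# Added example (not CodeCentrix code): list the last N NPS event ID 6272
# entries from the Security log with the user and the MAC address the
# user authenticated from, which is what the connector's
# Test Security Event Log function displays.
# Assumptions: the session runs as a member of Event Log Readers (or as an
# administrator); the EventData field names SubjectUserName,
# SubjectDomainName, CallingStationID and NASIPv4Address follow the
# NPS 6272 event schema.
function Get-Nps6272Mapping {
    [CmdletBinding()]
    param(
        [int]$MaxEvents = 10,
        [string]$ComputerName       # leave empty for the local server
    )

    $query = @{
        FilterHashtable = @{ LogName = 'Security'; Id = 6272 }
        MaxEvents       = $MaxEvents
        ErrorAction     = 'Stop'
    }
    if ($ComputerName) { $query.ComputerName = $ComputerName }

    try {
        $events = Get-WinEvent @query
    } catch {
        # Get-WinEvent raises an exception both for an empty result and for
        # an access failure; tell the two apart because the guide lists
        # them as separate causes.
        if ($_.Exception.Message -match 'No events were found') {
            Write-Warning 'Security log is readable but holds no event ID 6272 entries (see reasons 1 and 2 above).'
            return
        }
        throw "Cannot read the Security log as $($env:USERDOMAIN)\$($env:USERNAME): $($_.Exception.Message)"
    }

    foreach ($e in $events) {
        # Read the named EventData fields from the event XML instead of the
        # rendered message, which contains two 'Account Name' lines
        # (user and client machine).
        $field = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $field[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            # Same <NETBIOS>\<username> form the connector pushes to the firewall
            User        = '{0}\{1}' -f $field['SubjectDomainName'], $field['SubjectUserName']
            # Calling-Station-Id carries the supplicant MAC, usually as 00-11-22-33-44-55
            MAC         = $field['CallingStationID']
            NasIP       = $field['NASIPv4Address']
        }
    }
}

# Usage:
# Get-Nps6272Mapping -MaxEvents 10 | Format-Table -AutoSize
```

To reproduce the permission test the Wevtutil examples make, start a PowerShell session as the restricted service account (for example with runas /user:<domain\username> powershell) and call the function there: an Access is denied exception from the throw line points at the group membership described on page 46, while the warning means the log is readable and the NPS logging level or the absence of recent authentications is the issue.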

STEP 2 TEST CONNECTIVITY TO THE PALO ALTO NETWORKS FIREWALL(S)

This test function will test connectivity to the Palo Alto Networks firewall, or to both firewalls when in high availability. The PAN 802.1x Connector application will attempt to access the firewall(s) using the settings specified in the PAN 802.1x Connector setup. Click on Test Palo Alto Networks Firewall under the Testing sub menu. Click on the Verify button.

Result:
Palo Alto Networks firewall 1: Successful
Palo Alto Networks firewall 2: Successful

Explanation of result: Communication with the configured Palo Alto Networks firewall was successful. In case of high availability, communication with both Palo Alto Networks firewalls will be tested.

Resolution: No further action required. The component functions as expected. The Palo Alto Networks firewall(s) are reachable and the Palo Alto Networks API key is correct.

Result:
Palo Alto Networks firewall 1: Failed
Palo Alto Networks firewall 2: Successful

Explanation of result: Communication with the primary Palo Alto Networks firewall failed. Communication with the secondary Palo Alto Networks firewall was successful. This may be due to one of the following reasons:

1) The primary Palo Alto Networks firewall management interface may not be accessible. Test connectivity to the primary Palo Alto Networks firewall management interface by launching a web browser and navigating to HTTPS://<Firewall IP>. The Palo Alto Networks firewall web interface page should be displayed. If it is not displayed, connectivity from the PAN 802.1x Connector application to the Palo Alto Networks firewall management interface is unreachable or inaccessible. This may be due to network related issues such as routing, or firewall policies blocking access from the Microsoft server running the PAN 802.1x Connector application to the primary Palo Alto Networks firewall. Verify that the routing is correct and that no security appliances or routing devices are blocking access to the primary Palo Alto Networks firewall's IP and port 443 from the Microsoft server's IP.

2) Another possible cause may be access control lists applied to the Palo Alto Networks firewall management interface. Verify that the management interface allows access from the IP address of the Microsoft server running the PAN 802.1x Connector by navigating to Device > Setup > Management Interface Settings on the Palo Alto Networks firewall.

Resolution: Verify that routing between the Microsoft server and the Palo Alto Networks firewall is correct. Try to ping the Palo Alto Networks management interface. Ensure that there are no firewall rules blocking access to the Palo Alto Networks firewall IP on TCP port 443. Also ensure that the Microsoft server IP is added to the Palo Alto Networks management interface access list (permitted IP) if the access control list is being used. Please consult the Palo Alto Networks administration guide for more information on how to configure this function.

A failed result may be observed on either the primary or secondary Palo Alto Networks firewall. Follow the same troubleshooting procedure for either primary or secondary failed results. Try using a different Palo Alto Networks firewall API key if routing is correct and the Palo Alto Networks web interface is accessible. Generate a new API key in the PAN 802.1x Connector application settings page using a different set of login credentials and retest. See page 13 for information on generating an API key.

Result:
Palo Alto Networks firewall 1: Failed
Palo Alto Networks firewall 2: Failed

Explanation of result: The PAN 802.1x Connector application cannot connect to either the primary or secondary Palo Alto Networks firewall.

Resolution: Follow the same diagnostic steps as outlined above.

STEP 3 TEST DHCP SERVER

This function tests the IP lookup component of the PAN 802.1x Connector application. The function will attempt to resolve a given MAC address to an IP address by querying the configured DHCP server(s). A MAC address is required as input. You may use a MAC address from any device source such as Android, Apple or Microsoft Windows systems. Ensure that the mobile device, laptop or network device received an IP address from a DHCP server before running this test. You will not see an IP address returned in the result output if the network device has not received an IP address yet. You may see an IP address returned if the network device did receive an IP address earlier and the DHCP lease has not yet expired. Furthermore, ensure that the DHCP server is added to the DHCP server configuration of the PAN 802.1x Connector application. For more information on how to add DHCP servers, refer to page 16.

Navigate to Testing and then click on Test DHCP Servers. Fill in the MAC address at location A.

A DHCP server must be configured in the PAN 802.1x Connector application settings page. Multiple DHCP servers may be configured. The test function will query each one of the configured DHCP servers once until a match is found. The test function will exit when a match is found or when the last DHCP server has been queried. The discovered IP address will be displayed in the Returned IP Address output. If no match is found, the test function will exit with a Not found result.

Below is an example of how to use the Test DHCP server test function:

Open a command prompt on a Microsoft Windows host. Run the command ipconfig /all. This will list all network adapter information including the MAC address for each network interface. Scroll through the output until the interface with the IP address that you are interested in is found. In this example the wireless adapter's MAC address will be used.

Fill in the MAC address. Click on the Find button after filling in the MAC address of the network interface. The PAN 802.1x Connector application will now query the configured DHCP server(s) by inspecting the DHCP server client leases (or bindings). The PAN 802.1x Connector application will process the DHCP servers top down if more than one is configured. Be sure to test MAC addresses from multiple hosts if more than one DHCP server and subnet is in use. This will ensure that all IP subnets are verified and working within the PAN 802.1x Connector application.

Result: SUCCESS
Return IP Address <IP ADDRESS>

Explanation of result: An IP address was successfully retrieved from the configured DHCP servers. The component works as expected.

Resolution: No further action is required. The DHCP function successfully discovered the IP address associated with the MAC address entered.

Result: FAILED

Explanation of result: The PAN 802.1x Connector application was not able to discover the IP address of the supplied MAC address on the configured DHCP server(s). This may be due to routing issues, incorrect configuration of the DHCP servers, or the DHCP client lease not being present on the DHCP servers.

Resolution: Ensure that you can ping the DHCP server(s) if possible. Also verify that there is a valid DHCP lease on the configured DHCP server. Consult the respective DHCP server documentation on how to view current DHCP client leases. A brief overview of viewing DHCP client leases on the different types of DHCP servers is given in the following section. Also review your DHCP server configuration within the PAN 802.1x Connector application. Ensure that the correct interface is specified for DHCP type Palo Alto, and that the correct subnet is configured for DHCP type Microsoft.

Verify that a valid DHCP client lease does exist on the configured DHCP server

DHCP type: Microsoft
Launch the DHCP console from the Administrative tools control panel on the Microsoft Windows server running the DHCP service.

DHCP type: Cisco IOS
Connect to the Cisco IOS device using SSH. A free SSH2 application named PuTTY may be used to connect to the Cisco IOS device. Once connected, run the command show ip dhcp binding. Cisco IOS may display the client ID instead of the actual MAC address of the DHCP client. Typically the client ID is 14 characters long whereas a MAC address is 12 characters long. To determine the MAC address, use the 12 right most characters. For example, a Client-ID of "0100.1346.8bbe.b2" may be displayed for a DHCP client. Use only the right most 12 characters as the MAC. In this example, the first 2 characters "01" must be omitted and only the last 12 characters used, which is "00.1346.8bbe.b2". This represents the MAC address (hardware address) of the DHCP client.

DHCP type: Palo Alto
Log into the Palo Alto Networks web interface (HTTPS://<Palo Alto IP>). Navigate to Network and then DHCP.
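The Cisco IOS client ID rule above (drop the 2-character prefix of a 14-character Client-ID and keep the right-most 12 hex characters) is easy to get wrong by hand when checking many bindings. As an added example, not part of the CodeCentrix guide or the connector's code, the following PowerShell applies that rule to a pasted copy of show ip dhcp binding output and returns one object per binding with the MAC in colon-separated form. The sample output embedded in the block is constructed for the example; the column layout matches IOS, but the addresses and dates are made up.

```powershell
# Added example (not CodeCentrix code): turn the Client-ID column of Cisco
# IOS 'show ip dhcp binding' output into MAC addresses using the rule from
# the guide. The $sample text below is constructed for this example.
function ConvertFrom-CiscoClientId {
    param([Parameter(Mandatory)][string]$ClientId)

    # Keep hex digits only: '0100.1346.8bbe.b2' -> '010013468bbeb2'
    $hex = ($ClientId -replace '[^0-9A-Fa-f]', '').ToLower()

    # A 14-character client ID carries a 2-character prefix ('01' = Ethernet)
    # in front of the 12-character hardware address; drop it.
    if ($hex.Length -eq 14) { $hex = $hex.Substring(2) }
    if ($hex.Length -ne 12) {
        throw "Client ID '$ClientId' does not contain a 12-character MAC address"
    }

    # Insert a colon after every pair except the last: 00:13:46:8b:be:b2
    return ($hex -replace '(..)(?!$)', '$1:')
}

function Get-CiscoDhcpBinding {
    param([Parameter(Mandatory)][string[]]$Lines)

    # Data rows begin with an IPv4 address; header and wrapped header
    # lines are skipped. Columns: IP, Client-ID, lease expiration, type.
    $row = '^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(.+?)\s+(Automatic|Manual|Static)\s*$'
    foreach ($line in $Lines) {
        if ($line -notmatch $row) { continue }
        [pscustomobject]@{
            IPAddress = $Matches[1]
            ClientId  = $Matches[2]
            MAC       = ConvertFrom-CiscoClientId $Matches[2]
            Expires   = $Matches[3]
            Type      = $Matches[4]
        }
    }
}

# Constructed sample of 'show ip dhcp binding' output (not real bindings).
# The first row shows a 14-character Client-ID, the second a bare
# 12-character hardware address.
$sample = @'
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
10.10.20.15         0100.1346.8bbe.b2       Jun 01 2015 09:30 AM    Automatic
10.10.20.16         0050.56a1.2b3c          Jun 01 2015 09:45 AM    Automatic
'@ -split "`r?`n"

Get-CiscoDhcpBinding -Lines $sample | Format-Table -AutoSize
```

When comparing the result with the MAC from a 6272 event, normalise both sides the same way first: NPS records the Calling-Station-Id with dashes (00-13-46-8B-BE-B2), while IOS prints dotted groups, so a plain string comparison of the raw values will not match.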

STEP 4 VERIFY THAT THE PAN 802.1X CONNECTOR SERVICE IS RUNNING

The PAN 802.1x Connector service is responsible for mapping Microsoft NPS authenticated users to IP addresses and pushing those mappings to the Palo Alto Networks firewall(s). No user to IP mappings will be pushed to the Palo Alto Networks firewalls if this service is not running. Verify the current service status by clicking on Status in the PAN 802.1x Connector application. Further verification may be done by launching the Microsoft Service manager console. This can be done by clicking on Services from within the Administrative tools control panel on the Windows server. Verify that the PAN 802.1x Connector Service is Started.

STEP 5 CHECK THE PALO ALTO NETWORKS FIREWALL(S) FOR USER MAPPINGS

The final verification step requires checking the Palo Alto Networks firewall or firewalls (HA) for XMLAPI user mappings. SSH to the primary Palo Alto Networks firewall IP. Run the command show user ip-user-mapping-mp all type XMLAPI. This command will output the user to IP mappings received via the Palo Alto Networks firewall API. User mappings with type XMLAPI are mappings pushed by the PAN 802.1x Connector service.

The installation, configuration and verification of the PAN 802.1x Connector application and service are now complete. Please read through the Configuration tips and troubleshooting section on page 47 if you experienced any issues while configuring or testing any component of the PAN 802.1x Connector application.
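The same check can be scripted against the firewall's XML API with the API key generated for the connector, which is convenient for a scheduled verification after an 802.1x authentication. The following is an added example and not part of the CodeCentrix guide or the connector's code. It assumes that the op command XML mirrors the CLI command above token for token (confirm on your PAN-OS version by running debug cli on before the show command; the XML the CLI sends is then printed), that each result entry has ip, vsys, type, user and timeout child elements, and that the management interface certificate is trusted by the Windows server, since no certificate check is disabled.

```powershell
# Added example (not CodeCentrix code): read the XMLAPI user mappings from
# the firewall over the XML API and report which expected users are
# missing. Assumptions: the op command XML below mirrors
# 'show user ip-user-mapping-mp all type XMLAPI' (verify with 'debug cli on'),
# and result entries carry ip, vsys, type, user and timeout elements.
function Get-PanXmlApiUserMapping {
    param(
        [Parameter(Mandatory)][string]$Firewall,   # management IP or name
        [Parameter(Mandatory)][string]$ApiKey,     # key generated for the connector
        [string]$Type = 'XMLAPI'
    )
    $cmd = "<show><user><ip-user-mapping-mp><all><type>$Type</type></all></ip-user-mapping-mp></user></show>"
    $uri = 'https://{0}/api/?type=op&cmd={1}&key={2}' -f $Firewall,
        [uri]::EscapeDataString($cmd), [uri]::EscapeDataString($ApiKey)

    # PAN-OS answers with XML, which Invoke-RestMethod parses into [xml]
    $resp = Invoke-RestMethod -Uri $uri -Method Get
    if ($resp.response.status -ne 'success') {
        throw "API call to $Firewall failed: $($resp.response.OuterXml)"
    }
    foreach ($e in $resp.response.result.entry) {
        [pscustomobject]@{
            IP      = $e.ip
            Vsys    = $e.vsys
            User    = $e.user
            Type    = $e.type
            Timeout = $e.timeout
        }
    }
}

function Test-PanUserMapping {
    param(
        [Parameter(Mandatory)][object[]]$Mappings,      # output of Get-PanXmlApiUserMapping
        [Parameter(Mandatory)][string[]]$ExpectedUsers  # in <NETBIOS>\<username> form
    )
    # -contains compares strings case-insensitively, so ACME\John and
    # acme\john are treated as the same mapping.
    $present = @($Mappings | ForEach-Object { $_.User })
    foreach ($u in $ExpectedUsers) {
        [pscustomobject]@{ User = $u; Mapped = ($present -contains $u) }
    }
}

# Usage (fill in your own values):
# $m = Get-PanXmlApiUserMapping -Firewall '<Firewall IP>' -ApiKey '<API key>'
# Test-PanUserMapping -Mappings $m -ExpectedUsers 'ACME\John'
```

Because the key travels in the query string, treat the script's command line, transcripts and any proxy logs between the server and the firewall as containing a credential, and run the check from the same server IP that is permitted on the management interface access list.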

Application and Service Logs

The application and service logs may be found under the Monitoring menu. Each of the logs stores specific information related to a component of the PAN 802.1x Connector application. Each log represents the following component of the PAN 802.1x Connector software:

PAN 802.1x Connector Log: Contains log messages related to the application itself as well as anything related to the application interface. Examples of log messages are errors while configuring the application, application crashes or any application interface related log messages.

PAN Service Log: This log contains messages related to the operations of the PAN 802.1x Connector service. Examples of log messages are event ID 6272 events triggered, IP lookups of authenticated 802.1x users, user to IP mappings pushed to Palo Alto Networks firewalls, as well as PAN 802.1x Connector service start up and service related error messages. Licensing related messages are also logged to this container. It is very useful for troubleshooting purposes.

The log files are stored within the installation directory of the PAN 802.1x Connector application. This is normally C:\%programdata%\PAN 802.1X Connector. A total of 6 log files will be stored for each log container. Each of the 6 log files will consume a maximum of 10Mb of disc space. The logs are rotated; this ensures that the logs will never consume more than 120Mb of disc space.

By default the log level is set to Information. The log level can be changed by selecting File and then Log Level. During normal operation it is not necessary to set the log level to Debug; Informational is sufficient. Be aware when setting the log level to Debug: the logging may generate too much information and may impact performance. Always change the log level back to Informational after troubleshooting. Informational generates more logs than Error, while Debug generates the most log messages.

Application Licensing

The application license is perpetual. Renewal is required yearly for production licenses. There is no cost involved with renewing PAN 802.1x Connector version 1 licenses. There are 3 types of licenses:

Trial license. Valid for 30 days from issuing. Allows for the pushing of user to IP mappings to a single Palo Alto Networks firewall only.

Production license (Single). Fully functional production license. This license allows for pushing of user to IP mapping information to one Palo Alto Networks firewall only. Valid for 1 year from issuing.

Production license (High Availability). Fully functional production license. This license allows you to push user to IP mapping information to two Palo Alto Networks firewalls. This type of license is for environments where two Palo Alto Networks firewalls are configured in high availability (HA).

The PAN 802.1x Connector application license is linked to the Palo Alto Networks firewall serial number(s) specified during the licensing purchase. The PAN 802.1x Connector service will not push user to IP mappings to any Palo Alto Networks firewall whose serial number is not within the license. You may view which firewall serial number or numbers (HA) are allowed by clicking Status under the User Identification menu item. For more information, have a look at the service logs under Monitoring when starting or restarting the service.

The license allows for the installation of the application on as many Microsoft Windows servers as needed. The license is linked to the Palo Alto Networks serial numbers and not to the number of installations of the application. This allows the administrator to install the PAN 802.1x Connector application on all Microsoft NPS servers for redundancy purposes.

Default Action upon License Expiry

It is important to note that the PAN 802.1x Connector service will be stopped when the license expires. The PAN 802.1x Connector service will generate a log message indicating the reason: a log message will be generated informing the user that the license has expired on the specific date. The license expiry date may be found on the Status page under User Identification. Please be sure to renew your application license at least 2 weeks in advance of the license expiry date.

License Renewal

Licenses are renewed through the www.codecentrix.co.za/purchase web page. The license renewal is done in a similar manner to purchasing the software. Select renewal as the license type. Fill in your firewall serial number or numbers. A confirmation email will be sent to the email address which was supplied during the purchase. Your renewed license key will be emailed to you once approved. Copy and paste your new license into the PAN 802.1x Connector application settings Software license field. Click the Update button and restart the application. Your new license will now be active. Verify the license particulars by clicking on the User Identification menu item and then Status. Next stop and start the PAN 802.1x Connector service by clicking on Service Setup, then Stop, and then Start after the service has stopped.

Upgrading to a High Availability License

License upgrades can be done through the www.codecentrix.co.za/purchase web page. Select License upgrade when prompted for a license type. A confirmation email will be sent to the email address once the request has been processed. Copy and paste your new license into the PAN 802.1x Connector application settings page. Click the Update button and restart the application. Your new license should now be active. Verify the license particulars by clicking on the User Identification menu item and then Status. Next configure the secondary Palo Alto Networks firewall settings.

Click Update and then restart the service by going to the Service Setup sub menu. First stop the running service by clicking on Stop. Click on Start after the service has stopped. Check the PAN 802.1x Connector service logs to verify that the service was started successfully. For any licensing related questions or issues, please email support@codecentrix.co.za

CONFIGURATION TIPS AND TROUBLESHOOTING

Minimum rights required to run the PAN 802.1x Connector service

The PAN 802.1x Connector application must always be Run as Administrator. For security reasons, the PAN 802.1x Connector service may be started with a more restrictive account. The following are the minimum rights required by the service account:

1) Log on as a service rights. Add the service account to the Log on as a service local policy. This can be done by editing the local security policy on the Microsoft server running the Microsoft Network Policy Server (NPS). Please refer to the following document for more information - https://technet.microsoft.com/en-us/library/cc739424%28v=ws.10%29.aspx

2) Add the service account to the following groups:
a. Server operators
b. Event log readers
c. Distributed COM users
d. DHCP users

This will allow the PAN 802.1x Connector service to run with minimum rights on the Microsoft server.
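As an added example (not part of the CodeCentrix guide), the following PowerShell audits a service account against the two requirements above before the service is switched from an administrator account to the restricted one: membership of the four groups, and the Log on as a service right. It assumes the NPS host is a member server, so the groups are local groups that Get-LocalGroupMember can read (on a domain controller they are domain built-in groups and that cmdlet does not apply), and that the session is elevated, because the user-rights check exports the local security policy with secedit.

```powershell
# Added example (not CodeCentrix code): check a service account against the
# minimum rights listed above. Assumptions: member server (local groups),
# elevated session for 'secedit /export', account given as DOMAIN\user.
function Test-ConnectorServiceAccount {
    param([Parameter(Mandatory)][string]$Account)   # e.g. 'LAB\servicetest'

    $required = 'Server Operators', 'Event Log Readers', 'Distributed COM Users', 'DHCP Users'
    foreach ($group in $required) {
        try {
            # Names come back as DOMAIN\user; -contains is case-insensitive
            $members = @(Get-LocalGroupMember -Group $group -ErrorAction Stop | ForEach-Object Name)
            $ok   = $members -contains $Account
            $note = ''
        } catch {
            # Server Operators only exists on domain controllers; report
            # a missing group rather than treating it as a failed check
            $ok   = $false
            $note = "group '$group' not found on this host"
        }
        [pscustomobject]@{ Check = "member of $group"; Ok = $ok; Note = $note }
    }

    # SeServiceLogonRight is the 'Log on as a service' user right. The
    # exported policy lists holders as *SID or as names, so resolve the
    # account's SID and look for either form. Only direct assignment is
    # visible here, not a right inherited through group membership.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).
        Translate([System.Security.Principal.SecurityIdentifier]).Value
    $cfg = Join-Path $env:TEMP 'connector-user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $cfg -Pattern '^SeServiceLogonRight' | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue

    $hasRight = $false
    if ($line) {
        $holders = ($line.Line -split '=', 2)[1] -split ','
        $hasRight = ($holders -contains "*$sid") -or ($holders -contains $Account)
    }
    [pscustomobject]@{
        Check = 'Log on as a service'
        Ok    = $hasRight
        Note  = if ($hasRight) { '' } else { 'assign the right in the local security policy (see the linked document)' }
    }
}

# Usage:
# Test-ConnectorServiceAccount -Account 'LAB\servicetest' | Format-Table -AutoSize
```

A clean result here does not replace the Test Security Event Log and Test DHCP Servers functions; it only confirms the account is provisioned as the guide specifies, which is the first thing to rule out when the service fails to start with the restricted account (see Problem with starting the PAN 802.1x Connector service).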

Backup/Restore the PAN 802.1x Connector configuration

The PAN 802.1x Connector application configuration file is stored in the directory C:\%programdata%\PAN 802.1X Connector. Copy the file configfile.xml and store it in a safe place. To restore a configuration after a new installation, copy the backed up file configfile.xml into the directory C:\%programdata%\PAN 802.1X Connector. This will restore the full configuration including the software license. Please do not edit the configuration file manually: the PAN 802.1x Connector application will reset the configuration to default!

Optimising Microsoft NPS session, DHCP and user-id timeout values

It is important to ensure that the timeout values for each of these systems are configured in the correct ratios. This is to ensure that user to IP mappings do not expire before an 802.1x reauthentication occurs. It is recommended that the DHCP client lease be configured to expire at a minimum every 24 hours, the Microsoft Network Policy Server (NPS) client sessions every 60 minutes and the PAN 802.1x Connector application user-id timeout every 270 minutes. This configuration will ensure that a user's 802.1x session is re-authenticated every 60 minutes. It is completely transparent to the end user: they will not have to fill in their login credentials every 60 minutes. All devices will cache the login credentials and use them to authenticate automatically and seamlessly in the background. This will result in the PAN 802.1x Connector service pushing re-authenticated user mappings to the configured Palo Alto Networks firewalls every 60 minutes. It ensures that the user mapping is refreshed every 60 minutes on the firewall, long before the configured Palo Alto Networks firewall user cache expiry time of 270 minutes.

Configure the Microsoft Network Policy Server session timeout value: For more information, reference the following Microsoft NPS document (see session timeout) - https://technet.microsoft.com/en-us/library/cc772474(v=ws.10).aspx

Configure the PAN 802.1x Connector user identification timeout: Do not configure the PAN 802.1x Connector application user-id session timeout lower than the Microsoft NPS client session timeout. This will result in the Palo Alto Networks firewall caching out a user mapping before the user is re-authenticated. For large network user environments, consider setting the Microsoft NPS client session timeout value to 3 hours, and the PAN 802.1x Connector user-id timeout value to 600 minutes (10 hours).
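The relationship between the three timers is easy to break later, for instance when a DHCP scope is re-created with a short lease or the NPS session timeout is raised for a large site. As an added example, not from the CodeCentrix guide, the following PowerShell encodes the rule stated above (the connector user-id timeout must be greater than the NPS session timeout) and adds one sanity check that is an assumption of this example rather than a statement of the guide: the DHCP lease should not be shorter than the user-id timeout, so that a mapping does not outlive the lease of the IP it was built from. Get-DhcpScopeLeaseMinutes assumes a Microsoft DHCP server and the DhcpServer module (Windows Server 2012 or later) for reading the real lease durations.

```powershell
# Added example (not CodeCentrix code): check the NPS session timeout,
# connector user-id timeout and DHCP lease against each other.
# Rule from the guide: user-id timeout > NPS session timeout.
# Added assumption: DHCP lease >= user-id timeout.
function Test-ConnectorTimeout {
    param(
        [Parameter(Mandatory)][int]$NpsSessionMinutes,
        [Parameter(Mandatory)][int]$UserIdTimeoutMinutes,
        [Parameter(Mandatory)][int]$DhcpLeaseMinutes
    )
    $findings = @()
    if ($UserIdTimeoutMinutes -le $NpsSessionMinutes) {
        $findings += "user-id timeout ($UserIdTimeoutMinutes min) is not greater than the NPS session timeout ($NpsSessionMinutes min): the firewall would age out the mapping before re-authentication"
    }
    if ($DhcpLeaseMinutes -lt $UserIdTimeoutMinutes) {
        $findings += "DHCP lease ($DhcpLeaseMinutes min) is shorter than the user-id timeout ($UserIdTimeoutMinutes min): a mapping could outlive the lease of its IP address"
    }
    [pscustomobject]@{
        NpsSessionMinutes    = $NpsSessionMinutes
        UserIdTimeoutMinutes = $UserIdTimeoutMinutes
        DhcpLeaseMinutes     = $DhcpLeaseMinutes
        # Minutes a mapping survives past the re-authentication that should
        # refresh it; a negative value means the mapping expires first.
        RefreshMarginMinutes = $UserIdTimeoutMinutes - $NpsSessionMinutes
        Ok                   = ($findings.Count -eq 0)
        Findings             = $findings
    }
}

# Lease duration of every IPv4 scope on a Microsoft DHCP server, so the
# smallest value can be fed into Test-ConnectorTimeout.
function Get-DhcpScopeLeaseMinutes {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-DhcpServerv4Scope -ComputerName $ComputerName | ForEach-Object {
        [pscustomobject]@{
            ScopeId      = $_.ScopeId
            Name         = $_.Name
            LeaseMinutes = [int]$_.LeaseDuration.TotalMinutes
        }
    }
}

# The guide's recommended values: NPS 60 min, user-id 270 min, DHCP lease 24 h
Test-ConnectorTimeout -NpsSessionMinutes 60 -UserIdTimeoutMinutes 270 -DhcpLeaseMinutes 1440
# The guide's large-environment values: NPS 3 h, user-id 600 min
Test-ConnectorTimeout -NpsSessionMinutes 180 -UserIdTimeoutMinutes 600 -DhcpLeaseMinutes 1440
# The misconfiguration the guide warns against: user-id shorter than the NPS session
Test-ConnectorTimeout -NpsSessionMinutes 60 -UserIdTimeoutMinutes 30 -DhcpLeaseMinutes 1440
```

When several scopes serve 802.1x clients, pass the smallest LeaseMinutes returned by Get-DhcpScopeLeaseMinutes, since the check has to hold for the shortest lease in use.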

Problem with starting the PAN 802.1x Connector service

There could be a couple of reasons why the service could not be started. Always consult the PAN 802.1x Connector service log first. Possible reasons why the service could not be started are:

1) The configured service account may not have Log on as a service rights. Please see page 46 for more information. Try entering the username and password manually within the Windows service manager console.

2) A Microsoft Windows related issue, such as the PAN 802.1x Connector service process being unresponsive. It may be necessary to kill the service process and start it again. First find the process ID of the PAN 802.1x Connector service by running the command sc queryex PANConnectorService. Now kill the PAN 802.1x Connector service by issuing the following command: taskkill /f /pid <PID>. In the above example, the command would be as follows: taskkill /f /pid 2004. Restart the PAN 802.1x Connector service from within the PAN 802.1x Connector application or the Windows service manager console.

3) Attempt to start the service from within the Windows service properties window. Note down any Windows error that you may receive. Consult Microsoft documentation on the error you received. Have a look at the Windows event viewer for any errors related to the PAN 802.1x Connector service look for
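The recovery sequence in point 2 (look up the PID with sc queryex, taskkill it, start the service again) and the event log check in point 3 can be combined into one repeatable PowerShell function. This is an added example, not part of the CodeCentrix guide; it assumes the Windows service name PANConnectorService that the sc queryex command above uses, and an elevated session, since stopping services and killing processes requires it. It attempts a normal stop first and only force-kills the process if the service does not stop within the timeout, which avoids interrupting a service that is merely slow.

```powershell
# Added example (not CodeCentrix code): restart the connector service,
# force-killing a hung process only when a normal stop times out, then
# show recent errors about the service from the System and Application
# logs. Assumes the service name PANConnectorService and an elevated session.
function Restart-PanConnectorService {
    param(
        [string]$Name = 'PANConnectorService',
        [int]$WaitSeconds = 30
    )

    $svc = Get-CimInstance Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service '$Name' is not installed (use Service Setup > Install first)" }
    Write-Host "Service $Name state: $($svc.State), PID: $($svc.ProcessId), account: $($svc.StartName)"

    if ($svc.State -ne 'Stopped') {
        Stop-Service -Name $Name -ErrorAction SilentlyContinue
        try {
            (Get-Service -Name $Name).WaitForStatus('Stopped', [TimeSpan]::FromSeconds($WaitSeconds))
        } catch [System.ServiceProcess.TimeoutException] {
            # Equivalent of 'taskkill /f /pid <PID>' for an unresponsive process
            if ($svc.ProcessId -gt 0) {
                Write-Warning "Service did not stop within $WaitSeconds s; killing PID $($svc.ProcessId)"
                Stop-Process -Id $svc.ProcessId -Force -ErrorAction Stop
            }
        }
    }

    Start-Service -Name $Name -ErrorAction Stop
    (Get-Service -Name $Name).WaitForStatus('Running', [TimeSpan]::FromSeconds($WaitSeconds))
    Get-Service -Name $Name

    # Point 3 above: errors (Level 2) from the last hour that mention the
    # service, from both the System (service control manager) and
    # Application logs. Nothing is returned if there are none.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'System', 'Application'
        Level     = 2
        StartTime = (Get-Date).AddHours(-1)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($Name) -or $_.Message -match 'PAN 802\.1x' } |
        Select-Object TimeCreated, ProviderName, Id, Message -First 5
}

# Usage:
# Restart-PanConnectorService
```

If the service stops again shortly after starting, check the PAN Service Log under Monitoring before repeating the restart: a license expiry or a service account without Log on as a service rights is logged there and will not be fixed by killing the process.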