Prepare to Use Okyo Garde with Prisma Access

Okyo Garde needs open, unobstructed lines of communication to work with Prisma Access. So, before using Okyo Garde with Prisma Access, you’ll need to make sure your RADIUS policy, firewall policy, and User-ID mappings allow the traffic Okyo Garde needs to function properly. Let’s have a look under the hood of Okyo Garde and make sure we’re ready to roll!

Under the Hood of Okyo Garde with Prisma Access

A) Personal network segment
When users set it up, Okyo Garde broadcasts a personal network SSID. Personal devices on this network connect to the internet through the Okyo Garde router.
B) Corporate network segment
Okyo Garde broadcasts a corporate network segment. When NAT (Network Address Translation) is enabled, corporate devices on this network get a 100.64.x.x IP address from Prisma Access and connect to the internet through Prisma Access. When NAT is not enabled, you’ll need to configure a custom client IP pool. In either case, standard security policies are enforced for traffic on this network.
C) Prisma Access side device authentication
Your security policy must allow authentication traffic from managed corporate devices to reach the RADIUS server so that authentication can succeed. To accomplish this, create an explicit policy rule that allows traffic from the IP addresses Prisma Access assigns to Okyo routers.
D) RADIUS-side device authentication
Prisma Access uses RADIUS servers (such as Aruba ClearPass or Cisco Identity Services Engine) to authenticate devices and allow them to connect to the corporate network segment. So, it’s important to allow communication with the RADIUS server. You can do this by:
  1. Establishing a service connection from Prisma Access to the data center hosting the RADIUS server so that authentication requests can flow through.
  2. Adding the Okyo infrastructure subnet as a trusted RADIUS supplicant for the RADIUS server.
E) Additionally, in cases where User-ID based policies are in use:
  • RADIUS learns the user ID mappings for the corporate network segment through RADIUS accounting. To achieve this, first Enable Accounting for all RADIUS servers in the Okyo Garde RADIUS settings.
    Then, to teach the user ID agent the proper mappings, follow these steps:
    1. Configure your RADIUS server to send RADIUS accounting as syslog messages.
    2. Ensure that there is a predefined Syslog Parse profile for your particular syslog senders. Alternatively, you could create a custom Syslog Parse profile.
    3. Specify which syslog senders the firewall should monitor.
    4. Enable syslog listener services on the interface that the firewall uses to collect user mappings.
  • Prisma Access redistributes the User-ID (UID) information.
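The accounting-to-mapping flow that steps 1 through 4 describe, as an added Python example (not code from Okyo Garde, Prisma Access or PAN-OS): it parses constructed RADIUS accounting syslog lines with a regex standing in for a Syslog Parse profile, honours a monitored-sender list, keeps only clients in the corporate pool, and replays Start/Stop events into user-to-IP mappings. The syslog message layout, host names and addresses are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample syslog lines carrying RADIUS accounting events. The message
# layout is an assumption for this example; real ClearPass/ISE output differs and
# needs a matching Syslog Parse profile on the firewall.
SAMPLE_SYSLOG = [
    "<14>Jun 01 10:00:01 radius01 RADIUS: Acct-Status-Type=Start User-Name=alice Framed-IP-Address=100.64.1.10",
    "<14>Jun 01 10:00:05 radius01 RADIUS: Acct-Status-Type=Start User-Name=bob Framed-IP-Address=100.64.1.11",
    "<14>Jun 01 10:01:00 radius01 RADIUS: Acct-Status-Type=Start User-Name=carol Framed-IP-Address=192.168.50.7",
    "<14>Jun 01 10:05:00 unknown-host RADIUS: Acct-Status-Type=Start User-Name=mallory Framed-IP-Address=100.64.1.12",
    "<14>Jun 01 10:30:00 radius01 RADIUS: Acct-Status-Type=Stop User-Name=alice Framed-IP-Address=100.64.1.10",
]

# Stand-in for a custom Syslog Parse profile: named groups for the sender,
# the accounting event type, the username and the client IP.
PARSE_PROFILE = re.compile(
    r"^<\d+>\S+ \d+ \S+ (?P<sender>\S+) RADIUS: "
    r"Acct-Status-Type=(?P<event>Start|Stop) "
    r"User-Name=(?P<user>\S+) "
    r"Framed-IP-Address=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Corporate client pool: 100.64.0.0/10 when NAT is enabled (the 100.64.x.x
# addresses mentioned above); substitute the custom client IP pool otherwise.
CORPORATE_POOL = ipaddress.ip_network("100.64.0.0/10")


def parse_accounting_line(line):
    """Return the fields of one accounting syslog line, or None if it does not match."""
    m = PARSE_PROFILE.match(line)
    return m.groupdict() if m else None


def build_user_id_mappings(lines, monitored_senders, pool=CORPORATE_POOL):
    """Replay accounting events into an IP -> user map, mirroring the User-ID agent."""
    mappings = {}
    for line in lines:
        rec = parse_accounting_line(line)
        if rec is None or rec["sender"] not in monitored_senders:
            continue  # unparseable line, or sender not on the monitored list
        if ipaddress.ip_address(rec["ip"]) not in pool:
            continue  # not a corporate-segment client: no mapping is created
        if rec["event"] == "Start":
            mappings[rec["ip"]] = rec["user"]  # learn the user-to-IP mapping
        else:
            mappings.pop(rec["ip"], None)  # Stop: the address may be reassigned
    return mappings
```

Running `build_user_id_mappings(SAMPLE_SYSLOG, {"radius01"})` leaves only bob mapped: alice's Stop event clears her entry, carol's address is outside the corporate pool, and mallory's event comes from a sender that is not monitored.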
