Q:
Can we prefix NETBIOS name to PaloAlto when using server initiated as login method for captive portal?
A: When prefix NETBIOS name in Palo Alto settings is configured under Endpoint Context Server and when NETBIOS is not received in the web auth request
Clearpass will not prefix the NETBIOS name as Clearpass fetches the NETBIOS name and prefixes it in payload sent to Palo Alto only when NETBIOS name is fetched in computed attributes.
As shown below we do not see the NETBIOS name in web auth request, we only see the authentication source due to which Clearpass is unable to fetch the NETBIOS name for AD user and send it to Palo Alto as highlighted from netwatch log.
Request Details Summary -
Session Identifier: W00000561-12-786c0586
Date and Time: Jan 06, 2017 15:10:30 IST
Username: cppmtest
End-Host Identifier: -
Access Device IP/Port: -
Audit Posture Status: UNKNOWN (100)
System Posture Status: UNKNOWN (100)
Login Status: ACCEPT
Policies Used -
Service: CPPM_BYOT
Authentication Method: Not applicable
Authentication Source: BLR_AD
Authorization Source: [Time Source], BLR_AD
Roles: 512, BLR_AD_USER, [User Authenticated]
Enforcement Profiles: [Update Endpoint Known], CPPM_BYOT_MAC_CACHE, PAN-update-node-FW1-WEBAUTH, PAN-update-node-FW2-WEBAUTH, BLR_COA_BYOT_DEVICE_ROLE
Service Monitor Mode: Disabled
Input Computed Attributes -
Application:WebLoginURL:apgroup = CPPM-TEST
Application:WebLoginURL:apname = CO_CPPM_Drew
Application:WebLoginURL:cmd = login
Application:WebLoginURL:essid = CPPM
Application:WebLoginURL:ip = 10.18.64.36
Application:WebLoginURL:mac = 9c:f4:8e:9a:36:23
Application:WebLoginURL:switchip = 10.11.67.29
Application:WebLoginURL:url = http://www.aruba.com/
Authentication:Full-Username = cppmtest
Authentication:Full-Username-Normalized = cppmtest
Authentication:Posture = Unknown
Authentication:Source = BLR AD
Authentication:Status = User
Authentication:Username = cppmtest
Authorization:Sources = [Time Source], bLR AD
Connection:Client-IP-Address = 10.18.112.39
Connection:Client-Mac-Address = 9cf48e9a3623
Connection:Client-Mac-Address-Colon = 9c:f4:8e:9a:36:23
Connection:Client-Mac-Address-Dot = 9cf4.8e9a.3623
Connection:Client-Mac-Address-Hyphen = 9c-f4-8e-9a-36-23
Connection:Client-Mac-Address-NoDelim = 9cf48e9a3623
Connection:Client-Mac-Address-Upper-Hyphen = 9C-F4-8E-9a-36-23
Connection:Client-Mac-Vendor = Apple, Inc.
Connection:Protocol = WEBAUTH
Connection:Src-IP-Address = 127.0.0.1
Date:Date-of-Year = 2017-01-06
Date:Date-Time = 2017-01-06 15:10:30
Date:Day-of-Week = Friday
Date:Time-of-Day = 15:10:30
Host:CheckType = Authentication
From the netwatch log, we see that NETBIOS name is not fetched by Clearpass due to which it is not sent to Palo Alto. netwatch log file can be viewd under policy manager folder->async-netd folder after collecting the server logs from Clearpass.
2017/01/07 15:11:33 PUB endpoint {"mac":"9cf48e9a3623","ip":"10.18.112.39","user":"cppmtest","full_username":"cppmtest","netbios_name":"","nad_ip":"10.11.67.29","status":"up","agent_status":"","device_category":"SmartDevice","device_name":"Apple iPad","apts":"","updated_at":1483733493} -> [10.17.64.18 10.17.64.20]