
Can we prefix the NETBIOS name to Palo Alto when using server-initiated as the login method for captive portal
Q:

Can we prefix the NETBIOS name to Palo Alto when using server-initiated as the login method for captive portal?



A:

When "prefix NETBIOS name" is configured in the Palo Alto settings under Endpoint Context Server, but the NETBIOS name is not received in the web auth request, ClearPass will not prefix the NETBIOS name. ClearPass fetches the NETBIOS name and prefixes it in the payload sent to Palo Alto only when the NETBIOS name is present in the computed attributes.

As shown below, the web auth request does not contain the NETBIOS name; it contains only the authentication source. Because of this, ClearPass is unable to fetch the NETBIOS name for the AD user and send it to Palo Alto, as highlighted in the netwatch log.

 

Request Details Summary -
Session Identifier: W00000561-12-786c0586
Date and Time: Jan 06, 2017 15:10:30 IST
Username: cppmtest
End-Host Identifier: -
Access Device IP/Port: -
Audit Posture Status: UNKNOWN (100)
System Posture Status: UNKNOWN (100)
Login Status: ACCEPT

Policies Used -
Service: CPPM_BYOT
Authentication Method: Not applicable
Authentication Source: BLR_AD
Authorization Source: [Time Source], BLR_AD
Roles: 512, BLR_AD_USER, [User Authenticated]
Enforcement Profiles: [Update Endpoint Known], CPPM_BYOT_MAC_CACHE, PAN-update-node-FW1-WEBAUTH, PAN-update-node-FW2-WEBAUTH, BLR_COA_BYOT_DEVICE_ROLE
Service Monitor Mode: Disabled

Input Computed Attributes -
Application:WebLoginURL:apgroup = CPPM-TEST
Application:WebLoginURL:apname = CO_CPPM_Drew
Application:WebLoginURL:cmd = login
Application:WebLoginURL:essid = CPPM
Application:WebLoginURL:ip = 10.18.64.36
Application:WebLoginURL:mac = 9c:f4:8e:9a:36:23
Application:WebLoginURL:switchip = 10.11.67.29
Application:WebLoginURL:url = http://www.aruba.com/
Authentication:Full-Username = cppmtest
Authentication:Full-Username-Normalized = cppmtest
Authentication:Posture = Unknown
Authentication:Source = BLR AD
Authentication:Status = User
Authentication:Username = cppmtest
Authorization:Sources = [Time Source], bLR AD
Connection:Client-IP-Address = 10.18.112.39
Connection:Client-Mac-Address = 9cf48e9a3623
Connection:Client-Mac-Address-Colon = 9c:f4:8e:9a:36:23
Connection:Client-Mac-Address-Dot = 9cf4.8e9a.3623
Connection:Client-Mac-Address-Hyphen = 9c-f4-8e-9a-36-23
Connection:Client-Mac-Address-NoDelim = 9cf48e9a3623
Connection:Client-Mac-Address-Upper-Hyphen = 9C-F4-8E-9a-36-23
Connection:Client-Mac-Vendor = Apple, Inc.
Connection:Protocol = WEBAUTH
Connection:Src-IP-Address = 127.0.0.1
Date:Date-of-Year = 2017-01-06
Date:Date-Time = 2017-01-06 15:10:30
Date:Day-of-Week = Friday
Date:Time-of-Day = 15:10:30
Host:CheckType = Authentication

 

From the netwatch log, we see that the NETBIOS name is not fetched by ClearPass, so it is not sent to Palo Alto. The netwatch log file can be viewed under the policy manager folder -> async-netd folder after collecting the server logs from ClearPass.

2017/01/07 15:11:33 PUB endpoint {"mac":"9cf48e9a3623","ip":"10.18.112.39","user":"cppmtest","full_username":"cppmtest","netbios_name":"","nad_ip":"10.11.67.29","status":"up","agent_status":"","device_category":"SmartDevice","device_name":"Apple iPad","apts":"","updated_at":1483733493} -> [10.17.64.18 10.17.64.20]
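
The same check can be scripted over a collected netwatch log. This is an added example, not part of the original article or of ClearPass itself; it assumes every update line follows the layout of the single entry quoted above, and the function names are hypothetical.

```python
import json
import re

# Layout assumed from the one netwatch entry quoted in this article:
#   <date> <time> PUB endpoint {json} -> [fw_ip fw_ip ...]
PUB_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) PUB endpoint "
    r"(?P<payload>\{.*\}) -> \[(?P<targets>[^\]]*)\]\s*$"
)

def parse_pub_line(line):
    """Return (timestamp, payload dict, firewall list), or None for other lines."""
    m = PUB_RE.match(line.strip())
    if m is None:
        return None
    try:
        payload = json.loads(m.group("payload"))
    except json.JSONDecodeError:
        return None  # truncated or corrupted entry
    return m.group("ts"), payload, m.group("targets").split()

def missing_netbios(lines):
    """List updates that carry a user but an empty netbios_name field."""
    findings = []
    for line in lines:
        parsed = parse_pub_line(line)
        if parsed is None:
            continue
        ts, payload, targets = parsed
        if payload.get("user") and not payload.get("netbios_name"):
            findings.append({"time": ts, "user": payload["user"],
                             "mac": payload.get("mac", ""), "sent_to": targets})
    return findings

# Constructed sample: line 1 is the entry from this article; lines 2 and 3
# are made-up entries (a populated NETBIOS name, and an unrelated message).
SAMPLE = [
    '2017/01/07 15:11:33 PUB endpoint {"mac":"9cf48e9a3623","ip":"10.18.112.39","user":"cppmtest","full_username":"cppmtest","netbios_name":"","nad_ip":"10.11.67.29","status":"up","agent_status":"","device_category":"SmartDevice","device_name":"Apple iPad","apts":"","updated_at":1483733493} -> [10.17.64.18 10.17.64.20]',
    '2017/01/07 15:12:05 PUB endpoint {"mac":"0200000000aa","ip":"192.0.2.10","user":"alice","full_username":"alice","netbios_name":"EXAMPLE","nad_ip":"192.0.2.1","status":"up"} -> [192.0.2.20]',
    '2017/01/07 15:12:40 some other netwatch message',
]

if __name__ == "__main__":
    for f in missing_netbios(SAMPLE):
        print(f"{f['time']} {f['user']} ({f['mac']}) sent without NETBIOS name to {', '.join(f['sent_to'])}")
```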

Version history: revision 2 of 2, last update 03-17-2017 05:07 PM