CPPM 6.7 and Palo Alto userid integration - idle timeout setting

Dear all,

 

Referring to the following related discussions,

 

https://community.arubanetworks.com/t5/Security/Clearpass-Palo-Alto-integration-pan-OS-7-1-5-xmlapi-user-timeout/td-p/278098

 

http://community.arubanetworks.com/t5/Wireless-Access/Palo-Alto-integration-ClearPass-vs-controller/td-p/311933

I investigated an XMLAPI user timeout setting issue.

My environment is composed of PANOS 7.1.18 and CPPM 6.7.4.

 

The issue was the same: the idle timeout for users injected from ClearPass (XMLAPI) inherits the default PAN user-id value (45 min) because the XML "timeout" parameter is missing from ClearPass.

 

That is confirmed by reviewing the default content of the PAN Endpoint Context Server Action "Send Login Info" on my CPPM:

 default-action.jpg

The "timeout" parameter is missing.

 

I solved it by modifying the content as follows:

 

<uid-message><version>1.0</version><type>update</type><payload><login><entry name="%{user}" ip="%{ip}" timeout="0"/></login></payload></uid-message>

 

I added timeout="0" to get "never" expiration.

 

My question is: why is timeout missing from the predefined content action?

Based on the posts mentioned above, I would have expected this to be implemented by default in version 6.7...

 

Another question: I found the following parameter under Administration->Server Configuration->Server Parameters->Async Network Service:

immagine.png

Is this related to the topic in the subject?

I suppose so; in my opinion this could be the default timeout injected from CPPM to PAN with the post-authentication action, but as discussed it doesn't apply/work.

 

Thanks

Andrea
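
Added example (not part of the original post, and not Aruba or Palo Alto code): a Python check that parses a "Send Login Info" uid-message template and reports, for each login entry, whether the timeout attribute is absent (the firewall default applies, 45 min per the post), set to 0 ("never" expiration, per the post), or set to an explicit value. The function name, the verdict strings and the STOCK template (the post's template with timeout removed) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the post's template with the timeout attribute removed,
# standing in for the default action content described in the post.
STOCK = ('<uid-message><version>1.0</version><type>update</type><payload><login>'
         '<entry name="%{user}" ip="%{ip}"/></login></payload></uid-message>')

# The modified content exactly as given in the post.
MODIFIED = ('<uid-message><version>1.0</version><type>update</type><payload><login>'
            '<entry name="%{user}" ip="%{ip}" timeout="0"/></login></payload>'
            '</uid-message>')


def audit_login_timeouts(template):
    """Return (name, ip, verdict) for every login entry in a uid-message.

    Verdicts (hypothetical labels used only by this example):
      inherits-firewall-default  no timeout attribute on the entry
      never-expires              timeout="0", as described in the post
      explicit                   any other non-negative integer
      invalid                    anything that is not a non-negative integer
    """
    try:
        root = ET.fromstring(template)
    except ET.ParseError as exc:
        raise ValueError(f"template is not well-formed XML: {exc}") from exc
    if root.tag != "uid-message":
        raise ValueError("root element is not <uid-message>")

    results = []
    for entry in root.findall("./payload/login/entry"):
        raw = entry.get("timeout")
        if raw is None:
            verdict = "inherits-firewall-default"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = -1  # non-numeric values are treated as invalid
            verdict = ("invalid" if value < 0 else
                       "never-expires" if value == 0 else "explicit")
        results.append((entry.get("name"), entry.get("ip"), verdict))
    return results


if __name__ == "__main__":
    for label, tpl in (("stock", STOCK), ("modified", MODIFIED)):
        print(label, audit_login_timeouts(tpl))
```
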

 
