New Contributor
Posts: 3
Registered: ‎03-25-2016

Clearpass Palo Alto integration pan OS 7.1.5 xmlapi user timeout

Since upgrading to PAN-OS 7.1.5 from 7.1.4-h2 we noticed that user-ip mappings in the Palo Alto were timing out within 45 minutes, and that although reauthenticating via ClearPass, ClearPass would only push the user properties again when the user got a new DHCP lease. Renewal didn't work.

Can you give a user max timeout value from within ClearPass that was introduced in PAN-OS 5.x to set the xmlapi user timeout on the Palo Alto?

Before PAN-OS 7.1.5 the default xmlapi user timeout was never and now it is 45 minutes.

New Contributor
Posts: 1
Registered: ‎07-27-2016

Re: Clearpass Palo Alto integration pan OS 7.1.5 xmlapi user timeout

Running into a very similar problem after upgrading to 7.1.5. Any resolution?

Moderator
Posts: 476
Registered: ‎11-09-2012

Re: Clearpass Palo Alto integration pan OS 7.1.5 xmlapi user timeout

Guys,

We're looking into this. I'm working with DEV to see if we can identify any issues and, if so, where the fault domain is.

Best Regards
-d

Snr Tech Marketing Engineer - ClearPass

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
New Contributor
Posts: 3
Registered: ‎03-25-2016

Re: Clearpass Palo Alto integration pan OS 7.1.5 xmlapi user timeout

Good morning,

We have a workaround at the moment. We didn't have RADIUS accounting configured on the wireless networks on our Motorola VX9000. This will trigger the post-authentication process via intermediate accounting. Palo Alto has also identified this as a bug in their code, as it shouldn't have changed the timeout of the XML API user-id timeout. What we have seen with RADIUS accounting configured on the VX9000, with ClearPass as the target and running PAN-OS 7.1.5, is that the XML API will take the global user-id timeout configured from the GUI as the timeout for the user-id cache for users supplied via the XML API.

Kind regards Igor

New Contributor
Posts: 1
Registered: ‎04-13-2009

Re: Clearpass Palo Alto integration pan OS 7.1.5 xmlapi user timeout

Hi,

I talked to PAN support, and what I heard is that this change was intentional and they are not going to revert it back to what it was. Basically, before 7.1.5, if you did not add the timeout value in the user-id message it defaulted to never; now it uses the timeout value configured in the user-id settings on the firewall.

What will work (so DEV use this) is the following XML message. By setting timeout to 0, the result is the same as it was, and Clearpass can send login and logout messages based on accounting data.

<uid-message>
  <version>1.0</version>
  <type>update</type>
  <payload>
    <login>
      <entry name="domain\uid2" ip="10.1.1.2" timeout="0">
      </entry>
    </login>
  </payload>
</uid-message>

Bart.
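
An added example, not part of the post above and not ClearPass or PAN-OS code: Python that builds the uid-message shown in the post with an explicit timeout on every login entry, and flags messages whose login entries omit the attribute (per this thread, on 7.1.5 those fall back to the firewall's configured user-id timeout). The function names and the sample message are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET


def build_uid_message(logins=(), logouts=(), timeout=0):
    """Build a User-ID <uid-message>; every login entry gets an explicit timeout.

    logins/logouts are iterables of (user, ip). timeout=0 is the value the
    post above reports as giving the same result as before 7.1.5.
    """
    if not isinstance(timeout, int) or timeout < 0:
        raise ValueError("timeout must be a non-negative integer")
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for tag, pairs in (("login", list(logins)), ("logout", list(logouts))):
        if not pairs:
            continue
        section = ET.SubElement(payload, tag)
        for user, ip in pairs:
            ipaddress.ip_address(ip)  # reject malformed addresses early
            attrs = {"name": user, "ip": ip}
            if tag == "login":
                attrs["timeout"] = str(timeout)  # never rely on the default
            ET.SubElement(section, "entry", attrs)
    return ET.tostring(root, encoding="unicode")


def logins_without_timeout(xml_text):
    """Return (name, ip) for login entries that omit the timeout attribute."""
    root = ET.fromstring(xml_text)
    return [(e.get("name"), e.get("ip"))
            for e in root.findall("./payload/login/entry")
            if e.get("timeout") is None]


# Constructed sample: a login message sent without the timeout attribute.
SAMPLE_NO_TIMEOUT = """<uid-message><version>1.0</version><type>update</type>
<payload><login><entry name="domain\\uid1" ip="10.1.1.1"/></login></payload>
</uid-message>"""

if __name__ == "__main__":
    print(build_uid_message(logins=[("domain\\uid2", "10.1.1.2")],
                            logouts=[("domain\\uid3", "10.1.1.3")]))
    print(logins_without_timeout(SAMPLE_NO_TIMEOUT))
```
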

Moderator
Posts: 476
Registered: ‎11-09-2012

Re: Clearpass Palo Alto integration pan OS 7.1.5 xmlapi user timeout

While we work to decide on the best route forward for this change introduced by PANW, I want to let you know for now where you can set the timeout value...

[Attached screenshot: image001.jpg.jpeg]


Best Regards
-d

Snr Tech Marketing Engineer - ClearPass
