Occasional Contributor I
Posts: 7
Registered: ‎11-27-2015

Problem with RAP using mobile devices and Palo Alto integration

Dear Airheads,

I've got a problem with a 3200 controller after upgrading from version 6.4.2.5 to version 6.4.3.6.

I'm using the Palo Alto integration, and after the upgrade, I've imported the certificates into the Aruba WLC and the connector state is up and running. Everything works fine, I see the users properly authenticated against a RADIUS server, with username, IP and so on.

I also have several RAPs, and here is the problem: the mobile devices authenticating on a RAP are correctly seen by the WLC but NOT in the Palo Alto, while other devices such as Windows machines are.

 

In short:

 

CAP with PC: Ok

CAP with mobile: Ok

RAP with PC: Ok

RAP with mobile: not working, correctly seen by WLC but the user is not forwarded to Palo Alto.

 

Any idea?

 

Kindest regards,

Luca

MVP
Posts: 1,422
Registered: ‎10-25-2011

Re: Problem with RAP using mobile devices and Palo Alto integration

Are the users in the same role as CAP users?
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
Occasional Contributor I
Posts: 7
Registered: ‎11-27-2015

Re: Problem with RAP using mobile devices and Palo Alto integration

Yes, absolutely. For example, I've got these two users:

 

(sede-mc3200) #show user-table

Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type Host Name
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ---- ---------

192.168.50.116 90:00:db:6d:42:e4 CBRBO\irenemanzi office-role 00:00:55 802.1x RAP-SAIARINO Associated(Remote) renana_office/18:64:72:7a:5a:60/g-HT office-aaa split tunnel Android
192.168.50.119 f4:b7:e2:51:65:6f CBRBO\mauriziobrunazzi office-role 00:04:50 802.1x RAP-SAIARINO Associated(Remote) renana_office/18:64:72:7a:5a:60/g-HT office-aaa split tunnel Win 8

 

 

They are the same, but in the PA I see only the second IP associated with the user, which is a Windows machine. For the first, I see the IP but not the user in the PA, so it goes into the wrong policy.

 

Thank you for your prompt response,

Luca
