Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

ClearPass Palo Alto Integration: User Idle timeout

1. ClearPass Palo Alto Integration: User Idle timeout

    Posted Oct 13, 2021 07:49 PM
    Hi All,

    I would like to get some information regarding some of the parameters used in the ClearPass-Palo Alto integration (CPPM version 6.9.6).

    1. Does ClearPass pass the user ID timeout of 45 mins to PA based on this configuration, or is it set to never expire?

    2. Does ClearPass keep updating PA to extend this timeout value based on the RADIUS interim accounting updates it receives for the user, in case the user doesn't roam and stays connected for more than 45 mins?

    3. Does ClearPass send User-ID information on each authentication request it receives for the user?

    4. Are there any recommendations around changing the User Identification timeout values on ClearPass and Palo Alto based on your experience?

    5. What is the best way to tackle the issue where ClearPass receives authentication requests that are missing the domain prefix in the username?

    Is there a way in ClearPass to append the domain prefix only if it receives a username without a prefix? I don't want to append the domain name when the username is in email address format, since that breaks the user-group mapping on Palo Alto.

    6. I am seeing some issues with ClearPass randomly not sending over User-ID information for some users. At times, I am seeing the following in the logs:

    2021/10/14 00:41:32 ERROR pan.go:507:postauth/plugins/pan.PaloAltoPlugin.PostFile: Error in post
    <response status="error"><msg><line><uid-response>
    <version>2.0</version>
    <payload>
    <register>
    <entry ip="10.1.1.1" message="tag Computer already exists, ignore"/>
    <entry ip="10.1.1.4" message="tag Computer already exists, ignore"/>
    <entry ip="10.1.1.9" message="tag Computer already exists, ignore"/>
    <entry ip="10.1.1.12" message="tag Computer already exists, ignore"/>
    <entry ip="10.1.1.131" message="tag Computer already exists, ignore"/>
    <entry ip="10.1.1.51" message="tag Computer already exists, ignore"/>
    <entry ip="10.1.1.135" message="tag Computer already exists, ignore"/>
    <entry ip="10.1.1.15" message="tag Computer already exists, ignore"/>
    <entry ip="10.1.1.187" message="tag Computer already exists, ignore"/>

    Has anyone else encountered the same issue?


    ------------------------------
    Nitesh Singla
    ------------------------------
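Two of the points raised in the post, the conditional domain prefix (question 5) and reading the uid-response that the pan.go plugin logged (question 6), as an added Python example. This is not code from the post, from ClearPass or from PAN-OS; it only makes the two rules explicit and testable. The domain name CORP, the helper names, and the closing tags on the sample response are assumptions (the post's log excerpt is truncated after the entry elements, so the sample below is a constructed, well-formed version of it).

```python
"""Added example (not ClearPass or PAN-OS code) for two points in the post:
(1) add a domain prefix only when the username has none, leaving UPN/email
    names alone so Palo Alto user-to-group mapping keeps working;
(2) read a User-ID (uid-response) XML reply like the one the pan.go plugin
    logged and separate "already exists, ignore" notices from real failures.
Assumptions: the domain name CORP, the helper names, and the closing tags
on the sample response, which the post shows only truncated.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

DEFAULT_DOMAIN = "CORP"  # hypothetical NetBIOS domain, not from the post


def normalize_user_id(username: str, domain: str = DEFAULT_DOMAIN) -> str:
    """Return the name to send to Palo Alto User-ID.

    - "user@realm"  : UPN / email form, passed through unchanged
    - "DOMAIN\\user" : already prefixed, passed through unchanged
    - "user"        : bare account name, gets DOMAIN\\ prepended
    """
    name = username.strip()
    if not name:
        raise ValueError("empty username")
    if "@" in name or "\\" in name:
        return name
    return f"{domain}\\{name}"


# Constructed, well-formed version of the error the post quotes (the real log
# line is cut off after the <entry> elements; closing tags are assumed here).
SAMPLE_UID_RESPONSE = """<response status="error"><msg><line><uid-response>
<version>2.0</version>
<payload>
<register>
<entry ip="10.1.1.1" message="tag Computer already exists, ignore"/>
<entry ip="10.1.1.4" message="tag Computer already exists, ignore"/>
<entry ip="10.1.1.9" message="tag Computer already exists, ignore"/>
</register>
</payload>
</uid-response></line></msg></response>"""

BENIGN_MARKER = "already exists, ignore"


def classify_uid_response(
    xml_text: str,
) -> Tuple[str, List[Dict[str, str]], List[Dict[str, str]]]:
    """Parse a uid-response and split per-IP entries into benign and failed.

    Returns (status, benign_entries, failed_entries). An "error" status whose
    entries are all "already exists, ignore" is noise from re-registering a
    tag that is already present on the firewall, not a lost User-ID mapping.
    """
    root = ET.fromstring(xml_text)
    status = root.get("status", "unknown")
    benign: List[Dict[str, str]] = []
    failed: List[Dict[str, str]] = []
    for entry in root.iter("entry"):
        rec = {"ip": entry.get("ip", ""), "message": entry.get("message", "")}
        (benign if BENIGN_MARKER in rec["message"] else failed).append(rec)
    return status, benign, failed


def is_real_failure(xml_text: str) -> bool:
    """True when the firewall rejected at least one entry for a reason other
    than the tag already being present, or reported an error with no entries."""
    status, benign, failed = classify_uid_response(xml_text)
    return status == "error" and (bool(failed) or not benign)


if __name__ == "__main__":
    for u in ("jdoe", "jdoe@example.com", "CORP\\jdoe"):
        print(f"{u!r:25} -> {normalize_user_id(u)!r}")
    status, benign, failed = classify_uid_response(SAMPLE_UID_RESPONSE)
    print(f"status={status} benign={len(benign)} failed={len(failed)} "
          f"real_failure={is_real_failure(SAMPLE_UID_RESPONSE)}")
```

In ClearPass itself the prefix rule would live in the policy configuration rather than in Python; the function only pins down the behaviour the post asks for so it can be checked against the three username shapes. The classifier is the check a practitioner would want before treating the quoted "Error in post" line as evidence of lost User-ID mappings: the firewall's status is "error", but every entry in it says the tag was already present and was ignored.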