Clearpass Palo Alto Integration : User Idle timeout


    Posted Oct 13, 2021 07:49 PM
    Hi All,

    I would like to get some information regarding some of the parameters used in the Clearpass-Palo Alto integration (6.9.6 version on CPPM)

    1. Does Clearpass pass the user ID timeout as 45 mins to PA based on this configuration, or is it set to never expire?

    2. Does Clearpass keep updating PA to extend this timeout value based on the RADIUS interim accounting updates that it receives for the user, in case the user doesn't roam and stays connected for more than 45 mins?

    3. Does Clearpass send User ID information on each authentication request that is received for the user?

    4. Are there any recommendations around changing the User Identification timeout values on Clearpass & Palo Alto based on your experience?

    5. What is the best way to tackle the issue where Clearpass receives authentication requests that are missing the domain prefix in the username?

    Is there a way in Clearpass to append the domain prefix only if it receives a username without a prefix? I don't want to append the domain name when the username is in email address format, since that breaks the user-group mapping on Palo Alto.

    6. I am seeing some issues with Clearpass not sending over User ID information for some users randomly. At times, I am seeing the following in the logs:

    2021/10/14 00:41:32 ERROR pan.go:507:postauth/plugins/pan.PaloAltoPlugin.PostFile: Error in post
    <response status="error"><msg><line><uid-response>
    <version>2.0</version>
    <payload>
    <register>
    <entry ip="10.1.1.1" message="tag Computer already exists, ignore"/>
    <entry ip="10.1.1.4" message="tag Computer already exists, ignore"/>
    <entry ip="10.1.1.9" message="tag Computer already exists, ignore"/>
    <entry ip="10.1.1.12" message="tag Computer already exists, ignore"/>
    <entry ip="10.1.1.131" message="tag Computer already exists, ignore"/>
    <entry ip="10.1.1.51" message="tag Computer already exists, ignore"/>
    <entry ip="10.1.1.135" message="tag Computer already exists, ignore"/>
    <entry ip="10.1.1.15" message="tag Computer already exists, ignore"/>
    <entry ip="10.1.1.187" message="tag Computer already exists, ignore"/>

    Has anyone else encountered the same issue?


    ------------------------------
    Nitesh Singla
    ------------------------------
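The username-prefixing rule asked about in question 5 (prepend the domain only when the incoming username has neither a `DOMAIN\` prefix nor an `@` form, because prefixing an email-style name breaks the Palo Alto user-group mapping) is easy to get wrong at the edges, so here is the rule written out as a small Python function. This is an added illustration, not code from the original post, from ClearPass, or from Palo Alto; in ClearPass the equivalent would be expressed in an enforcement or attribute rewrite, and the default domain `EXAMPLE` and the sample RADIUS usernames are constructed values.

```python
# Username normalization for a ClearPass -> Palo Alto User-ID style integration.
# Added example (not part of the original thread). DEFAULT_DOMAIN and the
# sample usernames below are constructed placeholders.

DEFAULT_DOMAIN = "EXAMPLE"   # assumed NetBIOS domain; replace in real use


def classify_username(username: str) -> str:
    """Return one of 'prefixed', 'upn', or 'bare' for a RADIUS username.

    'prefixed' : DOMAIN\\user, already in the form the firewall maps to groups
    'upn'      : user@domain (UPN / e-mail form); must NOT be prefixed again
    'bare'     : plain sAMAccountName with no domain information
    """
    name = username.strip()
    if not name:
        raise ValueError("empty username")
    if "\\" in name:
        return "prefixed"
    if "@" in name:
        return "upn"
    return "bare"


def normalize_username(username: str, default_domain: str = DEFAULT_DOMAIN) -> str:
    """Prepend default_domain only to bare usernames; leave the rest untouched."""
    name = username.strip()
    kind = classify_username(name)
    if kind == "bare":
        return f"{default_domain}\\{name}"
    # 'prefixed' and 'upn' are returned unchanged so group mapping keeps working
    return name


def normalize_batch(usernames, default_domain: str = DEFAULT_DOMAIN) -> dict:
    """Normalize a list of usernames; returns {original: normalized}.

    Empty or whitespace-only names are skipped rather than raising, since a
    batch taken from accounting records may contain blanks.
    """
    result = {}
    for raw in usernames:
        if not raw or not raw.strip():
            continue
        result[raw] = normalize_username(raw, default_domain)
    return result


if __name__ == "__main__":
    # Constructed sample of the three username shapes seen in RADIUS requests
    samples = ["jdoe", "EXAMPLE\\asmith", "bwong@example.com", "  tlee ", ""]
    for original, fixed in normalize_batch(samples).items():
        print(f"{original!r:24} -> {fixed!r}")
```

The check for `@` before prefixing is the part that matters for the group mapping problem described in the post: a UPN-style name gets passed through as-is, while only a bare sAMAccountName is given the `DOMAIN\` prefix.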