CPPM 6.7 and Palo Alto userid integration - idle timeout setting


    Posted Jul 18, 2018 11:20 AM

    Dear all,

     

    Referring to the following related discussions,

     

    https://community.arubanetworks.com/t5/Security/Clearpass-Palo-Alto-integration-pan-OS-7-1-5-xmlapi-user-timeout/td-p/278098

     

    http://community.arubanetworks.com/t5/Wireless-Access/Palo-Alto-integration-ClearPass-vs-controller/td-p/311933

    I investigated an XMLAPI user timeout setting issue.

    My environment is composed of PANOS 7.1.18 and CPPM 6.7.4.

     

    The issue was the same: the idle timeout for users injected from ClearPass (XMLAPI) inherits the default PAN user-id value (45 min) due to the missing XML "timeout" parameter from ClearPass.

     

    That is confirmed by reviewing the default content for the PAN Endpoint Context Server Action "Send Login Info" on my CPPM:

     default-action.jpg

    The "timeout" parameter is missing.

     

    I solved it by modifying the content as follows:

     

    <uid-message><version>1.0</version><type>update</type><payload><login><entry name="%{user}" ip="%{ip}" timeout="0"/></login></payload></uid-message>

     

    I added timeout="0" to get "never" expiration.

     

    My question is, why is timeout missing from the predefined content action?

    Based on the posts mentioned above, I would have expected this to be implemented by default in version 6.7...

     

    Another question: I found the following parameter under Administration->Server Configuration->Server Parameters->Async Network Service:

    immagine.png

    Is this related to the topic in the subject?

    I suppose yes, in my opinion this could be the default timeout injected from CPPM to PAN with post authentication action, but as discussed it doesn't apply/work.

     

    Thanks

    Andrea
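
    An added example, not part of the original post and not ClearPass or PAN-OS code: a small Python audit of a uid-message action body that reports whether each login entry carries a timeout, plus a builder that always sets one and escapes the values. The function names are hypothetical, and DEFAULT_ACTION is constructed from the post's description of the default content, since the screenshot is not available.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed samples: the default action as the post describes it (no timeout
# attribute) and the poster's modified content with timeout="0".
DEFAULT_ACTION = ('<uid-message><version>1.0</version><type>update</type><payload>'
                  '<login><entry name="%{user}" ip="%{ip}"/></login></payload></uid-message>')
MODIFIED_ACTION = DEFAULT_ACTION.replace('ip="%{ip}"', 'ip="%{ip}" timeout="0"')


def audit_uid_message(xml_text):
    """Classify the timeout of every <login>/<entry> in a uid-message."""
    root = ET.fromstring(xml_text)
    if root.tag != "uid-message":
        raise ValueError("root element is not <uid-message>")
    findings = []
    for entry in root.findall("./payload/login/entry"):
        raw = entry.get("timeout")
        if raw is None:
            status = "missing"    # firewall applies its own default (45 min in the post)
        elif not (raw.isascii() and raw.isdigit()):
            status = "invalid"
        elif int(raw) == 0:
            status = "never"      # mapping never expires, per the post
        else:
            status = "explicit"
        findings.append({"name": entry.get("name"), "ip": entry.get("ip"),
                         "timeout": raw, "status": status})
    return findings


def build_login_message(user, ip, timeout):
    """Render a login uid-message with an explicit timeout and escaped values."""
    ipaddress.ip_address(ip)      # raises ValueError on a malformed address
    if not isinstance(timeout, int) or timeout < 0:
        raise ValueError("timeout must be a non-negative integer")
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for label, doc in (("default", DEFAULT_ACTION), ("modified", MODIFIED_ACTION)):
        print(label, audit_uid_message(doc))
```

    A "never" result is worth reviewing alongside how logout events reach the firewall, because those IP-to-user mappings are not aged out by the timeout.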