After some fiddling and database querying, we agreed that there were stale entries in the redis queue, and I observed that most of the MAC addresses were for devices which I had been using to test my enforcement policy, and which hadn't logged out, so much as been removed from the role-matching when I completed testing. Effectively I'd added them to the role-match to make something happen, and removed them from the match when I was ready to go live - with no way to tell CPPM that I was done with them.
I had hoped that when they logged off, they'd get flushed - but they don't log off, they were iPads and all our users ever did was lock the screen and leave them on the charger overnight.
We flushed the redis queue and let new authentication events repopulate.
No stale entries have reappeared. (so far)
------------------------------
--Matthew
If I have in some way helped, please click the KUDOS button
------------------------------
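The failure mode described above is a mapping that is never logged out, so it is resent until the queue is cleared. As an added illustration (not code from this thread or from Aruba/Palo Alto), here is a reconciliation check a defender could run: compare the mappings a firewall holds against the sessions CPPM currently considers active and build a User-ID logout payload for the leftovers. The mapping and session values are constructed sample data, and the uid-message XML layout is assumed from the public PAN-OS User-ID XML API format.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed sample data: what the firewall currently holds (user, ip, last refresh)
# and the sessions CPPM still reports as active. Names and addresses are invented.
FIREWALL_MAPPINGS = [
    {"user": "corp\\alice", "ip": "10.1.2.10", "last_seen": "2021-01-28T07:00:00"},
    {"user": "corp\\testpad1", "ip": "10.1.5.21", "last_seen": "2020-12-20T09:15:00"},
    {"user": "corp\\testpad2", "ip": "10.1.5.22", "last_seen": "2020-12-20T09:16:00"},
]
ACTIVE_SESSIONS = {("corp\\alice", "10.1.2.10")}


def find_stale(mappings, active, now, max_age=timedelta(hours=24)):
    """Return mappings that have no matching active session or were not
    refreshed within max_age (catches the 'never logged off' iPad case)."""
    stale = []
    for m in mappings:
        key = (m["user"], m["ip"])
        age = now - datetime.fromisoformat(m["last_seen"])
        if key not in active or age > max_age:
            stale.append(m)
    return stale


def build_logout_message(stale):
    """Build a User-ID XML API 'logout' document for the stale mappings.
    Element layout assumed from the published uid-message format (version 1.0)."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    logout = ET.SubElement(payload, "logout")
    for m in stale:
        ET.SubElement(logout, "entry", name=m["user"], ip=m["ip"])
    return ET.tostring(root, encoding="unicode")


def stale_users(mappings=FIREWALL_MAPPINGS, active=ACTIVE_SESSIONS, now=None):
    """Convenience wrapper: list (user, ip) pairs that should be logged out."""
    now = now or datetime(2021, 1, 28, 8, 0, 0)  # fixed 'now' so the sample is reproducible
    return [(m["user"], m["ip"]) for m in find_stale(mappings, active, now)]


if __name__ == "__main__":
    leftovers = find_stale(FIREWALL_MAPPINGS, ACTIVE_SESSIONS, datetime(2021, 1, 28, 8, 0, 0))
    print(build_logout_message(leftovers))
```

Reviewing the generated logout list before it is submitted is the point of the check: any entry that surprises you is a mapping that was being refreshed without a live session behind it.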
Original Message:
Sent: Jan 28, 2021 07:24 AM
From: Daniel Janßen
Subject: CPPM -> PaloAlto XMLAPI UserID data resend?
Thanks for keeping us up to date! Really looking forward to your results
Original Message:
Sent: Jan 27, 2021 11:29 PM
From: Danny Jump
Subject: CPPM -> PaloAlto XMLAPI UserID data resend?
That's cool, Mathew George is "THE TAC ENGINEER, GLOBALLY", and knows the PANW/CPPM integration very well, you're in the best of hands with him.
------------------------------
Danny Jump
"Passionate about CPPM"
Original Message:
Sent: Jan 27, 2021 08:26 PM
From: Matthew Sabin
Subject: CPPM -> PaloAlto XMLAPI UserID data resend?
I'm never sure when I do or not. I email a gentleman in TAC who handles my request and finds me the appropriate resource [in this case Mathew George (Aruba-ERT)] then my handler or whoever he finds to help me opens a ticket when tracking is needed. I think my case is 5353130348 at this time.
------------------------------
--Matthew
Original Message:
Sent: Jan 27, 2021 07:41 PM
From: Danny Jump
Subject: CPPM -> PaloAlto XMLAPI UserID data resend?
Do you actually have a TAC case open?
------------------------------
Danny Jump
"Passionate about CPPM"
Original Message:
Sent: Jan 27, 2021 07:22 PM
From: Matthew Sabin
Subject: CPPM -> PaloAlto XMLAPI UserID data resend?
I made it worse by upgrading versions mid-troubleshoot. All UserID updates stopped after the upgrade.
We got the postauth service restarted and the updates started again including the stale entries continuing to update as well.
Troubleshooting tomorrow.
I'll keep the updates trickling in.
------------------------------
--Matthew
Original Message:
Sent: Jan 20, 2021 03:55 AM
From: Daniel Janßen
Subject: CPPM -> PaloAlto XMLAPI UserID data resend?
Hi Matthew,
did you get any further with that? We noticed this behaviour as well after upgrading to CPPM 6.9.3. Stale entries are resent irregularly and generate wrong user-ids, which really is a security issue.
Post-Auth v2 should be the default now. Seems there is currently no workaround available.
Regards
Edit: Maybe it is related to CP‑31417:
ClearPass leaves stale entries when a client roams from one ClearPass server to another. In a cluster environment where the user first authenticated on one ClearPass server and later authenticated on a different ClearPass server, ClearPass might leave a stale entry in a Palo Alto Networks (PANW) server. Workaround: If you use a load balancer to load-balance ClearPass RADIUS traffic, configure a load balancing algorithm that maintains connection persistence based on a RADIUS username.
------------------------------
Daniel
Original Message:
Sent: Dec 23, 2020 02:29 PM
From: Matthew Sabin
Subject: CPPM -> PaloAlto XMLAPI UserID data resend?
Nope - still continuing to update stale records. Heading to TAC.
------------------------------
--Matthew
Original Message:
Sent: Dec 23, 2020 01:19 PM
From: Matthew Sabin
Subject: CPPM -> PaloAlto XMLAPI UserID data resend?
Thanks, we recently turned this feature back on and I was seeing the returned bug (CPPM version 6.9.3.x) and am now trying the work-around.
------------------------------
--Matthew
Original Message:
Sent: Aug 15, 2019 04:38 AM
From: Daniel Janßen
Subject: CPPM -> PaloAlto XMLAPI UserID data resend?
Recently had a TAC case, turned out that it is a known bug again. But there exists a workaround:
- Under Cluster-Wide Parameters General Tab set Post-Auth v2 to ENABLED
- then restart Async network service on all machines
That fixed it for me.