Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass 6.3.1, Airwave 7.7.10, and Palo Alto Firewall 5.0 not all user-id data

  • 1.  ClearPass 6.3.1, Airwave 7.7.10, and Palo Alto Firewall 5.0 not all user-id data

    Posted Apr 02, 2014 01:20 PM

    Hello,

    I have Palo Alto integration set up for my ClearPass. So the way I understand it is that as users authenticate it will hand the data over via XML to the Palo Alto Firewall.

     

    We are only seeing that maybe 60% of users that authenticate are having their user-id sent over. 

     

    Not sure why Palo Alto is missing out on these, whether it is a Palo Alto setting, ClearPass, or a networking issue. 

     

    My question is, what could cause some user-ids that are authenticated to not be sent over/processed?

     

    I have an example:

     

    We have a user, I show he authenticated yesterday via ClearPass Access Tracker and Accounting. Under accounting I show him being issued the IP I see him having. 

     

    I can find that IP in the Palo Alto Firewall with no User data tied to it. 

     

    If I look up the IP in Airwave then I find the username by IP. 

     

    I assume it's set up correctly since some user-id data is sent over, just not all users.

     

     

    These are users joining a wireless network, using ClearPass as a RADIUS. 



  • 2.  RE: ClearPass 6.3.1, Airwave 7.7.10, and Palo Alto Firewall 5.0 not all user-id data

    Posted Apr 02, 2014 02:19 PM

    My initial thought is that the service that is authenticating some of the users is not referencing the correct enforcement policy/profile definition that is configured with the session-check option... or my second thought is that these users are coming from a different wireless-ctrl that does not have interim accounting enabled...

     

    Go find a user in access-tracker that auth BUT you don't see over in the PANW and see if you see the accounting tab for that user....

     



  • 3.  RE: ClearPass 6.3.1, Airwave 7.7.10, and Palo Alto Firewall 5.0 not all user-id data

    Posted Apr 02, 2014 02:33 PM

    We only use a single 7210 controller. They are authenticated using the same service as others.

     

    We do have 2 domains that we authenticate against, but I don't know how this would cause an issue. (I see user-id info coming from both domains)

     

    If I view a user in Access-tracker that doesn't show user-id in PANW, I do indeed see an Accounting tab. 

     

    I am not sure if there was detail included in a picture you included. It did not load for me if there was. 

     

     

     

    I included examples of what I see as attachments. Just snips from my screen.




  • 4.  RE: ClearPass 6.3.1, Airwave 7.7.10, and Palo Alto Firewall 5.0 not all user-id data

    Posted Apr 02, 2014 04:12 PM

    So assuming that you've also reviewed my TechNote: CPPM + PANW Integration... I'm likely to suggest you open a TAC ticket. In my TechNote at the end is a section on how to extract and review the LOG file where we log messages related to this function... looking in this file may provide you an insight or offer some other log info which helps you track this down.



  • 5.  RE: ClearPass 6.3.1, Airwave 7.7.10, and Palo Alto Firewall 5.0 not all user-id data

    Posted Apr 04, 2014 11:13 AM

    I think I may have come up with something. 

     

    So the Updates trigger we have set looks like this

     

     

    Session-Check    IP-Address-Change-Notify    =    10.10.8.1 (which is our Firewall)

     

     

    Well, we don't change IPs very frequently, so only users that have changed IP would notify the Firewall if I understand this correctly.

     

    Is there another Session-Check that might work on like an Authentication? Looking at the options in the drop down, nothing really stands out as a usable option for us. 

     

    Updates Trigger



  • 6.  RE: ClearPass 6.3.1, Airwave 7.7.10, and Palo Alto Firewall 5.0 not all user-id data

    Posted Apr 04, 2014 11:41 AM

    I suppose the other option I can potentially see, rather than changing this session-check setting. Since I don't care that users keep the same IP for so long, is there a simple way to possibly clear the IPs from the Insight database making ALL IPs appear to change/new?

     

    I assume this would potentially force everyone to reauthenticate, but most Operating Systems should do that automatically if I'm not mistaken. 

     

     



  • 7.  RE: ClearPass 6.3.1, Airwave 7.7.10, and Palo Alto Firewall 5.0 not all user-id data

    Posted Apr 04, 2014 01:29 PM

    It's VERY misleading, but this session-check/address-change should not be read literally... it's just an internal thing, nothing to do really with devices/endpoints changing IP address but an INTERNAL under the skin way engineering utilised a feature to allow us to trigger updates from CPPM to PANW when a device gets its initial IP address.