Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass 6.7 and Palo Alto Firewall Integration

  • 1.  ClearPass 6.7 and Palo Alto Firewall Integration

    Posted Jan 16, 2018 01:57 AM

    Hi community,

     

    I upgraded ClearPass to 6.7, and as part of the upgrade I can see the enforcement profile for updating Palo Alto user-id has changed (automatically) as follows:

    1.PNG

    Do I have to do anything extra for the integration to work? Or is this new configuration good enough? I'm running PAN-OS 7.1.14.



  • 2.  RE: ClearPass 6.7 and Palo Alto Firewall Integration

    Posted Jan 18, 2018 04:38 AM

    I've tested this and it works well so far. Previously the user-id information was unstable on Palo Alto (when testing between ClearPass 6.6.8 and PAN-OS 7.1.14). Now I can open rules with user or role on PA and not unexpectedly get disconnected due to user info not being available.



  • 3.  RE: ClearPass 6.7 and Palo Alto Firewall Integration

    Posted Jan 23, 2018 01:50 PM

    Just to add, no there is nothing you have to do. As part of the upgrade to 6.7 we have migrated the PANW configuration and this is documented in the release notes.

     

    Endpoint Context Servers

    The following new features are introduced in Endpoint Context Servers in the 6.7.0 release.

    - Context Server Action content can now be customized for Palo Alto Networks Firewall (PANW) endpoint context servers. You can notify PANW of additional attributes by adding a new action or modifying an existing action. You can also create or import new attributes for PANW at Administration > Dictionaries > Context Server Actions. (#31343, #38979, #40754)

    As part of this feature, some new default actions have been added and some have been removed:

     

    The Context Server Actions dictionary now includes the following new actions for a total of 18 actions — Register Device, Register Posture, Register Role, Send HIP Report (Global Protect), Send Login Info, Send Logout Info, Unregister Device, Unregister Posture, and Unregister Role.

     

    The following four options in the Endpoint Context Server have been removed — ClearPass Profiler, ClearPass Role, GlobalProduct, and UserID Post URL.



  • 4.  RE: ClearPass 6.7 and Palo Alto Firewall Integration

    Posted Jan 25, 2018 06:16 AM

    Hello danny,

     

    Thanks for your comment. Actually I've observed unexpected behavior with the CPPM - Palo Alto integration for the last several days (I thought it had been fixed with ClearPass 6.7). Though many user-ids are synced stably to PA, some others just got lost (unstable) for an unknown reason. You can see it in the attached screenshot:

     

    pa_user_id.PNG

     

    My company has about 2000 employees, and I don't know if this behavior is due to a large number of user-ids being synced. Do I need to tune some parameters to fix this issue? I'm running ClearPass 6.7 and PAN-OS 7.1.14.



  • 5.  RE: ClearPass 6.7 and Palo Alto Firewall Integration

    Posted Apr 27, 2018 03:48 PM

    I know this issue is a few months old, but was this ever resolved for anyone?  We are seeing the same symptoms with Clearpass 6.7.0.101814 and Palo Alto 7.1.16.  So far, support cases with Aruba and Palo Alto haven't narrowed it down to anything specific, but it's causing all sorts of havoc with the firewall's content filtering policies as various higher-ups will randomly be subjected to the "we don't know who this is" generic policies and are restricted when they shouldn't be.



  • 6.  RE: ClearPass 6.7 and Palo Alto Firewall Integration

    Posted Apr 28, 2018 10:34 PM

    Hi davistim,

     

    Per the ClearPass 6.7.2 release notes:

    #39696

    Corrected an issue where the order of the updates sent to Palo Alto Firewall was incorrect, and in some cases caused Palo Alto Firewall to not receive user IDs from ClearPass.

    Looks like they have improved the user-id integration between CPPM and PANW. I haven't had a chance to test this because some issues (probably only specific to my environment) prevent me from updating CPPM to this version. But I think you could try updating CPPM and see if it solves the integration issue. Would be great if you can share the test result here.

     

    Regards,



  • 7.  RE: ClearPass 6.7 and Palo Alto Firewall Integration

    Posted Aug 09, 2018 01:48 PM

    Just to circle back on this, we are still seeing this issue occasionally and can consistently reproduce it.  We're on Clearpass 6.7.4.107401, Palo Alto 8.0.10.  Trying to regroup with support on Aruba and Palo Alto side, but so far, the general consensus from both is that Clearpass/PAN are configured correctly and logs show they're doing what they're supposed to, so it must be the other vendor's fault.  If I can ever get this resolved, I'll update this thread.



  • 8.  RE: ClearPass 6.7 and Palo Alto Firewall Integration

    Posted Aug 10, 2018 06:45 PM

    davistim,

     

    I'd like to follow up with you on this. What is the basic issue here, users being authN by CPPM not showing up in PANW?

     

     



  • 9.  RE: ClearPass 6.7 and Palo Alto Firewall Integration

    Posted Aug 16, 2018 02:44 AM

    Hi dannyjump,

     

    I'm also experiencing this issue. I updated CPPM to the latest version (6.7.5) but it did not solve the issue. The user id is not showing up consistently on Palo Alto (which uses PAN-OS 7.1.15 btw). All settings on CPPM and Palo Alto are kept at their default.

     

    Could you please help on this?

     

    Regards,



  • 10.  RE: ClearPass 6.7 and Palo Alto Firewall Integration

    Posted Mar 15, 2019 04:43 AM

    Hi Danny,

    I'm looking at how and when the logout (or deregister) actions are sent to PAN. I'd like to understand when these actions are sent because I don't think that there is a policy that matches a logout event; the only information could come from the accounting (STOP)... So in this case, where do I have to put these actions?

     

    Thanks



  • 11.  RE: ClearPass 6.7 and Palo Alto Firewall Integration

    Posted Aug 23, 2018 08:50 AM

    I too am having this same whacky behaviour with CPPM 6.7.4 and PanOS 7.1.18... ~2500 active wifi clients.

     

    My issue is the same as above, they will initially auth fine the first time, get about 86000s timeout via xmlapi, then just randomly get "unknown" and then the user will be presented with the PA captive portal so it can re-learn the user-ip mapping. This doesn't happen to ALL clients, it seems to be really hit and miss.

     

    Has there been any progress on a fix for this? Or has anyone at aruba been able to replicate the issue?

     

    Could it be anything to do with radius re-auth and it sending the context server actions in the incorrect order?

     

    I was thinking of applying the 6.7.5 patch, but looks like previous user has done this and it hasn't fixed the issue :(



  • 12.  RE: ClearPass 6.7 and Palo Alto Firewall Integration

    Posted Oct 02, 2018 12:26 PM

    We are running Clearpass 6.6.10 and PAN OS 8.0.9 and have the same problem. Some user-id information is passed, while others are not. I am following this, in case someone finds a resolution. 



  • 13.  RE: ClearPass 6.7 and Palo Alto Firewall Integration

    Posted Oct 10, 2018 01:52 PM

    I had this problem with UserID disappearing and figured out that it was because I had UserID agents running on the domain controllers as well as collecting UserID from CPPM.  As soon as I disabled the UserID agents on the DCs the mappings stabilized.



  • 14.  RE: ClearPass 6.7 and Palo Alto Firewall Integration

    Posted Oct 29, 2018 12:48 PM

    Funnily enough... you might be on to something there.

    I found this article that stated that you can tail the userid log on the firewall and you will see rate-limiting happening due to loads of "unknown" users breaching a threshold. (~100 second)

     

    I too have user-id scanning ranges on multiple DCs and subnets.

    For laziness I have summarised these and the summary scope has the BYOD ranges in. These would have a lot of unknown users.

    I'm working on removing those scopes from the user-id agents and seeing if the behavior changes, as the BYOD users should be fed from CPPM via xmlapi... (Which it does before it looks like user-id takes over)

     

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cls9CAC

     

    There is a snippet at the bottom of this that explains the rate limiting under FAQ-More info.

     

    Hope this helps.

    I'll feedback with my results.

     

    Regards

    John
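
Added example, not part of the thread or of any vendor tooling: posts 13 and 14 trace the unstable mappings to User-ID agent scopes that also cover ranges ClearPass feeds over the XML API. This Python sketch finds such overlaps and computes an agent include list with the ClearPass-fed ranges carved out. The subnets and the `carve_out` helper are constructed for illustration, and IPv4-only input is assumed.

```python
import ipaddress

# Constructed sample data (not from the thread): summarised include-list
# entries on the User-ID agents, and the BYOD ranges ClearPass feeds via XML API.
AGENT_SCOPES = ["10.10.0.0/16", "10.20.0.0/16", "192.168.50.0/24"]
CPPM_FED_RANGES = ["10.10.128.0/20", "192.168.50.0/24"]


def carve_out(agent_scopes, cppm_ranges):
    """Return (overlaps, new_scopes).

    overlaps   : (agent scope, ClearPass range) pairs that both sources cover
    new_scopes : agent scopes with every ClearPass-fed range removed
    """
    scopes = [ipaddress.ip_network(s) for s in agent_scopes]
    fed = [ipaddress.ip_network(r) for r in cppm_ranges]
    overlaps = [(s, f) for s in scopes for f in fed if s.overlaps(f)]

    remaining = scopes
    for f in fed:
        kept = []
        for s in remaining:
            if not s.overlaps(f):
                kept.append(s)            # untouched by this ClearPass range
            elif s.subnet_of(f):
                continue                  # entirely ClearPass-fed: drop it
            else:
                # f sits inside s: keep everything in s except f
                kept.extend(s.address_exclude(f))
        remaining = kept
    return overlaps, list(ipaddress.collapse_addresses(remaining))


if __name__ == "__main__":
    overlaps, new_scopes = carve_out(AGENT_SCOPES, CPPM_FED_RANGES)
    for scope, fed_range in overlaps:
        print(f"overlap: agent scope {scope} also covers ClearPass range {fed_range}")
    print("suggested agent include list:")
    for net in new_scopes:
        print(f"  {net}")
```

Re-running the function on its own output should report no overlaps, which is a quick check before changing the agent configuration.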