Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Palo Alto integration pan OS 7.1.5 xmlapi user timeout

  • 1.  Clearpass Palo Alto integration pan OS 7.1.5 xmlapi user timeout

    Posted Oct 13, 2016 07:54 AM

    Since upgrading to PAN-OS 7.1.5 from 7.1.4-h2 we noticed that user-IP mappings in the Palo Alto were timing out within 45 minutes. And although reauthenticating via ClearPass, ClearPass would only push the user properties again when the user got a new DHCP lease. Renewal didn't work.

    Can you give a user max timeout value from within ClearPass (introduced in PAN-OS 5.x) to set the XML API user timeout on the Palo Alto?

    Before PAN-OS 7.1.5 the default XML API user timeout was never, and now it is 45 minutes.



  • 2.  RE: Clearpass Palo Alto integration pan OS 7.1.5 xmlapi user timeout

    Posted Oct 24, 2016 04:33 PM

    Running into a very similar problem after upgrading to 7.1.5. Any resolution?



  • 3.  RE: Clearpass Palo Alto integration pan OS 7.1.5 xmlapi user timeout

    Posted Oct 24, 2016 10:51 PM

    Guys,

     

    We're looking into this. I'm working with DEV to see if we can identify any issues and, if so, where the fault domain is.

     

     



  • 4.  RE: Clearpass Palo Alto integration pan OS 7.1.5 xmlapi user timeout

    Posted Oct 25, 2016 02:10 AM

    Good morning,

     

    We have a workaround at the moment. We didn't have RADIUS accounting configured on the wireless networks on our Motorola VX9000. This will trigger the post-authentication process via interim accounting. And Palo Alto has also identified this as a bug in their code, as it shouldn't have changed the timeout of the XML API user-ID timeout. What we have seen with RADIUS accounting configured on the VX9000 with ClearPass as the target and running PAN-OS 7.1.5: the XML API will take the global user-ID timeout configured from the GUI as the timeout for the user-ID cache for users supplied via the XML API.

     

    Kind regards Igor



  • 5.  RE: Clearpass Palo Alto integration pan OS 7.1.5 xmlapi user timeout

    Posted Nov 01, 2016 06:15 PM

    Hi,

     

    I talked to PAN support and, from what I heard, this change was intentional and they are not going to revert it back to what it was. Basically, before 7.1.5, if you do not add the timeout value in the user-ID message it defaults to never; now it uses the timeout value configured in the User-ID settings on the firewall.

     

    What will work (so DEV, use this) is the following XML message. By setting timeout to 0, the result is the same as it was, and ClearPass can send login and logout messages based on accounting data.

     

    <uid-message>
      <version>1.0</version>
      <type>update</type>
      <payload>
        <login>
          <entry name="domain\uid2" ip="10.1.1.2" timeout="0">
          </entry>
        </login>
      </payload>
    </uid-message>

     

    Bart.
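An added example (not code from this thread, ClearPass or Palo Alto) that builds the User-ID XML API update message described in the post above with an explicit timeout attribute on every login entry, and audits an existing message for entries that would behave differently after the 7.1.5 change: entries with no timeout attribute (which now inherit the firewall's global User-ID timeout) and entries with timeout 0 (which never expire and therefore depend on a matching logout message from accounting). The audit also reports messages that are not well-formed XML, such as attribute values wrapped in typographic quotes rather than ASCII double quotes. The user names and IPs are constructed sample values; the message layout follows the one posted above.

```python
import xml.etree.ElementTree as ET

# Finding strings returned by audit_uid_message(); the version note is
# taken from the thread's description of the PAN-OS 7.1.5 change.
NO_TIMEOUT = "no timeout attribute: inherits firewall global User-ID timeout (PAN-OS 7.1.5+)"
TIMEOUT_ZERO = "timeout 0: mapping never expires; depends on an explicit logout message"


def build_uid_message(logins=(), logouts=(), default_timeout=0):
    """Build a PAN-OS User-ID XML API 'update' message as a string.

    logins:  iterable of (user, ip) or (user, ip, timeout_minutes) tuples.
    logouts: iterable of (user, ip) tuples.
    Every login entry is written with an explicit timeout attribute so the
    firewall's global User-ID timeout is never silently applied.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    if logins:
        login = ET.SubElement(payload, "login")
        for item in logins:
            user, ip = item[0], item[1]
            timeout = item[2] if len(item) > 2 else default_timeout
            ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(int(timeout)))
    if logouts:
        logout = ET.SubElement(payload, "logout")
        for user, ip, *_ in logouts:
            ET.SubElement(logout, "entry", name=user, ip=ip)
    return ET.tostring(root, encoding="unicode")


def audit_uid_message(xml_text):
    """Return a list of (user, ip, finding) tuples for login entries whose
    lifetime is not bounded by the message itself. Logout entries carry no
    timeout and are not audited. A parse failure yields a single finding."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("*", "*", f"not well-formed XML: {exc}")]
    findings = []
    for entry in root.findall("./payload/login/entry"):
        user = entry.get("name", "?")
        ip = entry.get("ip", "?")
        timeout = entry.get("timeout")
        if timeout is None:
            findings.append((user, ip, NO_TIMEOUT))
        elif timeout.strip() == "0":
            findings.append((user, ip, TIMEOUT_ZERO))
    return findings


if __name__ == "__main__":
    # Constructed sample: one login with the thread's timeout="0" and one logout.
    msg = build_uid_message(logins=[("domain\\uid2", "10.1.1.2")],
                            logouts=[("domain\\uid1", "10.1.1.1")])
    print(msg)
    for finding in audit_uid_message(msg):
        print("audit:", finding)
```

Run the audit over the messages your integration actually emits (for example, captured from the ClearPass endpoint context server logs) before and after a PAN-OS upgrade: a login entry without a timeout attribute is the case whose lifetime changed from "never" to the firewall's global setting.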



  • 6.  RE: Clearpass Palo Alto integration pan OS 7.1.5 xmlapi user timeout

    Posted Nov 07, 2016 07:21 PM

    While we work to decide on the best route forward for this change introduced by PANW, I want to let you know for now where you can set the timeout value....

     

    [Attached screenshot: image001.jpg.jpeg]