topic Unable to connet via Global protect and ISE - "Matching client config not found" in GlobalProtect Discussions

Unable to connet via Global protect and ISE - "Matching client config not found"

MAerre — Fri, 10 Jan 2025 11:25:28 GMT

Hello,

at the moment i'm authenticating users via the local database on palo alto firewall for vpn gp users; what 'id like to do is trying to authenticate vpn users via Cisco Ise.

I've configured local users on Ise and what i want to do is that when a user tries to login, ise checks if the user is present in the local group, and if present it sends a radius-accept packet back to the Palo alto firewall.

On ise side everything it's working but i'm receiving the "Matching client config not found" in the global protect:

this is the log from gp monitor:

and this is the actual rule:

what i can't understand is how to get the correct client config, because this setting is configured on the gateway tab but it's referred to only gp local database users.......

Did you face this issue? Do you know how to fix?

Furthermore how should the policy be configured? I can't use any filter in source ip/user because i don't know how to retrieve this data.

thank you

Regards

Re: Unable to connet via Global protect and ISE - "Matching client config not found"

reaper — Wed, 15 Jan 2025 09:22:47 GMT

which parameters did you set in the AGENT tabs (both portal and gateway), you can set restrictions (like group membership and OS etc)

if you set all client configs to require group membership and there is a mismatch with the userid (while speaking to ISE) and the group mapping, you won't be able to fetch a client config

if you add a 'catchall' config (any/any/any) at the bottom of your agent config, you should be able to connect and continue troubleshooting from there

Re: Unable to connet via Global protect and ISE - "Matching client config not found"

MAerre — Wed, 15 Jan 2025 11:03:55 GMT

Hi @reaper ,

thank you for the advice.

This is my client setting, i use an "any" for the 1st profile and "windows + mac" for the 2nd and 3rd; for each profile i use a different ip pool and each profile has its own group that is actually populated with all the local users.

This screen is about the ACLs, at the moment i'm using the user groups to differentiate each ACL in other that users in "GROUP1" can access only their specific network and users in "GROUP2" can access other networks.

Now using this configuration it's working, but implementing ISE no, because i'm unable to pass the correct group.

The name of the local groups in ISE are different from the ones used on the Palo alto.

To test, I've created the following an "any any" profile on GP gateway, and with this configuration using the local user in ISE it's working BUT i'm unable to use the different ACL anymore; thus basically allowing any user (and so all the different external consultant companies) to reach the same networks.

Instead, what i want to achieve is to authenticate via ISE (using the local users configured on its local groups) and still continue to use the group a user belongs to to use the different ACLs to allow an external consultant to access only the networks he need to access to.
To answer your question: i'm not using USERID on this Firewall.

thank you for the advice you'll give me!