Aruba clearpass user id issue with Palo Alto

Jatin.Singh — Wed, 15 Jul 2020 22:22:11 GMT

We have ClearPass integrated to Palo Alto. ClearPass sends user-id to the firewall upon successful authentication. Customer is experiencing an issue where the laptop (on wireless) would fail to access Internet at re-authentication.

There is another client device that is login with the same user-id. I think the question here is with user-identity, does PA allows a one-to-many (one user-id to multiple IP) relationships???

Also we see the ClearPass re-authenticating the user and it is successful. However, we do not see the corresponding timestamp re-authentication appearing on the PA. The timeout wasn’t reset back to 9 hrs (as configured in the global setting). Is that normal?

In the screen capture seen below for today, I had restarted the wireless at 9.16am. But there was no user-id mapping for the IP address. You can see there is a close correlation on the PA at 9.17am. I did a second restart of the wireless on the client at 9.24am. There was a user-id mapping and it was able to access Internet. The timestamp on PA was at 9.24am. However, at 10.01am, it appears there is another successful mapping of the user-id to IP on the PA but there wasn’t any re-authentication on the ClearPass.

Re: Aruba clearpass user id issue with Palo Alto

BPry — Tue, 14 Jul 2020 03:17:17 GMT

@Jatin.Singh,

Yes, one user-id can be allocated to multiple IPs. It's looks like you're feeding the authentication through the API?

topic Re: Aruba clearpass user id issue with Palo Alto in General Topics

Aruba clearpass user id issue with Palo Alto

Re: Aruba clearpass user id issue with Palo Alto