01-10-2025 03:25 AM
Hello,
At the moment I'm authenticating GP VPN users via the local database on the Palo Alto firewall; what I'd like to do is authenticate VPN users via Cisco ISE.
I've configured local users on ISE, and what I want is that when a user tries to log in, ISE checks whether the user is present in the local group and, if so, sends a RADIUS Access-Accept packet back to the Palo Alto firewall.
On the ISE side everything is working, but I'm receiving "Matching client config not found" in GlobalProtect:
This is the log from the GP monitor:
and this is the actual rule:
What I can't understand is how to get the correct client config, because this setting is configured on the Gateway tab but it refers only to GP local database users...
Did you face this issue? Do you know how to fix it?
Furthermore, how should the policy be configured? I can't use any filter on source IP/user because I don't know how to retrieve this data.
Thank you
Regards
01-15-2025 01:19 AM - edited 01-15-2025 01:22 AM
Which parameters did you set in the Agent tabs (both portal and gateway)? You can set restrictions (like group membership, OS, etc.).
If you set all client configs to require group membership and there is a mismatch between the user ID (while speaking to ISE) and the group mapping, you won't be able to fetch a client config.
If you add a 'catch-all' config (any/any/any) at the bottom of your agent config, you should be able to connect and continue troubleshooting from there.
01-15-2025 03:03 AM
Hi @reaper,
Thank you for the advice.
This is my client setting: I use "any" for the 1st profile and "Windows + Mac" for the 2nd and 3rd; for each profile I use a different IP pool, and each profile has its own group, which is currently populated with all the local users.
This screen is about the ACLs; at the moment I'm using the user groups to differentiate each ACL so that users in "GROUP1" can access only their specific network and users in "GROUP2" can access other networks.
With this configuration it's working, but when implementing ISE it isn't, because I'm unable to pass the correct group.
The names of the local groups in ISE are different from the ones used on the Palo Alto.
To test, I've created an "any any" profile on the GP gateway, and with this configuration, using the local user in ISE, it's working BUT I'm unable to use the different ACLs anymore; thus basically any user (and so all the different external consultant companies) can reach the same networks.
Instead, what I want to achieve is to authenticate via ISE (using the local users configured in its local groups) and still continue to use the group a user belongs to for the different ACLs, to allow an external consultant to access only the networks he needs to access.
To answer your question: I'm not using User-ID on this firewall.
Thank you for the advice you'll give me!
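Added example, not code from this thread or from Palo Alto Networks or Cisco: the two mechanisms discussed above, the first-match client-config selection with a catch-all at the bottom (reaper's reply) and the group the gateway needs in order to pick a per-group config and IP pool when the user comes from ISE rather than the local database (the second post). With RADIUS authentication, the group is carried in the Access-Accept as the vendor-specific attribute PaloAlto-User-Group (vendor ID 25461, vendor type 5 in the public Palo Alto RADIUS dictionary; treat both numbers as an assumption to verify against the dictionary loaded on your ISE). The script builds such an Access-Accept, checks its Response Authenticator, extracts the group names, and then walks a constructed client-config list the way the gateway evaluates it. The config names, pools and shared secret are constructed for the example; only the group names GROUP1 and GROUP2 come from the thread.

```python
import hashlib
import hmac
import struct

# RFC 2865 constants and the Palo Alto vendor dictionary values.
CODE_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
PALOALTO_VENDOR_ID = 25461   # Palo Alto Networks IANA enterprise number
PALOALTO_USER_GROUP = 5      # PaloAlto-User-Group (assumption: verify in your RADIUS dictionary)


def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode one Vendor-Specific attribute: 26 | len | vendor-id | vtype | vlen | value."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def access_accept(identifier: int, request_auth: bytes, secret: bytes, groups) -> bytes:
    """Build the Access-Accept ISE would send, one PaloAlto-User-Group VSA per group."""
    attrs = b"".join(vsa(PALOALTO_VENDOR_ID, PALOALTO_USER_GROUP, g.encode()) for g in groups)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the NAS (the firewall) checks before trusting any attribute in the reply."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_groups(packet: bytes):
    """Return the group names carried in PaloAlto-User-Group VSAs of an Access-Accept."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCESS_ACCEPT or length != len(packet):
        return []
    groups, pos = [], 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            break                                   # malformed length, stop parsing
        value = packet[pos + 2:pos + attr_len]
        if attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            if vendor == PALOALTO_VENDOR_ID:
                vpos = 4                            # walk the vendor sub-attributes
                while vpos + 2 <= len(value):
                    vtype, vlen = value[vpos], value[vpos + 1]
                    if vlen < 2:
                        break
                    if vtype == PALOALTO_USER_GROUP:
                        groups.append(value[vpos + 2:vpos + vlen].decode("utf-8", "replace"))
                    vpos += vlen
        pos += attr_len
    return groups


# Constructed client-config list, in the order a gateway evaluates it (top to bottom).
# None means "any". The catch-all at the bottom is reaper's any/any/any suggestion.
CLIENT_CONFIGS = [
    {"name": "consultants-group1", "groups": {"GROUP1"}, "os": {"Windows", "Mac"}, "pool": "10.10.1.0/24"},
    {"name": "consultants-group2", "groups": {"GROUP2"}, "os": {"Windows", "Mac"}, "pool": "10.10.2.0/24"},
    {"name": "catch-all",          "groups": None,       "os": None,               "pool": "10.10.9.0/24"},
]


def select_client_config(configs, user_groups, client_os):
    """First-match selection; None models the 'Matching client config not found' error."""
    wanted = set(user_groups)
    for cfg in configs:
        if cfg["groups"] is not None and not (cfg["groups"] & wanted):
            continue
        if cfg["os"] is not None and client_os not in cfg["os"]:
            continue
        return cfg["name"]
    return None


def demo(groups, client_os="Windows"):
    """End to end: ISE reply -> authenticator check -> group extraction -> config match."""
    request_auth = bytes(range(16))                 # constructed Request Authenticator
    secret = b"shared-secret"                       # constructed RADIUS shared secret
    reply = access_accept(0x2A, request_auth, secret, groups)
    if not verify_response(reply, request_auth, secret):
        return None
    return select_client_config(CLIENT_CONFIGS, parse_groups(reply), client_os)


if __name__ == "__main__":
    print("GROUP1 ->", demo(["GROUP1"]))
    print("GROUP2 ->", demo(["GROUP2"]))
    print("no VSA ->", demo([]))                    # lands on the catch-all
    print("no VSA, no catch-all ->", select_client_config(CLIENT_CONFIGS[:2], [], "Windows"))
```

The last line reproduces the symptom from the first post: with no group in the Access-Accept and every config requiring a group, nothing matches. The catch-all makes the tunnel come up so the rest can be debugged, but it also hands every authenticated user the same pool and policy, which is exactly the loss of per-consultant ACLs the second post describes; the fix that keeps the ACLs is to have ISE return the group name the gateway configs expect (the ISE group names differ from the firewall's, so the authorization profile has to map them), and to keep the catch-all only as a deny-everything landing pool, or remove it once the group attribute is seen in the GP logs.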