Unable to connect via GlobalProtect and ISE - "Matching client config not found"

Hello,

At the moment I'm authenticating VPN GP users via the local database on the Palo Alto firewall; what I'd like to do is try to authenticate VPN users via Cisco ISE.

I've configured local users on ISE, and what I want is that when a user tries to log in, ISE checks if the user is present in the local group and, if present, sends a RADIUS Accept packet back to the Palo Alto firewall.

On the ISE side everything is working, but I'm receiving "Matching client config not found" in GlobalProtect:

[screenshot]

This is the log from GP monitor:

[screenshot]

And this is the actual rule:

[screenshot]

What I can't understand is how to get the correct client config, because this setting is configured on the gateway tab but it refers only to GP local database users...

Did you face this issue? Do you know how to fix it?

Furthermore, how should the policy be configured? I can't use any filter on source IP/user because I don't know how to retrieve this data.

Thank you

Regards

Cyber Elite

Which parameters did you set in the AGENT tabs (both portal and gateway)? You can set restrictions (like group membership and OS, etc.).

[screenshot]

If you set all client configs to require group membership and there is a mismatch between the User-ID (while speaking to ISE) and the group mapping, you won't be able to fetch a client config.

If you add a 'catchall' config (any/any/any) at the bottom of your agent config, you should be able to connect and continue troubleshooting from there.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi @reaper ,

Thank you for the advice.

This is my client setting: I use "any" for the 1st profile and "Windows + Mac" for the 2nd and 3rd; for each profile I use a different IP pool, and each profile has its own group that is actually populated with all the local users.

[screenshot]

This screen is about the ACLs; at the moment I'm using the user groups to differentiate each ACL so that users in "GROUP1" can access only their specific network and users in "GROUP2" can access other networks.

[screenshot]

Now, with this configuration it's working, but with ISE it isn't, because I'm unable to pass the correct group.

The names of the local groups in ISE are different from the ones used on the Palo Alto.

To test, I've created the following "any any" profile on the GP gateway, and with this configuration, using the local user in ISE, it's working, BUT I'm unable to use the different ACLs anymore, thus basically allowing any user (and so all the different external consultant companies) to reach the same networks.

[screenshot]

Instead, what I want to achieve is to authenticate via ISE (using the local users configured in its local groups) and still continue to use the group a user belongs to, with the different ACLs, to allow an external consultant to access only the networks he needs to access.
To answer your question: I'm not using User-ID on this firewall.

Thank you for the advice you'll give me!
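The matching behaviour reaper describes, and the side effect of the catch-all that the follow-up post raises, modelled as an added Python example (not PAN-OS code and not from this thread): agent configs are evaluated top down, and the first entry whose user/group and OS criteria the session satisfies wins. Group names, pool names and the user are constructed, and how the firewall learns a user's group (local database versus a RADIUS server without User-ID group mapping) is an assumption stated in the comments.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class ClientConfig:
    """One entry in the GlobalProtect agent config list (portal or gateway)."""
    name: str
    users_or_groups: Set[str]   # {"any"} matches every user
    os_list: Set[str]           # {"any"} matches every OS
    ip_pool: str


@dataclass
class Session:
    """What the firewall knows about the connecting user after authentication."""
    user: str
    groups: Set[str]            # groups the firewall can attribute to the user
    os: str


def match_client_config(configs: List[ClientConfig], s: Session) -> Optional[ClientConfig]:
    """First-match evaluation, top to bottom; None models 'Matching client config not found'."""
    for cfg in configs:
        user_ok = ("any" in cfg.users_or_groups
                   or s.user in cfg.users_or_groups
                   or bool(cfg.users_or_groups & s.groups))
        os_ok = "any" in cfg.os_list or s.os in cfg.os_list
        if user_ok and os_ok:
            return cfg
    return None


# Constructed gateway agent config: every entry requires group membership.
GROUP_RESTRICTED = [
    ClientConfig("GROUP1-consultants", {"GROUP1"}, {"Windows", "Mac"}, "pool-group1"),
    ClientConfig("GROUP2-consultants", {"GROUP2"}, {"Windows", "Mac"}, "pool-group2"),
]
# The 'catchall' (any/any/any) entry suggested in the thread, placed last.
CATCHALL = ClientConfig("catchall", {"any"}, {"any"}, "pool-any")


def local_db_session() -> Session:
    # Assumption: with local-database auth the firewall itself knows the user's group.
    return Session("alice", {"GROUP1"}, "Windows")


def ise_session() -> Session:
    # Assumption: a RADIUS Access-Accept from ISE with no group mapping attributes no group.
    return Session("alice", set(), "Windows")
```

With only the group-restricted entries the ISE session matches nothing, which is the error in the original post; with the catch-all appended it matches, but every such user lands in the same pool, which is exactly the lost per-group ACL differentiation described in the follow-up.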
