Header Only - DO NOT REMOVE - Extreme Networks
Question

Palo Alto Management Login ExtremeControl Missing Attribute Issue

  • 9 July 2019
  • 2 replies
  • 347 views

Userlevel 5
Hi,

Currently in the process of configuring Palo Alto to authenticate with ExtremeControl via RADIUS authentication.

Have everything in place, have configured the respective custom attributes to send Palo Alto once authentication has passed.

At this time ExtremeControl is continually returning a reject due to Missing Attributes!?

Everything else configuration seems to be working as it should, by this last issue.

Here is a snapshot of the logs showing the issue:

code:
Got ES authorization result: Rule: "Palo Alto Management Login" with profile: Administrator NAC Profile
Switch: 172.20.255.111 requires the port (ReqStdAttrs: true, ForIpRes: false, ForReauth: true, DoesPostAuthDisc: false)
rejecting request because: RADIUS client not standards-compliant. Missing attributes: End-System MAC Address, NAS Port


The issue seems to be the missing End-System MAC address and / or NAS Port?

From what I can tell there doesn't seem to be any means within Palo Alto to add these VSA's to pass back to ExtremeControl?

Have looked into this GTAC entry that mentions requiring the Calling-Station-ID:

https://gtacknowledge.extremenetworks.com/articles/Solution/NAC-Rejecting-RADIUS-request-is-reason-RADIUS-client-not-standards-compliant-Missing-attributes-End-System-MAC-Address

The only VSA's that I can find with are configurable on the Palo Alto to send are as follows, but seem client related only:

https://docs.paloaltonetworks.com/globalprotect/7-1/globalprotect-admin/set-up-the-globalprotect-infrastructure/enable-delivery-of-globalprotect-client-vsas-to-a-radius-server.html

code:
set authentication radius-vsa-on client-source-ip
set authentication radius-vsa-on client-os
set authentication radius-vsa-on client-hostname
set authentication radius-vsa-on user-domain
set authentication radius-vsa-on client-gp-version


This is what I've configured in ExtremeControl to return to Palo Alto on a successful access accept, so my hope is once past this last hurdle all should work:

https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/authentication/radius-vendor-specific-attributes-support.html#

XMC / Control = 8.2.4.54
Palo Alto = 8.1.5

Thanks in advance

2 replies

Userlevel 6
Hello Martin,

Engineering is currently working on a way to improve how the NAC handles management authentications requests.

We are unable to process the request as it does not following standardized practices regarding AVPs. The result is that the NAC cannot identify that this is a management authentication request and not an end system authentication.

We keep tracking of authentications for end systems inside an end system records, management authentications do not have an end system so they need to be handled differently and in this case the NAC is unable to determine if this is a management request or end system that is being authenticated.

Thanks
-Ryan
Userlevel 5
Hi Ryan,

Ok, shame, least I know where I stand on it.

If you have any idea when you think the function would be available, that would be great.

If there is anything I could add to include in the improvement would be some kind of visibility, either in a new window or the end-system window, showing management authenticated devices - not being available at the moment makes diagnosing issues more difficult / time consuming.

Many thanks for responding, always glad I can count on the forum to get an answer.

Reply