
Palo Alto Management Login ExtremeControl Missing Attribute Issue

Anonymous
Not applicable

Hi,

Currently in the process of configuring Palo Alto to authenticate with ExtremeControl via RADIUS authentication.

Have everything in place, have configured the respective custom attributes to send to Palo Alto once authentication has passed.

At this time ExtremeControl is continually returning a reject due to Missing Attributes!?

Everything else in the configuration seems to be working as it should, except for this last issue.

Here is a snapshot of the logs showing the issue:

Got ES authorization result: Rule: "Palo Alto Management Login" with profile: Administrator NAC Profile Switch: 172.20.255.111 requires the port (ReqStdAttrs: true, ForIpRes: false, ForReauth: true, DoesPostAuthDisc: false) rejecting request because: RADIUS client not standards-compliant. Missing attributes: End-System MAC Address, NAS Port

The issue seems to be the missing End-System MAC address and / or NAS Port?

From what I can tell there doesn't seem to be any means within Palo Alto to add these VSAs to pass back to ExtremeControl?

Have looked into this GTAC entry that mentions requiring the Calling-Station-ID:

https://extremeportal.force.com/ExtrArticleDetail?an=000061640

The only VSAs that I can find which are configurable on the Palo Alto to send are as follows, but seem client related only:

https://docs.paloaltonetworks.com/globalprotect/7-1/globalprotect-admin/set-up-the-globalprotect-inf...

set authentication radius-vsa-on client-source-ip
set authentication radius-vsa-on client-os
set authentication radius-vsa-on client-hostname
set authentication radius-vsa-on user-domain
set authentication radius-vsa-on client-gp-version

This is what I've configured in ExtremeControl to return to Palo Alto on a successful access accept, so my hope is once past this last hurdle all should work:

https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/authentication/radius-vendor-specific-attr...

XMC / Control = 8.2.4.54
Palo Alto = 8.1.5

Thanks in advance

2 REPLIES 2

Anonymous
Not applicable
Hi Ryan,

Ok, shame, least I know where I stand on it.

If you have any idea when you think the function would be available, that would be great.

If there is anything I could add to include in the improvement, it would be some kind of visibility, either in a new window or the end-system window, showing management authenticated devices - not being available at the moment makes diagnosing issues more difficult / time consuming.

Many thanks for responding, always glad I can count on the forum to get an answer.

Ryan_Yacobucci
Extreme Employee
Hello Martin,

Engineering is currently working on a way to improve how the NAC handles management authentication requests.

We are unable to process the request as it does not follow standardized practices regarding AVPs. The result is that the NAC cannot identify that this is a management authentication request and not an end system authentication.

We keep track of authentications for end systems inside end system records; management authentications do not have an end system, so they need to be handled differently, and in this case the NAC is unable to determine if this is a management request or an end system that is being authenticated.

Thanks
-Ryan
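
To confirm which attributes a RADIUS client actually sends before chasing the NAC rule, the Access-Request can be captured and its attribute list checked. The following is an added example, not code from the thread or from either vendor: the function names are hypothetical, the sample packets are constructed, and it assumes the "End-System MAC Address" and "NAS Port" named in the reject message correspond to the RFC 2865 attributes Calling-Station-Id (type 31) and NAS-Port (type 5).

```python
import struct

# Assumption: the two attributes named in the reject message map to these
# RFC 2865 attribute types.
REQUIRED = {5: "NAS-Port", 31: "Calling-Station-Id"}

def parse_attributes(packet: bytes) -> list[tuple[int, bytes]]:
    """Return (type, value) pairs from a raw RADIUS packet (RFC 2865 layout)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the packet")
    attrs, pos = [], 20  # attributes start after the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length at offset {pos}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def missing_required(packet: bytes) -> list[str]:
    """Names of the required attributes that the request does not carry."""
    present = {t for t, _ in parse_attributes(packet)}
    return [name for t, name in REQUIRED.items() if t not in present]

def build_request(attrs) -> bytes:
    """Build a constructed Access-Request (code 1) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples (not captures). NAS-IP-Address reuses the switch IP
# shown in the log line above; every other value is made up.
NAS_IP = bytes([172, 20, 255, 111])
MGMT_LOGIN = build_request([(1, b"admin"), (2, bytes(16)), (4, NAS_IP)])
END_SYSTEM = build_request([(1, b"host1"), (2, bytes(16)), (4, NAS_IP),
                            (5, struct.pack("!I", 7)),
                            (31, b"00-11-22-33-44-55")])

if __name__ == "__main__":
    print("management login is missing:", missing_required(MGMT_LOGIN))
    print("end-system auth is missing:", missing_required(END_SYSTEM))
```

To use it on real traffic, feed `missing_required` the UDP payload of the Access-Request exported from a packet capture taken on the NAC side.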