04-11-2017 05:24 PM
Following this document...
...I configured my enforcement profile as described on page 19. Am I to understand that when configured exactly as described, CPPM will inform PAN/Panorama of the username, regardless of the type of CPPM service (e.g. 802.1X, Guest MAC caching or Guest captive portal)? It seems to me that unless we explicitly call some variable from the authentication request such as Radius:IETF:User-Name or Endpoint:Username (assuming this attribute exists), it's not very clear what info gets sent to PAN.
I see in an older document (https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=14554) that we actually call "Session-Check" referencing the above variable, but this is not consistent in the newer document. It doesn't seem to me that ClearPass can just make an educated guess; it needs to be told which attribute to send to PAN for the username.
To summarize in case it's not clear, I'm trying to make sure I'm getting my enforcement profiles set up correctly to send the appropriate username in all cases.
We are on 6.6.5.