Security

The IP is the interface that has USER-ID enabled for that Zone on the PANFW.

I'm not 100% sure of the endpoint URL in a multi-vsys environment. However you shouldn't have to modify the URL with the IP.

I tried default adding &vsys=vsys3, adding &cmd={cmd} and adding https://{server_ip} in front of the url to both the PAFW management interface and an interface in vsys 3 with no result. None of the documents I can find does specify what Ip address to use in the Endpoint Context configuration.

Is there an option to collect the raw XML Clearpass sents? The Access Tracker Outpu just shows the enforcement profile being sent.
What PAFW Ip address do I use in the Endpoint Context Server configuration in a multi vsys enfironment?

Could someone provide me a link to PAN api syntax documentation?

Clearpass 6.9.3, PAN 9.1.4.

txs, Erik

The IP is the interface that has USER-ID enabled for that Zone on the PANFW.

I'm not 100% sure of the endpoint URL in a multi-vsys environment. However you shouldn't have to modify the URL with the IP.

I tried default adding &vsys=vsys3, adding &cmd={cmd} and adding https://{server_ip} in front of the url to both the PAFW management interface and an interface in vsys 3 with no result. None of the documents I can find does specify what Ip address to use in the Endpoint Context configuration.

Is there an option to collect the raw XML Clearpass sents? The Access Tracker Outpu just shows the enforcement profile being sent.
What PAFW Ip address do I use in the Endpoint Context Server configuration in a multi vsys enfironment?

Could someone provide me a link to PAN api syntax documentation?

Clearpass 6.9.3, PAN 9.1.4.

txs, Erik

Is a "few weeks back" a guestimate? The doc you linked to is dated to June.

The announcement says the doc was updated in OCT. . were the doc dates not updated aswell ?

Just looking for clarification, Danny.

The IP is the interface that has USER-ID enabled for that Zone on the PANFW.

I'm not 100% sure of the endpoint URL in a multi-vsys environment. However you shouldn't have to modify the URL with the IP.

I tried default adding &vsys=vsys3, adding &cmd={cmd} and adding https://{server_ip} in front of the url to both the PAFW management interface and an interface in vsys 3 with no result. None of the documents I can find does specify what Ip address to use in the Endpoint Context configuration.

Is there an option to collect the raw XML Clearpass sents? The Access Tracker Outpu just shows the enforcement profile being sent.
What PAFW Ip address do I use in the Endpoint Context Server configuration in a multi vsys enfironment?

Could someone provide me a link to PAN api syntax documentation?

Clearpass 6.9.3, PAN 9.1.4.

txs, Erik

Is a "few weeks back" a guestimate? The doc you linked to is dated to June.

The announcement says the doc was updated in OCT. . were the doc dates not updated aswell ?

Just looking for clarification, Danny.

The IP is the interface that has USER-ID enabled for that Zone on the PANFW.

I'm not 100% sure of the endpoint URL in a multi-vsys environment. However you shouldn't have to modify the URL with the IP.

I tried default adding &vsys=vsys3, adding &cmd={cmd} and adding https://{server_ip} in front of the url to both the PAFW management interface and an interface in vsys 3 with no result. None of the documents I can find does specify what Ip address to use in the Endpoint Context configuration.

Is there an option to collect the raw XML Clearpass sents? The Access Tracker Outpu just shows the enforcement profile being sent.
What PAFW Ip address do I use in the Endpoint Context Server configuration in a multi vsys enfironment?

Could someone provide me a link to PAN api syntax documentation?

Clearpass 6.9.3, PAN 9.1.4.

txs, Erik

Is a "few weeks back" a guestimate? The doc you linked to is dated to June.

The announcement says the doc was updated in OCT. . were the doc dates not updated aswell ?

Just looking for clarification, Danny.

The IP is the interface that has USER-ID enabled for that Zone on the PANFW.

I'm not 100% sure of the endpoint URL in a multi-vsys environment. However you shouldn't have to modify the URL with the IP.

I tried default adding &vsys=vsys3, adding &cmd={cmd} and adding https://{server_ip} in front of the url to both the PAFW management interface and an interface in vsys 3 with no result. None of the documents I can find does specify what Ip address to use in the Endpoint Context configuration.

Is there an option to collect the raw XML Clearpass sents? The Access Tracker Outpu just shows the enforcement profile being sent.
What PAFW Ip address do I use in the Endpoint Context Server configuration in a multi vsys enfironment?

Could someone provide me a link to PAN api syntax documentation?

Clearpass 6.9.3, PAN 9.1.4.

txs, Erik

Is a "few weeks back" a guestimate? The doc you linked to is dated to June.

The announcement says the doc was updated in OCT. . were the doc dates not updated aswell ?

Just looking for clarification, Danny.

The IP is the interface that has USER-ID enabled for that Zone on the PANFW.

I'm not 100% sure of the endpoint URL in a multi-vsys environment. However you shouldn't have to modify the URL with the IP.

I tried default adding &vsys=vsys3, adding &cmd={cmd} and adding https://{server_ip} in front of the url to both the PAFW management interface and an interface in vsys 3 with no result. None of the documents I can find does specify what Ip address to use in the Endpoint Context configuration.

Is there an option to collect the raw XML Clearpass sents? The Access Tracker Outpu just shows the enforcement profile being sent.
What PAFW Ip address do I use in the Endpoint Context Server configuration in a multi vsys enfironment?

Could someone provide me a link to PAN api syntax documentation?

Clearpass 6.9.3, PAN 9.1.4.

txs, Erik

Correction; partly fixed. 

If you use Per User Tunneled Node, the WLC does not add the Framed-IP-Address in radius-accounting. For a wireless client it does. Aruba WLC does not support DHCP Snooping

I tried enabling Use IP address for calling station ID but this didn't resolve the issue. What other configuration options in the WLC do I have?

thanks,

Erik

Is a "few weeks back" a guestimate? The doc you linked to is dated to June.

The announcement says the doc was updated in OCT. . were the doc dates not updated aswell ?

Just looking for clarification, Danny.

The IP is the interface that has USER-ID enabled for that Zone on the PANFW.

I'm not 100% sure of the endpoint URL in a multi-vsys environment. However you shouldn't have to modify the URL with the IP.

I tried default adding &vsys=vsys3, adding &cmd={cmd} and adding https://{server_ip} in front of the url to both the PAFW management interface and an interface in vsys 3 with no result. None of the documents I can find does specify what Ip address to use in the Endpoint Context configuration.

Is there an option to collect the raw XML Clearpass sents? The Access Tracker Outpu just shows the enforcement profile being sent.
What PAFW Ip address do I use in the Endpoint Context Server configuration in a multi vsys enfironment?

Could someone provide me a link to PAN api syntax documentation?

Clearpass 6.9.3, PAN 9.1.4.

txs, Erik

Update on above. Kudos to Dik van Oeveren en Herman Robers for their input.

IP Client Tracker on the ArubaOS switch will add the IP address to RADIUS Acccounting for UBT. Unfortunately that caused a lot of issues with traffic to the tunneled client. Time constraints did not allow me to troubleshoot why . Observations let met to believe that TCP traffic was not arriving to the client. 

One example of the issue: I can ping a tunneled printer, I can print to a tunneled printer (page was printed) but I cannot open the internal webpage of the printer.  Lots of simular issues and the zero trust setup using Palo Alto for intervlan traffic, made us drop dynamic segmentation for this project since it did not add taht much in security. UBT use was more a convenience.

rgds,

Correction; partly fixed. 

If you use Per User Tunneled Node, the WLC does not add the Framed-IP-Address in radius-accounting. For a wireless client it does. Aruba WLC does not support DHCP Snooping

I tried enabling Use IP address for calling station ID but this didn't resolve the issue. What other configuration options in the WLC do I have?

thanks,

Erik

Is a "few weeks back" a guestimate? The doc you linked to is dated to June.

The announcement says the doc was updated in OCT. . were the doc dates not updated aswell ?

Just looking for clarification, Danny.

The IP is the interface that has USER-ID enabled for that Zone on the PANFW.

I'm not 100% sure of the endpoint URL in a multi-vsys environment. However you shouldn't have to modify the URL with the IP.

I tried default adding &vsys=vsys3, adding &cmd={cmd} and adding https://{server_ip} in front of the url to both the PAFW management interface and an interface in vsys 3 with no result. None of the documents I can find does specify what Ip address to use in the Endpoint Context configuration.

Is there an option to collect the raw XML Clearpass sents? The Access Tracker Outpu just shows the enforcement profile being sent.
What PAFW Ip address do I use in the Endpoint Context Server configuration in a multi vsys enfironment?

Could someone provide me a link to PAN api syntax documentation?

Clearpass 6.9.3, PAN 9.1.4.

txs, Erik