I'm trying to get dynamic tags working with our Palo Alto firewall. I've read through the technote written by Danny Jump. Everything on my end looks correct. I am trying to use the endpoint profiler within Clearpass to identify Apple Ipad / Iphone devices so that I can use them in a security or decryption policy. However, it's not working. From the CLI on the PA firewall, I see the registered IP, along with the tag. I also see a list of dynamic tags that the PA sees from clearpass. If I create a dynamic group using the dynamic tag, it doesn't work. The security policy doesn't have any affect. I opened up a ticket with PA support, and they said what I'm trying to do is "impossible", but I could request a feature request. Anyone else able to get this working? We are currently on 6.6.3, but are in the process of upgrading to 6.6.4 to see if we can accomplish the same thing with Clearpass roles.