Security

Hi.

After experiencing some trouble with the PAN-integration on our Mobility Controllers, we are considering reverting to pushing UserID from Clearpass to Palo Alto.

During testing we noticed that in the Palo Alto - UserID-log, a lot of users gets username DOMAIN\domain\username.

Even though in the Access Tracker, all of these have Radius:IETF:User-Name | DOMAIN\username, about 50% ends up at the Palo Alto with a "User provided by source: DOMAIN\domain\username".

I just can't figure out why. Any ideas?

May be easiest to have a look at this with TAC. As a start you may look at the postauthcrtl.log (from the Async Network services logs), as you can see there what ClearPass sends out. If you see the duplication there already, it's something in ClearPass to further explore, otherwise focus on the Palo Alto side.

Hi.

After experiencing some trouble with the PAN-integration on our Mobility Controllers, we are considering reverting to pushing UserID from Clearpass to Palo Alto.

During testing we noticed that in the Palo Alto - UserID-log, a lot of users gets username DOMAIN\domain\username.

Even though in the Access Tracker, all of these have Radius:IETF:User-Name | DOMAIN\username, about 50% ends up at the Palo Alto with a "User provided by source: DOMAIN\domain\username".

I just can't figure out why. Any ideas?

May be easiest to have a look at this with TAC. As a start you may look at the postauthcrtl.log (from the Async Network services logs), as you can see there what ClearPass sends out. If you see the duplication there already, it's something in ClearPass to further explore, otherwise focus on the Palo Alto side.

Hi.

After experiencing some trouble with the PAN-integration on our Mobility Controllers, we are considering reverting to pushing UserID from Clearpass to Palo Alto.

During testing we noticed that in the Palo Alto - UserID-log, a lot of users gets username DOMAIN\domain\username.

Even though in the Access Tracker, all of these have Radius:IETF:User-Name | DOMAIN\username, about 50% ends up at the Palo Alto with a "User provided by source: DOMAIN\domain\username".

I just can't figure out why. Any ideas?

Hi.

After experiencing some trouble with the PAN-integration on our Mobility Controllers, we are considering reverting to pushing UserID from Clearpass to Palo Alto.

During testing we noticed that in the Palo Alto - UserID-log, a lot of users gets username DOMAIN\domain\username.

Even though in the Access Tracker, all of these have Radius:IETF:User-Name | DOMAIN\username, about 50% ends up at the Palo Alto with a "User provided by source: DOMAIN\domain\username".

I just can't figure out why. Any ideas?

Ok, so part of the problem was a config-error. I forgot that the User Transformation on the Endpoint Context server was set to "Prefix NetBIOS name". So that's why I've got the leading DOMAIN\ prefix. Makes sense.Setting this to None or Use Full Username eliminated the duplicate DOMAIN\domain\

So I guess my real problem is: why does ClearPass sometimes send "domain\username" sometimes just "username"? This even happens with the same user on the same device. 

Hi.

After experiencing some trouble with the PAN-integration on our Mobility Controllers, we are considering reverting to pushing UserID from Clearpass to Palo Alto.

During testing we noticed that in the Palo Alto - UserID-log, a lot of users gets username DOMAIN\domain\username.

Even though in the Access Tracker, all of these have Radius:IETF:User-Name | DOMAIN\username, about 50% ends up at the Palo Alto with a "User provided by source: DOMAIN\domain\username".

I just can't figure out why. Any ideas?