ClearPass normally does not do anything with the username, but takes it directly from the authenticating device. Does the same device authenticate on multiple services? For example when OnGuard is running? Or a combination of Web Auth and 802.1X or OnGuard?
From this point you should also see the same username or domain\username in Access Tracker... from there you may be able to find the source and differences when ClearPass receives the one or the other form.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Dec 08, 2023 04:39 AM
From: Palves
Subject: Clearpass - Palo Alto - Username with domain-name twice
Ok, so part of the problem was a config-error. I forgot that the User Transformation on the Endpoint Context server was set to "Prefix NetBIOS name". So that's why I've got the leading DOMAIN\ prefix. Makes sense.Setting this to None or Use Full Username eliminated the duplicate DOMAIN\domain\

So I guess my real problem is: why does ClearPass sometimes send "domain\username" sometimes just "username"? This even happens with the same user on the same device.

Original Message:
Sent: Dec 07, 2023 07:17 AM
From: Palves
Subject: Clearpass - Palo Alto - Username with domain-name twice
Hi.
After experiencing some trouble with the PAN-integration on our Mobility Controllers, we are considering reverting to pushing UserID from Clearpass to Palo Alto.
During testing we noticed that in the Palo Alto - UserID-log, a lot of users gets username DOMAIN\domain\username.
Even though in the Access Tracker, all of these have Radius:IETF:User-Name | DOMAIN\username, about 50% ends up at the Palo Alto with a "User provided by source: DOMAIN\domain\username".
I just can't figure out why. Any ideas?