Am I really the only one with this problem? Or do I have to create a support case to get an answer?
Let's say UPN is 'first.last@domain.com' and sAMAccountName is 'flast' and domain is INTERNAL. The PaloAlto needs INTERNAL\flast to make user-based policies work, as described in the Tech Notes.
By using
(|(&(objectClass=user)(sAMAccountName=%{Authentication:Username}))(&(objectClass=user)(userPrincipalName=%{Authentication:Username})))
Our users can both authenticate using INTERNAL\flast (used mostly by Windows workstations) or first.last@domain.com, mostly used by BYOD, smartphones etc. When using their first.last@domain.com, we have to do some tricks to make INTERNAL\flast appear in PaloAlto. The first steps I have already described above: we can get the NetBIOS Name and sAMAccountName from the Authentication- and Authorization-sources.
Next step: in ClearPass we can modify the Radius:IETF:User-Name to send the correct INTERNAL\flast in the RADIUS Reply, and ClearPass can also modify the Endpoint:Username.
Last step is to send the correct contents of these fields through the PaloAlto-integration... But that's what fails.
When a client uses first.last@domain.com to authenticate,I can find my modified output for Endpoint:Username and Radius:IETF:User-Name in the RADIUS Response (In the Request Details in the Access Tracker)
the ClearPass-PaloAlto-integration sends domain\first.last, or only first.last, so it must use one of these fields:
Radius:IETF:User-Name (from the RADIUS Request)
Authentication:Full-Username (from Computed Attributes)
Authentication:Username (from Computed Attributes)
Is there any way to modify these Authentication:(Full-)Username fields, and are these the fields used by the ClearPass-PaloAlto-integration?
Otherwise I'll have to conclude the ClearPass + Palo Alto integration is useless in our scenario, because it has no option to control what is used as the Username-data.