Hi Everyone,
I am trying to integrate ClearPass with Palo Alto using xmlapi. All was going well, however I struck a problem.
In ClearPass I have two types of users that are authenticating: domain-joined machines (which authenticate using "compute authentication"), and I also have BYOD users that authenticate using user-based AD authentication.
So when a BYOD user authenticates with his AD credentials against ClearPass and this is passed through to Palo Alto, all is good. I have an xmlapi mapping of user and IP.
However, when a user authenticates against ClearPass as a domain machine, I now have an xmlapi mapping of IP and computer name, and considering my Palo Alto policies are user-based policies, the user can't get internet.
I do have UIA in play, which works well for domain machines, but I have the problem when both are in play: sometimes the xmlapi mapping from ClearPass overrides the UIA mapping.
Hope that makes sense
Kind Regards
Paul
My thought was to set an ignore list, as all computers that get authenticated via xmlapi appear as domain\computername$
show user ip-user-mapping all | match $
it returns 1026 results so using set vsys vsys1 user-id-collector ignore-user domain\*$ ?
however this brings all users back will ignore 1026
and that's where I am stuck.