We have ClearPass 6.4 and a PaloAlto firewall running their v6 OS. We set up the integration with PaloAlto which gives us a post-authentication trigger to use in policies so that the PaloAlto will receive user ID to IP address mappings. We have used this trigger for wireless client policies, and the PaloAlto receives mapping information for them successfully.
We also use ClearPass to perform 802.1X and MAB authentication for wired Cisco switches, so we have two services to handle these requests. We have the PaloAlto post-authentication trigger invoked for these, but it looks like ClearPass does not know or have the IP address of the client that is being authenticated by the Cisco switch. In the ClearPass postauthctrl.log, we see entries such as:
2015-01-06 10:36:20,049 DEBUG root pactrlmonitprofile Sending UID mapping to Palo Alto device
2015-01-06 10:36:20,049 WARNING root pactrlmonitprofile Not sending userid object for padevice=10.X.X.X as the data or auth_token is empty
However, there are a scant few entries where there is client data shown in XML and a "success" response coming back from the PaloAlto call, so it doesn't look like it is without info for each and every wired client:
2015-01-10 12:03:37,447 DEBUG root pactrlmonitprofile Sending UID mapping to Palo Alto device
2015-01-10 12:03:37,447 DEBUG root pactrlmonitprofile Sending userid object for padevice=10.20.70.195
2015-01-10 12:03:37,764 DEBUG root pactrlmonitprofile Read response={<response status="success"><result><uid-response>...
Anyone out there using ClearPass this way? If so, what does the device setup look like for your Cisco switches in ClearPass? Thanks!
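A small triage script for the postauthctrl.log entries quoted in the post, added here as an example and not part of the original post or of ClearPass: it tallies, per padevice, how many user ID mapping attempts were skipped and how many got a response, and lists the timestamps of the skipped ones so they can be matched against the wired 802.1X/MAB requests. It assumes the line layout shown above and that a response line belongs to the most recent send line; the function and variable names are hypothetical.

```python
import re
from collections import Counter

# Sample lines copied from the post above (the response line is truncated there as well).
SAMPLE_LOG = """\
2015-01-06 10:36:20,049 DEBUG root pactrlmonitprofile Sending UID mapping to Palo Alto device
2015-01-06 10:36:20,049 WARNING root pactrlmonitprofile Not sending userid object for padevice=10.X.X.X as the data or auth_token is empty
2015-01-10 12:03:37,447 DEBUG root pactrlmonitprofile Sending UID mapping to Palo Alto device
2015-01-10 12:03:37,447 DEBUG root pactrlmonitprofile Sending userid object for padevice=10.20.70.195
2015-01-10 12:03:37,764 DEBUG root pactrlmonitprofile Read response={<response status="success"><result><uid-response>...
"""

# Assumed layout: "<date> <time>,<ms> <LEVEL> <logger> <module> <message>"
LINE_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (\w+) \S+ \S+ (.*)$')
SKIP_RE = re.compile(r'^Not sending userid object for padevice=(\S+)')
SEND_RE = re.compile(r'^Sending userid object for padevice=(\S+)')
RESP_RE = re.compile(r'^Read response=.*?<response status="([^"]+)"')

def summarize(log_text):
    """Return (Counter keyed by (padevice, outcome), list of skipped attempts)."""
    outcomes = Counter()
    skipped = []
    pending = None  # padevice of a send that has not yet seen a response
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, _level, msg = m.groups()
        if (s := SKIP_RE.match(msg)):
            outcomes[(s.group(1), "skipped")] += 1
            skipped.append((ts, s.group(1)))
        elif (s := SEND_RE.match(msg)):
            if pending is not None:  # earlier send never got a response line
                outcomes[(pending, "no-response")] += 1
            pending = s.group(1)
        elif (s := RESP_RE.match(msg)) and pending is not None:
            outcomes[(pending, "response:" + s.group(1))] += 1
            pending = None
    if pending is not None:
        outcomes[(pending, "no-response")] += 1
    return outcomes, skipped

if __name__ == "__main__":
    outcomes, skipped = summarize(SAMPLE_LOG)
    for (device, result), n in sorted(outcomes.items()):
        print(f"{device:15} {result:20} {n}")
    for ts, device in skipped:
        print(f"no mapping sent at {ts} for padevice={device}")
```

On a busy server where log entries from concurrent requests interleave, the send/response pairing is only approximate; the skipped count does not depend on it.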