On the Palo Alto firewall, each vsys has its own ip-user-mapping table on a device configured with vsys enabled. The XML API xpath being used by ClearPass does not account for this, so the integration fails to produce the desired result.
What is needed to make this work is an alteration of the xpath so that it has /vsys/entry@name='vsysN', where 'N' is the vsys number. This is documented in the PA XML API guide. I can't see a way to hack it in by altering the default string used by ClearPass, since the xpath is encapsulated by "cmd={cmd}".
Example of why we need this: the PA firewall was originally inserted into the network in Virtual Wire mode. Transition to a new infrastructure is being accomplished with a second (Layer-3) vsys. Eventually the vwire goes away, but in the meantime, both want User-ID mappings from CPM. Right now, neither gets it.
Is there a way to get this vsys info into the command? If not, does Aruba have any plan to provide this functionality?