Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Panorama Integration - authentication error

  • 1.  Clearpass Panorama Integration - authentication error

    Posted Oct 21, 2014 08:51 PM
    Hi,

    I've been following the technote but not seeing users appear in Panorama.

    The Clearpass log shows it is trying but is getting a permissions error from PA:

    2014-10-21 15:26:46,544 DEBUG  root             pactrlmonitprofile Read response={<response status = 'error' code = '403'><result><msg>User not authorized to perform this operation.</msg></result></response>

    But our user has the right permissions - User-ID agent under XML API.

    Unfortunately none of the troubleshooting commands in the technote seem to work on Panorama. Can anyone suggest how to troubleshoot this further?

    regards,

    B



  • 2.  RE: Clearpass Panorama Integration - authentication error
    Best Answer

    Posted Oct 21, 2014 10:14 PM

    What version of PANOS? There was a specific fix for this very issue, but it was back in version 5.0.5:

    49114 Customer was unable to add User-IP Mapping to a firewall using the API and the following error message was displayed: "User not authorized to perform this operation". This problem occurred with an admin account created with the "User-ID Agent" privilege only. The issue has been resolved with this release.

    Also, did you input all the PAN endpoint serial numbers in the Palo Alto Networks Panorama Endpoint Context Server configuration?



  • 3.  RE: Clearpass Panorama Integration - authentication error

    Posted Oct 21, 2014 10:20 PM

    Hi,

    Software is 6.0.5. We have entered all the serial numbers and the Panorama one too just in case.

    Current perms attached, the user has most perms under web as well.

    The user is under the Panorama Admins not Device Admins, would that make a difference?



  • 4.  RE: Clearpass Panorama Integration - authentication error

    Posted Oct 23, 2014 06:08 PM

    Anyone have experience with this?



  • 5.  RE: Clearpass Panorama Integration - authentication error

    Posted Jan 22, 2015 03:38 AM

    Issue still unresolved...

    No usernames appearing and no logs/errors in either PA or CP.

    Enforcement profiles show it is working.



  • 6.  RE: Clearpass Panorama Integration - authentication error

    Posted Jan 26, 2015 11:19 PM

    Let me do some mocking and I'll get back to you.



  • 7.  RE: Clearpass Panorama Integration - authentication error

    Posted Jan 28, 2015 04:07 PM

    Have you opened a TAC ticket?



  • 8.  RE: Clearpass Panorama Integration - authentication error

    Posted Jan 28, 2015 08:23 PM

    Was working with my local Aruba tech on this, but time to open one I think. I did have a case open with Palo Alto but no result. Also I didn't manage to get any information on how to verify the push is working from the PA end. It seems the Collect Logs is the only mechanism.

    I have just upgraded Clearpass to 6.3.6 and we are now seeing some usernames in Panorama, but not all client IPs have one. Would like to figure out why it doesn't occur for all users.

    The second issue is the Panorama integration doesn't seem to work at all, so my workaround is to push to all firewall appliances instead (i.e. one enforcement profile with a rule for each appliance in the network).

    The downside of this is we are pushing to firewalls that don't even know about a particular IP. Might this be causing push failures since 8 firewalls have to be updated for every login event?

    So I have just refined this a bit at the expense of complicating the Enforcement Policy. Now we check NAS IP address and only push to the relevant firewalls for that NAS's location. First indications are this hasn't made the push any more reliable.

    Worth noting if I manually create and post the XML it works every time :)

     

     



  • 9.  RE: Clearpass Panorama Integration - authentication error

    Posted Feb 28, 2015 01:59 AM

    Was curious if you had any resolution on this issue. We just received a PA5060 to demo, and I'm seeing the same error you are despite following the technotes/having their professional services guy walk us through the integration.

    2015-02-28 01:09:06,077 INFO root pactrlmonitprofile PA_Panorama_Username_Transform=none
    2015-02-28 01:09:06,077 DEBUG root pactrlmonitprofile Sending UID mapping to Palo Alto device
    2015-02-28 01:09:06,078 WARNING root pactrlmonitprofile Not sending userid object for padevice=172.29.40.252 as the data or auth_token is empty
    2015-02-28 01:09:06,078 DEBUG root pactrlmonitprofile Sending userid object for padevice=172.29.40.252
    2015-02-28 01:09:06,246 DEBUG root pactrlmonitprofile Read response={<response status = 'error' code = '403'><result><msg>User not authorized to perform this operation.</msg></result></response>} from padevice

    Our ClearPass install is on 6.4.4 and the PAN-OS is 6.1.2 so neither are particularly old. I'll be opening a TAC ticket of my own shortly but figured it wouldn't hurt to ask if you had found a solution for this yet. :)



  • 10.  RE: Clearpass Panorama Integration - authentication error

    Posted Oct 21, 2015 04:12 AM

    For information, I have the same error with a customer and the problem comes from password complexity on PAN...

    There is a tech note on the Palo Alto web site (need an account or use Google Cache...)

    http://webcache.googleusercontent.com/search?q=cache:UgTTp3XX5csJ:https://live.paloaltonetworks.com/t5/tkb/articleprintpage/tkb-id/TechnologiesSDKsArticles/article-id/382+&cd=3&hl=fr&ct=clnk&gl=fr