Was working with my local Aruba tech on this, but time to open one I think. I did have a case open with Palo Alto but no result. Also I didn't manage to get any information on how to verify the push is working from the PA end. It seems the Collect Logs is the only mechanism.
I have just upgraded Clearpass to 6.3.6 and we are now seeing some usernames in Panorama, but not all clients IPs have one. Would like to figure out why it doesn't occur for all users.
The second issue is the Panorama integration doesn't seem to work at all, so my workaround is to push to all firewall appliances instead (i.e. one enforcement profile with a rule for each appliance in the network).
The downside of this is we are pushing to firewalls that don't even know about a particular IP. Might this be causing push failures since 8 firewalls have to updated for every login event?
So I have just refined this a bit at the expense of complicating the Enforcement Policy. Now we check NAS IP address and only push to the relevant firewalls for that NAS's location. First indications are this hasn't made the push any more reliable.
Worth noting if I manually create and post the XML it works every time :)