Hi mmartin
That worked (the last step was to change "Logging Levels" > "User Logs" to "notifications"; "warnings" only sends failed login logs).
I also managed to get our Instant APs working perfectly in the same manner, but my PAN User-ID Agent needed different syntaxes, as in the attached pic.
Also, I eventually managed to get the Palo Alto and Aruba native integration working. I also spent hours with Aruba TAC on line, with no outcome.
For someone out there this might help, but to tell you the truth, the syslog setup is EASY and you can specify the default domain in the PAN UID Agent, but on the native integration, if you don't specify your domain when authenticating to the Wi-Fi, Palo Alto won't map you to a security group.
Follow this guide; I have some of the steps listed below as well: http://www.arubanetworks.com/pdf/partners/SG_PaloAltoNetworks.pdf
- Create Admin account on your Palo Alto
- Allow https (and user-id) on your Management Interface if that's what you are going to use.
- Create a DNS record to point to your Palo Alto IP address, e.g. pan.yourdomain.com
- Now the trouble starts with the certificates. You should have a CA-signed certificate.
- On your Palo Alto go to "Device" > "Setup" > "Management" > "General Settings" and create an SSL/TLS Service Profile with your CA cert.
- Now you should be able to access your Palo Alto via the DNS name on https://pan.yourdomain.com without getting a certificate error. This is KEY! If you get a cert error, don't go any further; try and get this to work first. See the attached PAN Certs picture for what our certs look like.
- If your cert is signed by a default trusted CA like ours "GlobalSign_Root_CA". < This needs to be uploaded to your local controllers.
- On your Palo Alto go to "Device" > "Certificates" > "Default Trusted Certificate Authorities" and export the certificate, e.g. in our case the "GlobalSign_Root_CA".
- This certificate you import into the Aruba controller (this is why most people get the (Fatal, unknown CA) in a Wireshark capture)! I also uploaded my company's cert, the one attached in the pic, to the Aruba controller, just in case.
- All you need now is to activate the PAN integration tick boxes and server setup as per the guide and your PAN state will now be up.
Like I said, syslog is easier and WAY faster to manage/setup.
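
The certificate steps in the post above come down to one trust check, shown here as an added example that is not part of the original post: a server certificate only validates when the client holds the issuing root CA and the name it connects to matches the certificate. Every key, certificate and CA name is constructed for the demo and generated locally with openssl (assumed to be installed with its default configuration); only the hostname pan.yourdomain.com is taken from the post.

```shell
#!/bin/sh
# Added example: every key, certificate and CA name here is constructed.

# chain_ok CA_FILE CERT_FILE HOSTNAME
# Succeeds only if CERT_FILE chains to CA_FILE and is valid for HOSTNAME,
# the same two checks a TLS client makes before trusting the server.
chain_ok() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# make_root DIR NAME: create a throwaway self-signed root CA.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Constructed $2 Root CA" \
    -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# make_leaf DIR CA_NAME HOSTNAME: issue a server certificate for HOSTNAME.
make_leaf() {
  printf 'subjectAltName=DNS:%s\n' "$3" > "$1/san.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" >/dev/null 2>&1 &&
  openssl x509 -req -in "$1/leaf.csr" -days 30 -extfile "$1/san.ext" \
    -CA "$1/$2.pem" -CAkey "$1/$2.key" -CAcreateserial \
    -out "$1/leaf.pem" >/dev/null 2>&1
}

# result CA_FILE CERT_FILE HOSTNAME: print "ok" or "fail" for one check.
result() {
  if chain_ok "$@"; then printf ok; else printf fail; fi
}

# demo: prints three results separated by spaces:
#   1. issuing root imported, correct DNS name
#   2. issuing root NOT imported (the "unknown CA" situation)
#   3. issuing root imported, but a name the certificate does not cover
demo() {
  d=$(mktemp -d) || return 1
  make_root "$d" issuer && make_root "$d" other &&
    make_leaf "$d" issuer pan.yourdomain.com || { rm -rf "$d"; return 1; }
  out="$(result "$d/issuer.pem" "$d/leaf.pem" pan.yourdomain.com)"
  out="$out $(result "$d/other.pem" "$d/leaf.pem" pan.yourdomain.com)"
  out="$out $(result "$d/issuer.pem" "$d/leaf.pem" fw.yourdomain.com)"
  rm -rf "$d"
  echo "$out"
}

demo
```

Against a real deployment the same check is `chain_ok` pointed at the root CA file exported from the firewall and the certificate it actually serves.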