Security

Current Setup:

2 x ClearPass Policy Manager 6.12.4.305024 on C3000V platform

2 x PaloAlto PA-3220 Appliances running in Active/Passive - PAN OS 11.1.10-h1

We have been trying to use the PaloAlto API XML to update Username and IP Address mappings from ClearPass. We have followed all of the documentation provided by Aruba, however we have found it very unreliable. It would appear that either ClearPass is not sending over 60%+ of the information, or the PaloAlto is ignoring it.

We have resorted to using the Syslog feature to update the details, however that isn't as quick as the API and quite limiting on what you can pass to the PaloAlto. It's getting us by at the moment, however there is a 30 second delay in authentication and the syslog sending the information to PaloAlto.

Has anyone else experienced issues with the API setup?

Thanks

Tom

Similar setup here. Been chasing this intermittent issue a while now and have had multiple TAC cases open. At first they thought it was a known bug and had me upgrade to 6.11 but that didnt help. Then they came out with a cli command to perform a daily flush of the postauth database; this didnt help. Then I was told it was an issue on Palo Altos side (opened a case with them, it was not). Then we played with the (Administration -> Server Manager -> Server Configuration -> <server> -> Service Parameters -> Async network services -> Post-Auth [Connection Timeout]) setting; this didnt help.

Finally on my current TAC case, they acknowledged a bug where there is an issue with ClearPass where it is not renewing the Palo Alto API token after expiration. The only manual workaround is to stop/restart the async network service. I was told they were hoping to get the fix into 6.12.6 which just released yesterday, however I confirmed with TAC that the fix did not make it into 6.12.6. I am waiting to hear if I have to wait until 6.12.7, or if a hotfix will be made available.

Current Setup:

2 x ClearPass Policy Manager 6.12.4.305024 on C3000V platform

2 x PaloAlto PA-3220 Appliances running in Active/Passive - PAN OS 11.1.10-h1

We have been trying to use the PaloAlto API XML to update Username and IP Address mappings from ClearPass. We have followed all of the documentation provided by Aruba, however we have found it very unreliable. It would appear that either ClearPass is not sending over 60%+ of the information, or the PaloAlto is ignoring it.

We have resorted to using the Syslog feature to update the details, however that isn't as quick as the API and quite limiting on what you can pass to the PaloAlto. It's getting us by at the moment, however there is a 30 second delay in authentication and the syslog sending the information to PaloAlto.

Has anyone else experienced issues with the API setup?

Thanks

Tom

That's good to know that they are aware of the bug. I hope they come up with a hotfix for it.

Similar setup here. Been chasing this intermittent issue a while now and have had multiple TAC cases open. At first they thought it was a known bug and had me upgrade to 6.11 but that didnt help. Then they came out with a cli command to perform a daily flush of the postauth database; this didnt help. Then I was told it was an issue on Palo Altos side (opened a case with them, it was not). Then we played with the (Administration -> Server Manager -> Server Configuration -> <server> -> Service Parameters -> Async network services -> Post-Auth [Connection Timeout]) setting; this didnt help.

Finally on my current TAC case, they acknowledged a bug where there is an issue with ClearPass where it is not renewing the Palo Alto API token after expiration. The only manual workaround is to stop/restart the async network service. I was told they were hoping to get the fix into 6.12.6 which just released yesterday, however I confirmed with TAC that the fix did not make it into 6.12.6. I am waiting to hear if I have to wait until 6.12.7, or if a hotfix will be made available.

Current Setup:

2 x ClearPass Policy Manager 6.12.4.305024 on C3000V platform

2 x PaloAlto PA-3220 Appliances running in Active/Passive - PAN OS 11.1.10-h1

We have been trying to use the PaloAlto API XML to update Username and IP Address mappings from ClearPass. We have followed all of the documentation provided by Aruba, however we have found it very unreliable. It would appear that either ClearPass is not sending over 60%+ of the information, or the PaloAlto is ignoring it.

We have resorted to using the Syslog feature to update the details, however that isn't as quick as the API and quite limiting on what you can pass to the PaloAlto. It's getting us by at the moment, however there is a 30 second delay in authentication and the syslog sending the information to PaloAlto.

Has anyone else experienced issues with the API setup?

Thanks

Tom

Current Setup:

2 x ClearPass Policy Manager 6.12.4.305024 on C3000V platform

2 x PaloAlto PA-3220 Appliances running in Active/Passive - PAN OS 11.1.10-h1

We have been trying to use the PaloAlto API XML to update Username and IP Address mappings from ClearPass. We have followed all of the documentation provided by Aruba, however we have found it very unreliable. It would appear that either ClearPass is not sending over 60%+ of the information, or the PaloAlto is ignoring it.

We have resorted to using the Syslog feature to update the details, however that isn't as quick as the API and quite limiting on what you can pass to the PaloAlto. It's getting us by at the moment, however there is a 30 second delay in authentication and the syslog sending the information to PaloAlto.

Has anyone else experienced issues with the API setup?

Thanks

Tom

Have any of you tried this "new feature" that comes in disabled by default in your cluster?

This is applicable for 6.12.5 ( ClearPass 6.x.x Release Notes - New Features in the 6.12.5 Release ) and 6.11.11 ( ClearPass 6.x.x Release Notes - New Features in the 6.11.11 Release )

Current Setup:

2 x ClearPass Policy Manager 6.12.4.305024 on C3000V platform

2 x PaloAlto PA-3220 Appliances running in Active/Passive - PAN OS 11.1.10-h1

We have been trying to use the PaloAlto API XML to update Username and IP Address mappings from ClearPass. We have followed all of the documentation provided by Aruba, however we have found it very unreliable. It would appear that either ClearPass is not sending over 60%+ of the information, or the PaloAlto is ignoring it.

We have resorted to using the Syslog feature to update the details, however that isn't as quick as the API and quite limiting on what you can pass to the PaloAlto. It's getting us by at the moment, however there is a 30 second delay in authentication and the syslog sending the information to PaloAlto.

Has anyone else experienced issues with the API setup?

Thanks

Tom

Yes I tried this feature and it doesn't help the root issue, which is the api token expiration and failure to renew the token. I'm sure this setting helps with other issues, but not the issue of the intermittent failures to post to the PAN due to the api token expiring.

Have any of you tried this "new feature" that comes in disabled by default in your cluster?

This is applicable for 6.12.5 ( ClearPass 6.x.x Release Notes - New Features in the 6.12.5 Release ) and 6.11.11 ( ClearPass 6.x.x Release Notes - New Features in the 6.11.11 Release )

Current Setup:

2 x ClearPass Policy Manager 6.12.4.305024 on C3000V platform

2 x PaloAlto PA-3220 Appliances running in Active/Passive - PAN OS 11.1.10-h1

We have been trying to use the PaloAlto API XML to update Username and IP Address mappings from ClearPass. We have followed all of the documentation provided by Aruba, however we have found it very unreliable. It would appear that either ClearPass is not sending over 60%+ of the information, or the PaloAlto is ignoring it.

We have resorted to using the Syslog feature to update the details, however that isn't as quick as the API and quite limiting on what you can pass to the PaloAlto. It's getting us by at the moment, however there is a 30 second delay in authentication and the syslog sending the information to PaloAlto.

Has anyone else experienced issues with the API setup?

Thanks

Tom

Current Setup:

2 x ClearPass Policy Manager 6.12.4.305024 on C3000V platform

2 x PaloAlto PA-3220 Appliances running in Active/Passive - PAN OS 11.1.10-h1

We have been trying to use the PaloAlto API XML to update Username and IP Address mappings from ClearPass. We have followed all of the documentation provided by Aruba, however we have found it very unreliable. It would appear that either ClearPass is not sending over 60%+ of the information, or the PaloAlto is ignoring it.

We have resorted to using the Syslog feature to update the details, however that isn't as quick as the API and quite limiting on what you can pass to the PaloAlto. It's getting us by at the moment, however there is a 30 second delay in authentication and the syslog sending the information to PaloAlto.

Has anyone else experienced issues with the API setup?

Thanks

Tom

This sounds similar to an issue we found after upgrading from 6.11.10.260785 to 6.11.12.262976.

When running 6.11.12 there were a number of API XML events that did not contain the username, so were discarded by the firewall.

TAC support call including debug session

Issue:

• After upgrading to 6.11.12, it was observed that the user entry processed on Palo Alto is missing the username information.

 Analysis:

•  It has been observed that the data processed by Postauth does not include the username. Additionally, it was identified that the data retrieved by Postauth from Insight is also missing the username.
• While the data for the above user stored under Insight contains the username information, the field is missed out while it is processed for postauth. 
• Since the issue is occurring post 6.11.12 update, server was rollback to 6.11.11 and the behaviour in 6.11.11 confirmed the issue is specific to 6.11.12 code.  

This is a different bug that the auth token not renewing.

You may need to setup a debug session with TAC to confirm if this specific behaviour is also present in 6.12.

Original Message:
Sent: Sep 18, 2025 03:16 AM
From: Tom Norton
Subject: ClearPass User Mapping to PaloAlto via XML API

Current Setup:

2 x ClearPass Policy Manager 6.12.4.305024 on C3000V platform

2 x PaloAlto PA-3220 Appliances running in Active/Passive - PAN OS 11.1.10-h1

We have been trying to use the PaloAlto API XML to update Username and IP Address mappings from ClearPass. We have followed all of the documentation provided by Aruba, however we have found it very unreliable. It would appear that either ClearPass is not sending over 60%+ of the information, or the PaloAlto is ignoring it.

We have resorted to using the Syslog feature to update the details, however that isn't as quick as the API and quite limiting on what you can pass to the PaloAlto. It's getting us by at the moment, however there is a 30 second delay in authentication and the syslog sending the information to PaloAlto.

Has anyone else experienced issues with the API setup?

Thanks

Tom

-------------------------------------------

Yea, from my experience with the Palo Alto XMLAPI integration, there have been multiple bugs (which depending on the bug, may or may not be related to one another). For example...

• there's the token refresh issue (CP-57023)
• the issue where usernames are not being sent in the XMLAPI calls to the Palo Alto
• an issue which caused Aruba to introduce the "Post-Authentication v2 Combine Session Notification Events to PAN" setting in cluster-wide parameters
• an issue which caused Aruba to introduce a CLI command (flush-postauth-cache -s) so you can set a daily cache flush
• others I may be missing

I am still waiting to hear if a hotfix will be released for the token refresh issue, since it didn't make it into 6.12.6; and I really hope I don't need to wait until 6.12.7.

This sounds similar to an issue we found after upgrading from 6.11.10.260785 to 6.11.12.262976.

When running 6.11.12 there were a number of API XML events that did not contain the username, so were discarded by the firewall.

TAC support call including debug session

Issue:

• After upgrading to 6.11.12, it was observed that the user entry processed on Palo Alto is missing the username information.

 Analysis:

•  It has been observed that the data processed by Postauth does not include the username. Additionally, it was identified that the data retrieved by Postauth from Insight is also missing the username.
• While the data for the above user stored under Insight contains the username information, the field is missed out while it is processed for postauth. 
• Since the issue is occurring post 6.11.12 update, server was rollback to 6.11.11 and the behaviour in 6.11.11 confirmed the issue is specific to 6.11.12 code.  

This is a different bug that the auth token not renewing.

You may need to setup a debug session with TAC to confirm if this specific behaviour is also present in 6.12.

Current Setup:

2 x ClearPass Policy Manager 6.12.4.305024 on C3000V platform

2 x PaloAlto PA-3220 Appliances running in Active/Passive - PAN OS 11.1.10-h1

We have been trying to use the PaloAlto API XML to update Username and IP Address mappings from ClearPass. We have followed all of the documentation provided by Aruba, however we have found it very unreliable. It would appear that either ClearPass is not sending over 60%+ of the information, or the PaloAlto is ignoring it.

We have resorted to using the Syslog feature to update the details, however that isn't as quick as the API and quite limiting on what you can pass to the PaloAlto. It's getting us by at the moment, however there is a 30 second delay in authentication and the syslog sending the information to PaloAlto.

Has anyone else experienced issues with the API setup?

Thanks

Tom

I may have found another bug. I have sent this to my TAC engineer asking them to investigate.

I was digging into an issue I believe wasn't related to the xmlapi token refresh issue. While many username/IP mappings are making it to the firewall, some users still are not. After enabling debug on the async network service and digging through logs, I believe I found an issue...

When ClearPass attempts to combine payloads into a single xmlapi call, the resulting code block has two sets of <login> xml tags. The users in the first block appear to be processed by the firewall, as confirmed in logs on the firewall. The user in the 2nd <login> xml tag, is not processed, and no log entry is made for them in the firewall. I believe having more than one <login> block in the xmlapi post code is a syntax error and isn't processed by the firewalls. I believe there should only be a single <login> block containing all the username/IP entries.

I would add, I have two different services calling two different context server actions which perform xmlapi calls to my firewalls. So I am not sure if the issue is tied to ClearPass trying to combine payloads from different context server actions; if the issue is tied to the "Post-Authentication v2 Combine Session Notification Events to PAN" setting which I have enabled, or if the issue is tied to something else in the code/workflows.

Yea, from my experience with the Palo Alto XMLAPI integration, there have been multiple bugs (which depending on the bug, may or may not be related to one another). For example...

• there's the token refresh issue (CP-57023)
• the issue where usernames are not being sent in the XMLAPI calls to the Palo Alto
• an issue which caused Aruba to introduce the "Post-Authentication v2 Combine Session Notification Events to PAN" setting in cluster-wide parameters
• an issue which caused Aruba to introduce a CLI command (flush-postauth-cache -s) so you can set a daily cache flush
• others I may be missing

I am still waiting to hear if a hotfix will be released for the token refresh issue, since it didn't make it into 6.12.6; and I really hope I don't need to wait until 6.12.7.

This sounds similar to an issue we found after upgrading from 6.11.10.260785 to 6.11.12.262976.

When running 6.11.12 there were a number of API XML events that did not contain the username, so were discarded by the firewall.

TAC support call including debug session

Issue:

• After upgrading to 6.11.12, it was observed that the user entry processed on Palo Alto is missing the username information.

 Analysis:

•  It has been observed that the data processed by Postauth does not include the username. Additionally, it was identified that the data retrieved by Postauth from Insight is also missing the username.
• While the data for the above user stored under Insight contains the username information, the field is missed out while it is processed for postauth. 
• Since the issue is occurring post 6.11.12 update, server was rollback to 6.11.11 and the behaviour in 6.11.11 confirmed the issue is specific to 6.11.12 code.  

This is a different bug that the auth token not renewing.

You may need to setup a debug session with TAC to confirm if this specific behaviour is also present in 6.12.

Current Setup:

2 x ClearPass Policy Manager 6.12.4.305024 on C3000V platform

2 x PaloAlto PA-3220 Appliances running in Active/Passive - PAN OS 11.1.10-h1

We have been trying to use the PaloAlto API XML to update Username and IP Address mappings from ClearPass. We have followed all of the documentation provided by Aruba, however we have found it very unreliable. It would appear that either ClearPass is not sending over 60%+ of the information, or the PaloAlto is ignoring it.

We have resorted to using the Syslog feature to update the details, however that isn't as quick as the API and quite limiting on what you can pass to the PaloAlto. It's getting us by at the moment, however there is a 30 second delay in authentication and the syslog sending the information to PaloAlto.

Has anyone else experienced issues with the API setup?

Thanks

Tom

EDITED 9/29/25

Yea, from my experience with the Palo Alto XMLAPI integration, there have been multiple bugs (which depending on the bug, may or may not be related to one another). For example...

• there's the token refresh issue (CP-57023)
• the issue where usernames are not being sent in the XMLAPI calls to the Palo Alto
• an issue which caused Aruba to introduce the "Post-Authentication v2 Combine Session Notification Events to PAN" setting in cluster-wide parameters
• the above setting has its own bug in that when xmlapi payloads are combined, the resulting xmlapi call is improperly formatted and includes two <login></login> elements, when the Palo Altos are only expecting one pair (and only process the 1st pair, ignoring entries in the second pair)
• an issue which caused Aruba to introduce a CLI command (flush-postauth-cache -s) so you can set a daily cache flush
• others I may be missing

I am still waiting to hear if a hotfix will be released for the token refresh issue, since it didn't make it into 6.12.6; and I really hope I don't need to wait until 6.12.7.

Original Message:
Sent: Sep 24, 2025 02:14 AM
From: tobi.coonan
Subject: ClearPass User Mapping to PaloAlto via XML API

This sounds similar to an issue we found after upgrading from 6.11.10.260785 to 6.11.12.262976.

When running 6.11.12 there were a number of API XML events that did not contain the username, so were discarded by the firewall.

TAC support call including debug session

Issue:

• After upgrading to 6.11.12, it was observed that the user entry processed on Palo Alto is missing the username information.

 Analysis:

•  It has been observed that the data processed by Postauth does not include the username. Additionally, it was identified that the data retrieved by Postauth from Insight is also missing the username.
• While the data for the above user stored under Insight contains the username information, the field is missed out while it is processed for postauth. 
• Since the issue is occurring post 6.11.12 update, server was rollback to 6.11.11 and the behaviour in 6.11.11 confirmed the issue is specific to 6.11.12 code.  

This is a different bug that the auth token not renewing.

You may need to setup a debug session with TAC to confirm if this specific behaviour is also present in 6.12.

Original Message:
Sent: Sep 18, 2025 03:16 AM
From: Tom Norton
Subject: ClearPass User Mapping to PaloAlto via XML API

Current Setup:

2 x ClearPass Policy Manager 6.12.4.305024 on C3000V platform

2 x PaloAlto PA-3220 Appliances running in Active/Passive - PAN OS 11.1.10-h1

We have been trying to use the PaloAlto API XML to update Username and IP Address mappings from ClearPass. We have followed all of the documentation provided by Aruba, however we have found it very unreliable. It would appear that either ClearPass is not sending over 60%+ of the information, or the PaloAlto is ignoring it.

We have resorted to using the Syslog feature to update the details, however that isn't as quick as the API and quite limiting on what you can pass to the PaloAlto. It's getting us by at the moment, however there is a 30 second delay in authentication and the syslog sending the information to PaloAlto.

Has anyone else experienced issues with the API setup?

Thanks

Tom

-------------------------------------------

Not sure if this is still relevant for anyone, but I managed to get around the bug of no username being sent by changing the XML payload in clearpass to use SamAccountName rather than the {user} attribute. Assuming you are using local AD with Palo for user/groups and have your AD in as a source in clearpass. 

You will need to ensure that sAMAccountName is in your ad source authentication filter in clearpass, then make a copy of the Palo Alto context server login/out actions and change the {user} to the sAMAccountName like below. 

<uid-message><version>1.0</version><type>update</type><payload><login><entry name="%{Authorization:AD-Source:sAMAccountName}" ip="%{ip}"/></login></payload></uid-message>

I assume you could change this to any attribute to suit your environment.

Still have a bug that I haven't seen anyone mention yet - we see phantom IP addresses in the IP-TAG monitor from the XML-API source in Palo. We still see the correct IP assigning and unassigning from the devices however these can be sometimes accompanied by single or multiple IP addresses that are not even addressable on our network. They all seem to be typical home network ranges eg 192.168.0.0/16 (most common) and 10.0.0.0/8 and are always logout events. 

Thanks

EDITED 9/29/25

Yea, from my experience with the Palo Alto XMLAPI integration, there have been multiple bugs (which depending on the bug, may or may not be related to one another). For example...

• there's the token refresh issue (CP-57023)
• the issue where usernames are not being sent in the XMLAPI calls to the Palo Alto
• an issue which caused Aruba to introduce the "Post-Authentication v2 Combine Session Notification Events to PAN" setting in cluster-wide parameters
• the above setting has its own bug in that when xmlapi payloads are combined, the resulting xmlapi call is improperly formatted and includes two <login></login> elements, when the Palo Altos are only expecting one pair (and only process the 1st pair, ignoring entries in the second pair)
• an issue which caused Aruba to introduce a CLI command (flush-postauth-cache -s) so you can set a daily cache flush
• others I may be missing

I am still waiting to hear if a hotfix will be released for the token refresh issue, since it didn't make it into 6.12.6; and I really hope I don't need to wait until 6.12.7.

Original Message:
Sent: Sep 24, 2025 02:14 AM
From: tobi.coonan
Subject: ClearPass User Mapping to PaloAlto via XML API

This sounds similar to an issue we found after upgrading from 6.11.10.260785 to 6.11.12.262976.

When running 6.11.12 there were a number of API XML events that did not contain the username, so were discarded by the firewall.

TAC support call including debug session

Issue:

• After upgrading to 6.11.12, it was observed that the user entry processed on Palo Alto is missing the username information.

 Analysis:

•  It has been observed that the data processed by Postauth does not include the username. Additionally, it was identified that the data retrieved by Postauth from Insight is also missing the username.
• While the data for the above user stored under Insight contains the username information, the field is missed out while it is processed for postauth. 
• Since the issue is occurring post 6.11.12 update, server was rollback to 6.11.11 and the behaviour in 6.11.11 confirmed the issue is specific to 6.11.12 code.  

This is a different bug that the auth token not renewing.

You may need to setup a debug session with TAC to confirm if this specific behaviour is also present in 6.12.

Original Message:
Sent: Sep 18, 2025 03:16 AM
From: Tom Norton
Subject: ClearPass User Mapping to PaloAlto via XML API

Current Setup:

2 x ClearPass Policy Manager 6.12.4.305024 on C3000V platform

2 x PaloAlto PA-3220 Appliances running in Active/Passive - PAN OS 11.1.10-h1

We have been trying to use the PaloAlto API XML to update Username and IP Address mappings from ClearPass. We have followed all of the documentation provided by Aruba, however we have found it very unreliable. It would appear that either ClearPass is not sending over 60%+ of the information, or the PaloAlto is ignoring it.

We have resorted to using the Syslog feature to update the details, however that isn't as quick as the API and quite limiting on what you can pass to the PaloAlto. It's getting us by at the moment, however there is a 30 second delay in authentication and the syslog sending the information to PaloAlto.

Has anyone else experienced issues with the API setup?

Thanks

Tom

-------------------------------------------

Thanks for adding your potential workaround.

I upgraded to 6.12.7 which was supposed to resolve some of the Palo Alto xmlapi token issues:


However, I still see intermittent post failures in my event viewer:

While I believe some bugs were addressed, I believe there are others lingering.

Not sure if this is still relevant for anyone, but I managed to get around the bug of no username being sent by changing the XML payload in clearpass to use SamAccountName rather than the {user} attribute. Assuming you are using local AD with Palo for user/groups and have your AD in as a source in clearpass. 

You will need to ensure that sAMAccountName is in your ad source authentication filter in clearpass, then make a copy of the Palo Alto context server login/out actions and change the {user} to the sAMAccountName like below. 

<uid-message><version>1.0</version><type>update</type><payload><login><entry name="%{Authorization:AD-Source:sAMAccountName}" ip="%{ip}"/></login></payload></uid-message>

I assume you could change this to any attribute to suit your environment.

Still have a bug that I haven't seen anyone mention yet - we see phantom IP addresses in the IP-TAG monitor from the XML-API source in Palo. We still see the correct IP assigning and unassigning from the devices however these can be sometimes accompanied by single or multiple IP addresses that are not even addressable on our network. They all seem to be typical home network ranges eg 192.168.0.0/16 (most common) and 10.0.0.0/8 and are always logout events. 

Thanks

EDITED 9/29/25

Yea, from my experience with the Palo Alto XMLAPI integration, there have been multiple bugs (which depending on the bug, may or may not be related to one another). For example...

• there's the token refresh issue (CP-57023)
• the issue where usernames are not being sent in the XMLAPI calls to the Palo Alto
• an issue which caused Aruba to introduce the "Post-Authentication v2 Combine Session Notification Events to PAN" setting in cluster-wide parameters
• the above setting has its own bug in that when xmlapi payloads are combined, the resulting xmlapi call is improperly formatted and includes two <login></login> elements, when the Palo Altos are only expecting one pair (and only process the 1st pair, ignoring entries in the second pair)
• an issue which caused Aruba to introduce a CLI command (flush-postauth-cache -s) so you can set a daily cache flush
• others I may be missing

I am still waiting to hear if a hotfix will be released for the token refresh issue, since it didn't make it into 6.12.6; and I really hope I don't need to wait until 6.12.7.

Original Message:
Sent: Sep 24, 2025 02:14 AM
From: tobi.coonan
Subject: ClearPass User Mapping to PaloAlto via XML API

This sounds similar to an issue we found after upgrading from 6.11.10.260785 to 6.11.12.262976.

When running 6.11.12 there were a number of API XML events that did not contain the username, so were discarded by the firewall.

TAC support call including debug session

Issue:

• After upgrading to 6.11.12, it was observed that the user entry processed on Palo Alto is missing the username information.

 Analysis:

•  It has been observed that the data processed by Postauth does not include the username. Additionally, it was identified that the data retrieved by Postauth from Insight is also missing the username.
• While the data for the above user stored under Insight contains the username information, the field is missed out while it is processed for postauth. 
• Since the issue is occurring post 6.11.12 update, server was rollback to 6.11.11 and the behaviour in 6.11.11 confirmed the issue is specific to 6.11.12 code.  

This is a different bug that the auth token not renewing.

You may need to setup a debug session with TAC to confirm if this specific behaviour is also present in 6.12.

Original Message:
Sent: Sep 18, 2025 03:16 AM
From: Tom Norton
Subject: ClearPass User Mapping to PaloAlto via XML API

Current Setup:

2 x ClearPass Policy Manager 6.12.4.305024 on C3000V platform

2 x PaloAlto PA-3220 Appliances running in Active/Passive - PAN OS 11.1.10-h1

We have been trying to use the PaloAlto API XML to update Username and IP Address mappings from ClearPass. We have followed all of the documentation provided by Aruba, however we have found it very unreliable. It would appear that either ClearPass is not sending over 60%+ of the information, or the PaloAlto is ignoring it.

We have resorted to using the Syslog feature to update the details, however that isn't as quick as the API and quite limiting on what you can pass to the PaloAlto. It's getting us by at the moment, however there is a 30 second delay in authentication and the syslog sending the information to PaloAlto.

Has anyone else experienced issues with the API setup?

Thanks

Tom

-------------------------------------------