https://live.paloaltonetworks.com/t5/general-topics/ignore-all-computers-from-xmlapi-mappings/m-p/125706#M46453 <P>Hi Everyone,</P><P>I am trying to intergrate clearpass with Palo alto using xlampi, all was going well however i struck a problem</P><P>In clearpass i have two types of users that are autheticating, domain joined machines (which authenticate using "compute authentication" and i also have byod users that authenticate using user based ad authetication.</P><P>so when a byod users authenticates with his ad credentials against clear pass and this is passed through to Palo alto all is good . &nbsp;Ihave a xlampi mapping of user and IP.</P><P>&nbsp;</P><P>However when a user authenticates against Clearpass as a domain machine ,I now have a xmlapi mapping of ip and computer name . and considering my palo alto policies are user based policies user cant get internet.</P><P>&nbsp;</P><P>I do have uia in play which works well for domain machines, but i have the problem when both are in play sometimes the xmlapi mapping from clearpass overides the uia mapping.</P><P>&nbsp;</P><P>Hope that makes sense</P><P>Kind Regards</P><P>Paul</P><P>My thought was to set a ignore list &nbsp;as all computers that get authenticated via xmlapi appear domain\computername$</P><P>&nbsp;</P><P>show user ip-user-mapping all | match $</P><P>it returns 1026 results so using set vsys vsys1 user-id-collector ignore-user domain\*$&nbsp;&nbsp;&nbsp; ?</P><P>however this brings all users back will ignore 1026</P><P>&nbsp;</P><P>and thats were i am stuck.</P><P>&nbsp;</P> Thu, 10 Nov 2016 23:30:17 GMT PaulBrock 2016-11-10T23:30:17Z https://live.paloaltonetworks.com/t5/general-topics/ignore-all-computers-from-xmlapi-mappings/m-p/125706#M46453 <P>Hi Everyone,</P><P>I am trying to intergrate clearpass with Palo alto using xlampi, all was going well however i struck a problem</P><P>In clearpass i have two types of users that are autheticating, domain joined machines (which authenticate using "compute authentication" and i also have byod users that authenticate using user based ad authetication.</P><P>so when a byod users authenticates with his ad credentials against clear pass and this is passed through to Palo alto all is good . &nbsp;Ihave a xlampi mapping of user and IP.</P><P>&nbsp;</P><P>However when a user authenticates against Clearpass as a domain machine ,I now have a xmlapi mapping of ip and computer name . and considering my palo alto policies are user based policies user cant get internet.</P><P>&nbsp;</P><P>I do have uia in play which works well for domain machines, but i have the problem when both are in play sometimes the xmlapi mapping from clearpass overides the uia mapping.</P><P>&nbsp;</P><P>Hope that makes sense</P><P>Kind Regards</P><P>Paul</P><P>My thought was to set a ignore list &nbsp;as all computers that get authenticated via xmlapi appear domain\computername$</P><P>&nbsp;</P><P>show user ip-user-mapping all | match $</P><P>it returns 1026 results so using set vsys vsys1 user-id-collector ignore-user domain\*$&nbsp;&nbsp;&nbsp; ?</P><P>however this brings all users back will ignore 1026</P><P>&nbsp;</P><P>and thats were i am stuck.</P><P>&nbsp;</P> Thu, 10 Nov 2016 23:30:17 GMT https://live.paloaltonetworks.com/t5/general-topics/ignore-all-computers-from-xmlapi-mappings/m-p/125706#M46453 PaulBrock 2016-11-10T23:30:17Z https://live.paloaltonetworks.com/t5/general-topics/ignore-all-computers-from-xmlapi-mappings/m-p/125772#M46458 <P>Can you change the script which sends user info from Clearpass to PA? That would be the best point where to filter which info is sent.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 11 Nov 2016 07:23:02 GMT https://live.paloaltonetworks.com/t5/general-topics/ignore-all-computers-from-xmlapi-mappings/m-p/125772#M46458 santonic 2016-11-11T07:23:02Z https://live.paloaltonetworks.com/t5/general-topics/ignore-all-computers-from-xmlapi-mappings/m-p/195369#M58368 <P>Do you have the following set?</P><P>CPPM &gt; Administration &gt; External Servers &gt; Endpoint Context Servers &gt; (Your PANs) &gt; Username Transformation = Prefix NETBIOS name</P><P>&nbsp;</P><P>I have users connecting with Computer Authentication and they show up as:</P><P>(domain)/(computer host name)$&nbsp;</P><P>example:&nbsp; abc/my-host$</P> Tue, 16 Jan 2018 19:55:23 GMT https://live.paloaltonetworks.com/t5/general-topics/ignore-all-computers-from-xmlapi-mappings/m-p/195369#M58368 etnerual 2018-01-16T19:55:23Z