USER-ID XML API Include Network


L1 Bithead

Hi,

I'm using two PA-850 in HA, Software Version 8.1.21

For our Wifi, we have a Clearpass server sending XML-API commands to our PaloAlto, to do IP/User Mapping, but the mapping doesn't work.

If I try to call the API directly (using https://myfirewall.com/api), I can send commands this way, and see the result.

Sending this XML command in API -> User-ID, to log in:


<uid-message>
  <version>2.0</version>
  <type>update</type>
  <payload>
    <login>
      <entry name="MyDomain\user" ip="10.0.1.1" timeout="0"/>
    </login>
  </payload>
</uid-message>

I get this error in return:

<response status="error">
  <msg>
    <line>
      <uid-response>
        <version>2.0</version>
        <payload>
          <login>
            <entry name="MyDomain\user" ip="10.0.1.1" message="IP 10.0.1.1 is not in include network"/>
          </login>
        </payload>
      </uid-response>
    </line>
  </msg>
</response>

While this IP is clearly in a zone where User-ID is enabled.

For a user already logged in (by Active Directory, via the User Agent), if I try a logout command:


<uid-message>
  <version>2.0</version>
  <type>update</type>
  <payload>
    <logout>
      <entry name="MyDomain\User" ip="10.0.1.12"/>
    </logout>
  </payload>
</uid-message>

No problem, I get this answer:

<response status="success">
  <result>
    <uid-response>
      <version>2.0</version>
      <payload>
        <logout> </logout>
      </payload>
    </uid-response>
  </result>
</response>


So, did I miss something in my settings, or could this be a bug?
And if so, should I update to the latest version?

Thanks in advance for your answers.


Michael


L5 Sessionator

Hi @infradsi, the error refers to the "include network" and says 10.0.1.1 is not within this network. How is your include/exclude configured at the moment?

[Attached screenshot: Screenshot 2022-02-24 at 14.48.50.png]

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

Hi Jimmy, 


Thanks for your response.

I only have one subnetwork in exclude mode, nothing else.

Hi @infradsi, if the IP address you are trying to register is outside of the exclude network(s), and/or inside of the include networks, as defined in the User-ID settings and the zone settings too (they also have include/exclude configuration) then this is not expected behaviour. I would suggest raising a case/ticket to have this investigated further, as sharing more details of your specific configuration in a public forum is not advised.

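Added example (Python, not code from the thread or from Palo Alto Networks): it builds the version 2.0 login update posted above, applies the include/exclude scope check Jimmy describes so an out-of-scope IP is caught on the sending side before the firewall answers "is not in include network", and extracts the per-entry message from the error response, which nests the uid-response under msg/line rather than under result. The include/exclude networks and the rule that an empty include list means "all addresses" are constructed assumptions; the authoritative lists are the firewall's User-ID and zone settings.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed stand-ins for the firewall's include/exclude lists (assumption).
INCLUDE_NETWORKS = ["10.0.0.0/16"]
EXCLUDE_NETWORKS = ["10.0.5.0/24"]

# Error response copied from the thread; raw string keeps the backslash in name.
SAMPLE_ERROR_RESPONSE = r"""<response status="error"><msg><line><uid-response>
<version>2.0</version><payload><login>
<entry name="MyDomain\user" ip="10.0.1.1" message="IP 10.0.1.1 is not in include network"/>
</login></payload></uid-response></line></msg></response>"""

# Success response copied from the thread (logout, no per-entry messages).
SAMPLE_SUCCESS_RESPONSE = """<response status="success"><result><uid-response>
<version>2.0</version><payload><logout> </logout></payload>
</uid-response></result></response>"""


def ip_in_scope(ip, include=INCLUDE_NETWORKS, exclude=EXCLUDE_NETWORKS):
    """Exclude wins; otherwise the IP must fall in some include network.
    An empty include list is treated as 'everything' (assumption)."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(n) for n in exclude):
        return False
    return not include or any(addr in ipaddress.ip_network(n) for n in include)


def build_login_message(entries):
    """Build a uid-message login update from (user, ip, timeout) tuples."""
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "2.0"
    ET.SubElement(msg, "type").text = "update"
    login = ET.SubElement(ET.SubElement(msg, "payload"), "login")
    for user, ip, timeout in entries:
        ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout))
    return ET.tostring(msg, encoding="unicode")


def prepare_login(entries):
    """Split entries into a login message for in-scope IPs and a list of
    IPs that would be rejected as 'not in include network'."""
    ok = [e for e in entries if ip_in_scope(e[1])]
    skipped = [e[1] for e in entries if not ip_in_scope(e[1])]
    return build_login_message(ok), skipped


def entry_errors(response_xml):
    """Map rejected IP -> message; iter() finds entries at any nesting depth,
    so both the msg/line and result layouts are handled."""
    root = ET.fromstring(response_xml)
    return {e.get("ip"): e.get("message")
            for e in root.iter("entry") if e.get("message")}
```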

Hi Jimmy, 

I'll raise a ticket for this issue, thanks for the answers.


Michael
