This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

USER-ID XML API Include Network

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

USER-ID XML API Include Network

rats
L1 Bithead

‎02-24-2022 06:39 AM

Hi,

I'm using two PA-850 in HA, Software Version 8.1.21

For our Wifi, we have a Clearpass server sending XML-API commands to our PaloAlto, to do IP/User Mapping, but the mapping doesn't work.

If I try to call the API directly (using https://myfirewall.com/api), I can send commands this way, and see the result.

Sending In API-> User-id this xml command, to login :


<uid-message>
<version>2.0</version>
<type>update</type>
<payload>
<login>
<entry name="MyDomain\user" ip="10.0.1.1" timeout="0"/>
</login>
</payload>
</uid-message>

I get this Error in return :

<response status="error">
<msg>
<line>
<uid-response>
<version>2.0</version>
<payload>
<login>
<entry name="MyDomain\user" ip="10.0.1.1" message="IP 10.0.1.1 is not in include network"/>
</login>
</payload>
</uid-response>
</line>
</msg>
</response>

While This IP is clearly in a Zone where User-Id is enabled.


For a user already logged (by ActiveDirectory, via the User Agent)
If I try a Logout command :


<uid-message>
<version>2.0</version>
<type>update</type>
<payload>
<logout>
<entry name="MyDomain\User" ip="10.0.1.12"/>
</logout>
</payload>
</uid-message>

No problem, I get this answer :

<response status="success">
<result>
<uid-response>
<version>2.0</version>
<payload>
<logout> </logout>
</payload>
</uid-response>
</result>
</response>


So, did I miss something in my settings, or could this be a bug ?
And If so, should I update to a latest version ?


Thanks by advance for your answers.


Michael

0 Likes Likes
4 REPLIES 4

JimmyHolland
L5 Sessionator

‎02-24-2022 06:50 AM

Hi @rats, the error refers to the "include network" and says 10.0.1.1 is not within this network. How is your include/exclude configured at the moment?

 

Screenshot 2022-02-24 at 14.48.50.png

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂
0 Likes Likes

rats
L1 Bithead
In response to JimmyHolland

‎02-24-2022 07:25 AM

Hi Jimmy, 

 

Thanks for your response.

 

I have only a subnetwork In exclude mode, nothing else.

0 Likes Likes

JimmyHolland
L5 Sessionator
In response to rats

‎02-24-2022 08:06 AM

Hi @rats, if the IP address you are trying to register is outside of the exclude network(s), and/or inside of the include networks, as defined in the User-ID settings and the zone settings too (they also have include/exclude configuration) then this is not expected behaviour. I would suggest raising a case/ticket to have this investigated further, as sharing more details of your specific configuration in a public forum is not advised.

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

rats
L1 Bithead
In response to JimmyHolland

‎02-24-2022 11:27 PM

Hi Jimmy, 

 

I'll raise a ticket for this issue, thanks the answers.

 

 

Michael

0 Likes Likes
  • 3007 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks