10-13-2016 11:47 PM
Can you set a global timeout value for XML API user-id timeouts is there a configurable global timeout ?
We are useing clearpass 6.6 to authenticate our wireless users and using technote v5 clearpass palo alto integration to push user name and ip address via post authentication action via xlmapi. Only after upgrading to 7.1.5 form 7.1.4-h2 we saw that user-id cache timeouts were changed from never to 45 minutes. We didn't realise this before. It would be nice to have a global setting that you can set for xmlapi user-id timoutes in the cache. As there isn't a way to set this in clearpass to pass along to xmlapi as far as we know.
06-27-2023 06:02 AM
I recently had this very issue and there's 2 ways to fix it. By default Aruba ClearPass doesn't send a timeout value to Panorama for authenticated sessions, it assumes you want to use the locally configured timeout value on Panorama (firewalls) which is in:
Device --> User-Identification --> (Gear/Setting Icon) --> User Mapping --> Cache
Or
If you want the timeout value to be set via XML from Aruba add timeout="XXXX" (where X = number of minutes for the FW to store the user to IP association) string the XML code being sent to the FW.
This KB shows an example: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXyCAK
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
