XML API user-id timeouts is there a configurable global setting ?

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

XML API user-id timeouts is there a configurable global setting ?

L1 Bithead

Can you set a global timeout value for XML API user-id timeouts is there a configurable global timeout ?

We are useing clearpass 6.6 to authenticate our wireless users and using technote v5 clearpass palo alto integration to push user name and ip address via post authentication action via xlmapi. Only after upgrading to 7.1.5 form 7.1.4-h2 we saw that user-id cache timeouts were changed from never to 45 minutes. We didn't realise this before. It would be nice to have a global setting that you can set for xmlapi user-id timoutes in the cache. As there isn't a way to set this in clearpass to pass along to xmlapi as far as we know.


L6 Presenter

I recently had this very issue and there's 2 ways to fix it.  By default Aruba ClearPass doesn't send a timeout value to Panorama for authenticated sessions, it assumes you want to use the locally configured timeout value on Panorama (firewalls) which is in:

Device --> User-Identification --> (Gear/Setting Icon) --> User Mapping --> Cache




If you want the timeout value to be set via XML from Aruba add timeout="XXXX" (where X = number of minutes for the FW to store the user to IP association) string the XML code being sent to the FW.


This KB shows an example:  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXyCAK 

  • 1 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!