Authorization failure when Aruba clearpass is trying to create userip mapping via xmlapi

Created On 03/23/26 09:45 AM - Last Modified 03/23/26 09:51 AM


Symptom


• User authentication information from Aruba ClearPass via API works on a firewall but not on Panorama using the same settings.
• Panorama terminates the connection with a TCP Reset after ClearPass sends a Client Hello.
• User-ID logs on Panorama do not show any XML API requests.
• Authentication for the user on Panorama succeeds, but authorization fails.
• Changing the API user's role-based profile to superuser did not immediately resolve the authorization failure.
• A dummy User-ID mapping was successfully created on Panorama using a curl command, confirming that Panorama's XML API itself was working.


ERROR_LOGS
• Failed in get_pwchange_required for user clearpassuser

2026/03/02 01:09:26 2026-03-02 01:09:26.396 +0300 debug: pan_auth_request_process(pan_auth_state_engine.c:3619): Receive request: msg type PAN_AUTH_REQ_GET_PW_CHANGE_REQUIRED, conv id 66457, body length 64
2026/03/02 01:09:26 2026-03-02 01:09:26.396 +0300 debug: pan_db_funcs_request_process(pan_auth_state_engine.c:1661): Authd: Get PW Change Requred
2026/03/02 01:09:26 2026-03-02 01:09:26.396 +0300 Error: pan_authd_handle_get_pwchange_required(pan_auth_clt_requests.c:532): Failed in get_pwchange_required for user clearpassuser



LOG_SIGNATURES
• No TLS handshake-related events logged in sslmgr.log despite debug being enabled
• TCP Reset (RST) sent by Panorama after receiving Client Hello
• Absence of User-ID login events for ClearPass IP in user-id_csv.log from Panorama
• debug: pan_auth_request_process(pan_auth_state_engine.c:3619): Receive request: msg type PAN_AUTH_REQ_GET_PW_CHANGE_REQUIRED
• Error: pan_authd_handle_get_pwchange_required(pan_auth_clt_requests.c:532): Failed in get_pwchange_required



Environment


Product_versions
• PAN-OS: 11.1.10-hx
• Palo Alto Networks Panorama
Network Config
• XML API integration
• TCP port 443
• TLS handshake process
• Aruba ClearPass



Cause


The root cause was Panorama's authd process rejecting the XML API authentication requests from Aruba ClearPass. The rejection came from an internal check for password change requirements (PAN_AUTH_REQ_GET_PW_CHANGE_REQUIRED). For an API user who has never logged in interactively via the CLI or web UI, no record exists in the login history database, so this check fails and the API request is rejected before any User-ID mapping is processed. The TLS handshake failure seen on the wire (TCP Reset after the Client Hello) was a downstream consequence of this authentication problem.

Resolution


REMEDIATION_PLAN
1. Create a dedicated user account on Panorama for Aruba ClearPass XML API integration.
2. Perform an initial interactive login (e.g., via web UI or CLI) with the newly created user account on Panorama to establish a login history entry.
3. Configure Aruba ClearPass to use the credentials of this interactively logged-in and confirmed user for XML API calls to Panorama.

PREVENTIVE_MEASURES
1. For any user account intended for XML API integration on Panorama, perform an initial interactive login (via web UI or CLI) to establish a login history entry. This prevents the authd process from failing API requests because the login history record that the password-change check depends on is missing.
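Before pointing ClearPass at Panorama, it helps to reproduce what ClearPass does (obtain an API key, then push one test mapping) and to tell an API-level rejection apart from the connection being reset before any HTTP response. The script below is an added example, not from this article or any Palo Alto Networks tool; it uses the documented XML API calls (type=keygen and type=user-id), and the host, credentials and test user/IP are constructed placeholders.

```python
"""Preflight check for the Panorama XML API account ClearPass will use.
Added example, not from the KB article or any Palo Alto Networks tool. Uses the
documented XML API calls (type=keygen, type=user-id); host, credentials and the
test user/IP are constructed placeholders."""
import ssl
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def build_uid_message(user, ip, timeout_min=60):
    """Build the User-ID login mapping payload (uid-message) the API expects."""
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "1.0"
    ET.SubElement(msg, "type").text = "update"
    login = ET.SubElement(ET.SubElement(msg, "payload"), "login")
    ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout_min))
    return ET.tostring(msg, encoding="unicode")


def parse_api_response(body):
    """Return (ok, detail): the API key (or 'success') on success, else the error text."""
    root = ET.fromstring(body)
    if root.get("status") == "success":
        return True, root.findtext("./result/key") or "success"
    return False, (root.findtext(".//line") or root.findtext(".//msg") or "unknown error").strip()


def api_call(host, params, ctx):
    """POST to /api/ and classify the reply; an RST or TLS failure before any HTTP response
    (the symptom in this article) is reported separately from an API-level error."""
    data = urllib.parse.urlencode(params).encode()
    try:
        with urllib.request.urlopen(f"https://{host}/api/", data=data, context=ctx, timeout=15) as r:
            return parse_api_response(r.read().decode())
    except urllib.error.HTTPError as e:  # PAN-OS answers bad credentials with 403 plus an XML body
        return parse_api_response(e.read().decode())
    except OSError as e:  # URLError, ConnectionResetError, SSL errors
        return False, f"transport failure before any API response: {e}"


def preflight(host, user, password, ctx=None):
    """Mirror ClearPass: get an API key, then push one test mapping (verifies the server cert)."""
    ctx = ctx or ssl.create_default_context()  # load Panorama's CA into ctx if it is private
    ok, detail = api_call(host, {"type": "keygen", "user": user, "password": password}, ctx)
    if not ok:
        return {"stage": "keygen", "ok": False, "detail": detail}
    cmd = build_uid_message("example\\apitest", "192.0.2.10")  # constructed test mapping
    ok, detail = api_call(host, {"type": "user-id", "key": detail, "cmd": cmd}, ctx)
    return {"stage": "user-id", "ok": ok, "detail": detail}
```

A result with stage "keygen" and a transport failure matches the reset-after-Client-Hello symptom above; once the account has completed its interactive login, the same call should return an API key and the user-id stage should succeed.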



Additional Information


N/A
