User-ID using Cloud identity engine with Azure AD

BFC — Tue, 26 Sep 2023 01:47:23 GMT

Hello All,

We are in the process of configuring the Cloud Identity Engine with the directory sync features with Azure-AD to pool the users and the groups in order to applying role/group-based access control. Despite successfully completing several steps of the configuration process, we are experiencing difficulties with the application of policies to the specified users and groups.

Here is a summary of the steps we have completed thus far:

1. Activation of the Cloud Identity Engine in the hub.
2. Configuration of a cloud-based directory for (Azure AD) to establish communication with the Cloud Identity Engine.
3. Setting up Azure as an IdP within the Cloud Identity Engine for user authentication.
4. Creation of an Authentication Profile in the Cloud Identity Engine.
5. Configuration of Cloud Identity Engine Authentication on our PaloAlto Firewall.
6. Setup of the Cloud Identity Engine as a Mapping Source on our PaloAlto Firewall.

Following the aforementioned setup, we linked the Cloud Identity Engine with Azure AD and pooled the users and the groups. We proceeded to map a Cloud Identity Engine profile in the User Identification sub-menu. During policy creation, we can view our groups and users, however, it seems that the policies are not being applied to these users or groups as expected.

Re: User-ID using Cloud identity engine with Azure AD

TomYoung — Wed, 27 Sep 2023 18:55:03 GMT

Hi @BFC ,

I wish the PANW CIE documentation was more clear. From my understanding, the CIE does NOT map users to IP addresses. It maps users to groups.

Look at the last command in this doc -> https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/authenticate-users-with-the-cloud-identity-engine/configure-the-cloud-identity-engine-as-a-mapping-source-on-the-firewall. "On the firewall, use the show user ip-user-mapping all command to verify that the mapping information is available to the firewall." My guess is that you have no user-to-IP mappings. What is the ouput of that command on your NGFW?

Notice the 2nd to the last paragraph on this doc -> https://docs.paloaltonetworks.com/cloud-identity/cloud-identity-engine-getting-started/get-started-with-the-cloud-identity-engine/learn-about-the-cloud-identity-engine#id3f7f173a-ab4b-4040-b82e-86944d8b769b. “On the firewall, configure an Authentication policy that requires users to log in using Authentication Portal to access resources such as the internet.” It is this Authentication Policy (not to be confused with the CIE Authentication Profile) that actually captures the user IP addresses when they successfully authenticate. The web page used for logins is called the Authentication Portal or Captive Portal. Without this piece, AAD or CIE has no idea what the user's IP address is.

That's a huge part of the solution that is rarely mentioned! Authentication Portal takes quite a few steps to configure. Plus, your users now have an extra login. They good news is that once you configure User-ID for user-to-IP mappings, you can do some cool stuff. You also are not limited to the Authentication Portal. You can use any method in the diagram here -> https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/user-id-overview as long as the username format matches.

Are your users logging into the network already, such as WiFi 802.1x? You can forward that info to the NGFW using syslog. Do your users already have GlobalProtect? You can set it up with Internal Host Detection.

Thanks,

Tom

topic Re: User-ID using Cloud identity engine with Azure AD in Cloud Identity Engine Discussions

User-ID using Cloud identity engine with Azure AD

Re: User-ID using Cloud identity engine with Azure AD