topic Re: User ID (with Windows Agent) not working in Next-Generation Firewall Discussions

User ID (with Windows Agent) not working

FloriReus — Thu, 02 Mar 2023 07:28:34 GMT

Hi,

we set up User ID based on these docs:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRyCAK

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-mapping-using-the-windows-user-id-agent

Konfiguration and installation is working:

- the agent installed on server 2019 DC is getting infos

- the firewall (PA-220 9.1) is getting infos from the agent

- the users are displayed in monitoring

but:

- we can not select users in security policies

- we can manually add users in the policies - then the policies never matches.

Any ideas?

Re: User ID (with Windows Agent) not working

PavelK — Fri, 03 Mar 2023 21:24:26 GMT

Hello @FloriReus

based on what you described, the only thing coming to my mind is missing inclusion of "Domain Users" group under: Device > User Identification > Group Mapping > [Name] > Group Include List > add: "Domain Name\Domain Users". This should cover all AD users. Could you make sure this is in the place?

Kind Regards

Pavel

Re: User ID (with Windows Agent) not working

TomYoung — Sat, 04 Mar 2023 04:12:27 GMT

Hi @FloriReus ,

The security policy drop down only shows groups. You need to manually type in users. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXWCA0 (It will also show previously typed in users.)

Could you add the user in the security policy exactly how you see it in the Monitoring tab, lan\user1, and let us know if that works?

Thanks,

Tom

Re: User ID (with Windows Agent) not working

FloriReus — Mon, 06 Mar 2023 09:31:57 GMT

Ah, thank you!
I already got this hint.
This brought me to a next issue - I can not add groups as the firewall can not read the DC. There is just no group in the list to add. (it seems reachable in general, if I shut it off I get a real error).

Re: User ID (with Windows Agent) not working

FloriReus — Mon, 06 Mar 2023 09:33:36 GMT

I tried this already (see attached screenshots). seems not top work.
but thanks for the link!

Re: User ID (with Windows Agent) not working

PavelK — Mon, 06 Mar 2023 12:07:21 GMT

Hello @FloriReus

thank you for reply.

To make sure there is no mis-understanding please replace: "Domain Name" with your organization's real AD domain name.

Regarding the issue you described, when you configure LDAP profile under: Device > Server Profiles > LDAP > [LDAP Profile Name], make sure that under Server Settings you configure Base DN that covers your entire domain. You can find that information from Windows CMD by issuing: dsquery *

The Base DN is first returned entry on the top. The Base DN is the starting point an LDAP server uses when searching for users authentication within your Active Directory and if this is configured correctly this is what you will see under "Available Groups" in Group Mapping Settings. You should be able to type AD group name and press search button, then "+" button to add it to include list:

Kind Regards

Pavel

Re: User ID (with Windows Agent) not working

FloriReus — Mon, 06 Mar 2023 12:33:44 GMT

yes, you are right!
I missed the baseDN; now it's working!

Re: User ID (with Windows Agent) not working

PavelK — Tue, 07 Mar 2023 04:27:28 GMT

Hello @FloriReus

thank you for getting back to me. Based on your screen shot, there are 2 additional things I would suggest:

- Enable LDAPS by selecting: "Require SSL/TLS secured connection" if possible to secure LDAP traffic.

- Add an additional LDAP server for redundancy to avoid single point of failure.

Kind Regards

Pavel