topic User-id agent timeout integration with dhcp lease timeout in General Topics

User-id agent timeout integration with dhcp lease timeout

N2Z2 — Wed, 27 Apr 2022 15:39:27 GMT

Hi all,

let's suppose these conditions:

- interface with dhcp enabled, 24 hours lease timeout, ip range (for example) 192.168.3.0/24

- user-id agent enabled with 45 minutes timeout

- virtual machine environment with non persistent vm, so when a machine is powered off it will be destroyed and recreated with a new mac address

- a machine cannot do web-browsing without user-id

An example:

26/04/2022 11:03:49 -> machine MACHINE1 got ip from dhcp, 192.168.3.1

27/04/2022 11:00:00 -> user USER1 log into MACHINE1, so a user-id mapping will be created between 192.168.3.1 and USER1

27/04/2022 11:02:00 -> user USER1 log off from MACHINE1

27/04/2022 11:02:30 -> machine MACHINE1 will be recreated with a new mac address and got 192.68.3.100 from dhcp

27/04/2022 11:03:00 -> machine MACHINE1 release dhcp address got 24 hours ago

27/04/2022 11:20:00 -> a user with a pc connect his machine to the network and he got 192.168.3.1

Between 11:20:00 and 11:45:00 the user "unknown" with his pc can do web-browsing with ip 192.168.3.1 because he's recognized as USER1

27/04/2022 11:45:00 -> the user-id mapping between USER1 and 192.168.3.1 will be deleted, the "unknown" user can't web-browsing anymore

This could cause

- unknown user do web-browsing without having rights

- unknown user could visit sites as USER1, so the logs are not consistent

- unknown user can have access to other network segment due to the fact that he is presenting as USER1

- and so on..

Any hint on this, other that reducing dhcp timeout that could mitigate a bit the problem, but it doesn't resolve it?

Obviously the ideal could be that the dhcp does not assign an ip if there is already a user-id agent associated to the same ip with a different mac address, but I think I'm asking too much..

Thanks

Re: User-id agent timeout integration with dhcp lease timeout

OtakarKlier — Wed, 27 Apr 2022 20:08:41 GMT

Hello,

If you have an AD or other radius system, I would use those logs instead of DHCP for user-id.. I had other issues in the past with user -id not being quick enough with AD so I started using Exchange logs, however there are issues with this as well, i.e. need to have outlook open, etc. You could install global protect on these VM's as the base image and have it update the PAN, e.g. internal gateway?

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClH1CAK

Just some thoughts.

Re: User-id agent timeout integration with dhcp lease timeout

BPry — Thu, 28 Apr 2022 00:44:10 GMT

@N2Z2,

Anytime you have a situation like this, I really recommend using GlobalProtect and user certificates to handle the User-ID portion of things if you have an internal PKI infrastructure setup. It's the best experience that essentially eliminates the capability for a user to get an IP address with stale User-ID information associated with it.

If that isn't an option for you, then I would recommend following @OtakarKlier's advice and using AD/Radius for user-id information so that the user logging into the VM will update the ip-user-mapping and overwrite the stale User-ID information.

I ran into one instance a while back that the environment was doing essentially what you are doing now. The solution in that case was a lot of scripting and log scrubbing and using the API to update user information manually. It wasn't an elegant solution, but it got them through until a proper GlobalProtect installation could be configured and deployed in their environment.

Re: User-id agent timeout integration with dhcp lease timeout

N2Z2 — Thu, 28 Apr 2022 08:58:04 GMT

Hi,

I've an AD domain connected for user-id agent, but in the example in the first post, the user "unknown" connects his MacBook to the network and he doesn't do login to AD domain (for example, it could do web-browsing with an ip based policy and a static dhcp lease for his mac address, I can't see the user but I'm 100% sure that the ip is his ip address, without considering mac spoofing).

The perfect solution will be "connect your MacBook to another vlan to get the address from another subnet" and usually this is the way, but there are a couple of case in which I cannot do that.

Maybe I could put a logoff script via gpo (yet another not elegant solution, as you said) that could use an API to invalidate the mapping?

Maybe something like

curl -F key=<mykey> --form file=@<myfile> "https://myfirewallip/api/?type=user-id

using this as <myfile>

<uid-message>
<payload>
<logout>
<entry user="domain\user1" ip="<local_ip_go_from_script>">
</logout>
</payload>
<type>update</type>
<version>1.0</version>
</uid-message>

Thanks again

Re: User-id agent timeout integration with dhcp lease timeout

OtakarKlier — Thu, 28 Apr 2022 15:41:01 GMT

Hello,

So if you have a user, ie a guest, on your network, you can use the captive portal to capture their user name.

https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/user-id/user-id-concepts/user-mapping/captive-portal

Just a thought.

Re: User-id agent timeout integration with dhcp lease timeout

N2Z2 — Fri, 29 Apr 2022 08:07:19 GMT

Hi,

yes, it could be a solution.

Thanks for the hint