User-ID Agent for Active Directory won't transfer mappings

NinthShot — Tue, 11 Oct 2011 23:45:50 GMT

Hello-

I have a new PA500 (running 4.0.4) that I've set up and am now trying to tie to Active Directory in order to create user-based policies. I have everything configured to my knowledge, but I'm not getting any user-IP mappings on the firewall.

I installed what I believe to be the latest AD agent, 3.1.2 (filename PanAgent-3.1.2.msi), on my server and configured it as follows (using made-up IP addresses and domains for this example):

Domain Name: mydomain.com

Port Number: 31200

Domain Controller Address: 1.1.1.1

Allow List: 1.1.1.0/24

Filter Group: mydomain\users

I am able to successfully view the user-ip mappings and groups through the configuration program.

I have also configured the agent settings on the PA500 as follows:

Agent Type: userid-agent

Name: userid-AD

IP Address: 1.1.1.1

Port: 31200

Furthermore, I've enabled the agent on the trusted zone through the following settings:

Enable User Identification: Yes

Include List: addr-localnet (1.1.1.0/24)

I believe that this is all I have to do to get the user-IP mappings to work but I am not seeing any such mappings on the firewall. If I consult the PA500's logs I find:

UserID connected to agent userid-AD(1.1.1.1) version 3, initiated by 1.1.1.2

and

Pan-Agent connected: IP 1.1.1.1 port 31200, initiated by 1.1.1.2

However, if I consult the agent's logs on the server I find it filled with the following error:

New Connection(1.1.1.2:<port>) Socket(<socket>)
SSL read error in pan_host_agent_rcv_data -2-16-0
Connection(1) is closed!

If I run show user userid-agent statistics on the CLI I get an output like follows:

Server: userid-AD(vsys: vsys1) Address: 1.1.1.1:31200
        Connection                                        : Not Connected
        Version                                           : <Unknown>
        number of connection tried                        : 5295
        number of connection succeeded                    : 5224
        number of connection failed                       : 71
        number of user ip mapping messages received       : 0
        number of user ip mapping add entries received    : 0
        number of user ip mapping del entries received    : 0
        number of ip msgs rcvd but failed to process      : 0
        number of status messages received                : 0
        number of request of ip mapping messages sent     : 0
        number of request of all ip mapping messages sent : 0
        number of request of status messages sent         : 0

I'm at a loss here and hope that this is enough information for somebody to help me out. Does anybody have any ideas on why my mappings aren't working? I don't know whether this is applicable at all, but my Web GUI gives me a certificate error when I attempt to access it.

Thanks for any help you can provide.

Re: User-ID Agent for Active Directory won't transfer mappings

gswcowboy — Wed, 12 Oct 2011 04:34:02 GMT

Agent type on the PAN configuration should be pan agent as opposed to userid-agent. Change it and commit and you should see the PAN communicate successfully. Userid-agent is for eDir whereas pan-agent is for AD environment.

Re: User-ID Agent for Active Directory won't transfer mappings

NinthShot — Sun, 30 Oct 2011 21:43:27 GMT

Well, that was simple. Thanks for the help.

topic Re: User-ID Agent for Active Directory won't transfer mappings in General Topics

User-ID Agent for Active Directory won't transfer mappings

Re: User-ID Agent for Active Directory won't transfer mappings

Re: User-ID Agent for Active Directory won't transfer mappings