https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-identifies-local-pc-users-so-captive-portal-never/m-p/21457#M15666 <HTML><HEAD></HEAD><BODY><P>Thanks, but I don't see anything in those that leaps out as being applicable here?</P><P></P><P>We're not even seeing the portal - the PAN seems to assume the username is "<STRONG>LOCALPC\localaccount</STRONG>" so simply blocks access because it doesn't match any rule.</P></BODY></HTML> Wed, 29 Jan 2014 18:56:01 GMT networkadmin 2014-01-29T18:56:01Z https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-identifies-local-pc-users-so-captive-portal-never/m-p/21455#M15664 <HTML><HEAD></HEAD><BODY><P>I upgraded our PAN from 4.1.x to 5.0.10 and also upgraded the User-ID agent from 3.x to the latest 5.x.</P><P></P><P>We have some rules configured with groups specified and we have captive portal in place and what used to happen was if you came along on a domain joined laptop but were logged on as a local account (so <EM><STRONG>LAPTOPNAME\LocalAccount</STRONG></EM>) you'd get the portal and would have to authenticate using a domain account (standard Kerberos auth against the DCs).</P><P></P><P>What's happening now is that the request is blocked because it's hitting the last whitelist rule which blocks all URL Categories other than the allow whitelist.</P><P></P><P>The block page is showing the user as <EM><STRONG>LAPTOPNAME\LocalAccount</STRONG></EM> so the firewall must be picking up the local logon name from the User-ID agent - looking at the mapping list on the User-ID agent on the DCs confirms this.</P><P></P><P>So I'm assuming we don't get the captive portal because the user is always known so the portal never needs to kick in?</P><P></P><P>How can I make it so that the firewall won't see any usernames other than <STRONG><EM>DOMAIN\Username</EM></STRONG> from the User-ID agent please, so that in the situation above the portal would kick in like it used to?</P><P></P><P>I've looked everywhere I can think of and I'm drawing a blank.</P></BODY></HTML> Wed, 29 Jan 2014 16:47:28 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-identifies-local-pc-users-so-captive-portal-never/m-p/21455#M15664 networkadmin 2014-01-29T16:47:28Z https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-identifies-local-pc-users-so-captive-portal-never/m-p/21456#M15665 <HTML><HEAD></HEAD><BODY><P>Related discussions:</P><P><A href="https://live.paloaltonetworks.com/message/5140">password</A></P><P><A href="https://live.paloaltonetworks.com/message/21970">Re: Captive Portal to Internal Servers</A></P><P></P><P>Thanks</P></BODY></HTML> Wed, 29 Jan 2014 18:37:39 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-identifies-local-pc-users-so-captive-portal-never/m-p/21456#M15665 HULK 2014-01-29T18:37:39Z https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-identifies-local-pc-users-so-captive-portal-never/m-p/21457#M15666 <HTML><HEAD></HEAD><BODY><P>Thanks, but I don't see anything in those that leaps out as being applicable here?</P><P></P><P>We're not even seeing the portal - the PAN seems to assume the username is "<STRONG>LOCALPC\localaccount</STRONG>" so simply blocks access because it doesn't match any rule.</P></BODY></HTML> Wed, 29 Jan 2014 18:56:01 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-identifies-local-pc-users-so-captive-portal-never/m-p/21457#M15666 networkadmin 2014-01-29T18:56:01Z https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-identifies-local-pc-users-so-captive-portal-never/m-p/21458#M15667 <HTML><HEAD></HEAD><BODY><P>Following docs will help:-</P><P><A _jive_internal="true" href="https://live.paloaltonetworks.com/message/20368#20368">https://live.paloaltonetworks.com/message/20368#20368</A></P><P><A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-3629">https://live.paloaltonetworks.com/docs/DOC-3629</A></P></BODY></HTML> Wed, 29 Jan 2014 20:17:12 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-identifies-local-pc-users-so-captive-portal-never/m-p/21458#M15667 sraghunandan 2014-01-29T20:17:12Z https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-identifies-local-pc-users-so-captive-portal-never/m-p/21459#M15668 <HTML><HEAD></HEAD><BODY><P>It looks similar to the second issue.&nbsp; We have a standard AD though at 2003 Functional Level - nothing unusual or custom so this seems bizarre behaviour.</P></BODY></HTML> Thu, 30 Jan 2014 11:08:01 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-agent-identifies-local-pc-users-so-captive-portal-never/m-p/21459#M15668 networkadmin 2014-01-30T11:08:01Z