topic problem with groups in user-id mapping in General Topics

problem with groups in user-id mapping

assona — Thu, 07 Jun 2012 14:50:50 GMT

hi,

i have a problem with using groups (from windows active directory) in security rules.

on our windows active directory i have created a new group fw_finance. we use the PAN user-id agent to get the mapping from ip to user. i mapped this group on our PA-500 (user identification - group mapping settings). than i created a new security rule, that all users in this group can use port 3048 outgoing. so far so good. but if the users in this group try to connect the port 3048 outside, they will be dropped. on CLI i see the following:

tettrich@fw003> show user ip-user-mapping ip 10.50.2.97

IP address: 10.50.2.97

User: assona\cheXXX

Ident. By: AD

Idle Timeout: 2417s

Max. TTL: 2417s

Groups that the user belongs to (used in policy)

no group is shown!

tettrich@fw003> show user group name assona.local\fw_finance

group short name: assona.local\fw_finance
[1     ] assona.local\cheiXXX
[2     ] assona.local\XXXXX
[3     ] assona.local\XXXXXXX
[4     ] assona.local\XXXXXX
[5     ] assona.local\XXXXXXX

all users of this group are shown right!

and with show user user-IDs i get also the right information, that user cheiXXX is in the group fw_finance.

PA-500 with software version 4.1.6

User-ID Agent Version 4.1.4-3

can anyone help me?

thanks

tom

Re: problem with groups in user-id mapping

sspringer — Thu, 07 Jun 2012 17:33:39 GMT

Hi Tom,

From the output provided I would guess the domain is set to 'assona.local' when it should be set to NETBIOS name 'assona'.

The output should show as follows:

tettrich@fw003> show user ip-user-mapping ip 10.50.2.97

IP address:  10.50.2.97
User:        assona\cheXXX
Ident. By:   AD
Idle Timeout: 2417s
Max. TTL:    2417s
Groups that the user belongs to (used in policy)

tettrich@fw003> show user group name assona\fw_finance


group short name: assona\fw_finance
[1     ] assona\cheiXXX
[2     ] assona\XXXXX
[3     ] assona\XXXXXXX
[4     ] assona\XXXXXX
[5     ] assona\XXXXXXX

Please let me know if this helps.

- Stefan

Re: problem with groups in user-id mapping

assona — Mon, 11 Jun 2012 12:42:34 GMT

hi stefan,

thanks! i renamed the domain from assona.local to assona and it works.

cheers

tom

Re: problem with groups in user-id mapping

sthscadmin — Thu, 18 Oct 2012 04:56:18 GMT

Hi,

We have a PA-500 in a single forest single domain environment and have installed UIA on one of our DCs.

Problem is user-id is not working in Security policies and the PA box does not recognise group membership.

Thing I would like to check with you guys are:

-Port number for LDAP server profile which is 389

-User-id agent port; we are using 5007. Should we use another port?

Also show user group name "domain\domain admins" results in the following message:

User group 'domain\domain admins' does not exist or does not have members

Any idea?

Re: problem with groups in user-id mapping

sspringer — Thu, 18 Oct 2012 21:50:53 GMT

Using port 5007 should be fine.

A common mistake when using port 389 is to forget to uncheck 'SSL'. Since ldap port 389 does not use ssl, please verify that 'SSL' is unchecked.

Hope this helps.

-Stefan

Re: problem with groups in user-id mapping

sthscadmin — Tue, 23 Oct 2012 03:21:47 GMT

Hi Stefan,

SSL is unchecked.

It was all working good before we updated from PAN-OS 4.1.6 to 4.1.7 then it stopped working.

Have updated to 4.1.8 but still no luck.

Next I'm going to try is to create new Global Security groups and apply rules to those new groups and see how it goes.

Have tried with both Universal and Global groups but ....no change.

Thanks

Vaughan

Re: problem with groups in user-id mapping

SDorsey — Tue, 23 Jul 2013 00:11:19 GMT

That just helped me out too! Thanks for the info.