topic Re: Source user not found in General Topics

Source user not found

JRussell — Fri, 26 Oct 2012 15:19:48 GMT

Hi there,

I have a random issue occur whereby one or two of my users seem to loose access to their internet privileges. I check on PA and it shows the traffic but no source user, which is what the rule for their internet access is based on. If we reboot their pc then it is fine again, but I just wondered what could be causing this to all of a sudden and randomally not identify their user.

I have checked and they are not running any applications with elevated permissions. So just wondered if this is something anyone else has come across or knows how to resolve?

Oh, I have a PA 2020 box and 2 User identification servers running. Both online.

Re: Source user not found

mikand — Fri, 26 Oct 2012 21:00:10 GMT

What is your settings of the pan-agent installations you run?

Everything from TTL's to if serverlogs are being followed along with wmi query of the clients?

Re: Source user not found

JRussell — Tue, 30 Oct 2012 09:00:44 GMT

Hi Mikand,

My settings on my PAN-Agents are as follows.

Enabled Security Log monitor. 1 Sec

Enable Server Session Read Frequency was off but I now have it on as 10.

Enabled WMI probing

Enabled NetBIOS Probing. 1 minute Interval

Enabled User Identification Timeout 45 min

And Use SSL is the only other option ticked in my settings.

Re: Source user not found

jdelio — Tue, 30 Oct 2012 19:27:22 GMT

If you are using an Agent, like User-ID agent, the agent has a "timeout" period where it will timeout the user who is logged in.. (I think 45 min default), might be longer.

After this timeout, the user's ID will be unknown, and at that time you can reboot/login again, this action should tell the AD server that the account has logged back in, thus updating the user information, thus Identifying the user. But there are really 2 answers:

1. Extend the user timeout, so the user's information will be in the cache longer and they will no be logged "out".

2. Setup and configure Captive Portal, so when users who are "unknown" are then prompted.

I hope this helps.

If this does not help, please open a case with support and we can assist that way.

Have a Great Day!

Re: Source user not found

JRussell — Wed, 31 Oct 2012 08:33:06 GMT

I will try increase the timeout to see if that resolves it. Is there any harm in turning off that timeout? Ie: if someone logs on with a user with extended privileges and then logs off, then someone logs onto that pc locally, if I have turned the timeout off will they get the previous users web permissions?

As with Captive Portal, this was in use previously, but we are trying to move away from that in lieu of running our rules based on domain credentials. Hence my captive portal is currently disabled.

Re: Source user not found

jdelio — Wed, 31 Oct 2012 13:06:16 GMT

Your question:

"if someone logs on with a user with extended privileges and then logs off, then someone logs onto that pc locally, if I have turned the timeout off will they get the previous users web permissions?"

If the first user does not log off, then yes.

If the first logs out, then someone else logs in, there should be a system log that indicates that someone is logging in, and adjust the user info as needed.

If this is traffic on a Terminal server, where multiple people are logged into the same machine, then you would need to think about using the Terminal Services Agent.

Either way, You always want to have some level of "timeout".. be it 3-4-5 hours.. but the longer that you keep someone in the system.. As you would never want someone to be

logged into a machine for "infinity".

I can understand about Captive Portal. It makes sense.

I hope this helps!

Re: Source user not found

mikand — Thu, 01 Nov 2012 07:15:03 GMT

Another situation can be that userX is logged in but needs assistence from the support.

Support logins using RDP (through SCOM or such) as userY to remotely assist userX.

Now userY is the latest logged in to this device and suddently userX lost all its credentials in the network until the userX relogins.

Or is this handled some way today (because one ip can only have one user if im not mistaken in the userid-db)?

Re: Source user not found

JRussell — Thu, 01 Nov 2012 09:03:13 GMT

Yes, I have noticed that with the multi remote and when another userY logs on the currently logged on User X gets their permissions. Although I have made my own support team aware of this.

But I thought having the Client Probing set to 1 minute it means that they wouldn't have those extended permissions for very log after the userY logs off.