topic Re: Palo Alto 2020 doesn't close session when using AD authentication in General Topics

Palo Alto 2020 doesn't close session when using AD authentication

slawek.kunach — Fri, 01 Jun 2012 09:28:38 GMT

Hi,

This might be a really easy thing I have missed but when we try to authenticate against our AD users instead of strictly by IP and zone it works fine the first person to log on. But then if you log off and someone else with less privilages logs on they get whatever access the previous person had, which could be a problem especially if the last person to log on was the domain admin for instance.

Any suggestions as to why this might be?

Re: Palo Alto 2020 doesn't close session when using AD authentication

npare — Fri, 01 Jun 2012 14:37:12 GMT

Is it possible that the second user doesn't logon to the domain? The agent monitors logins but is not aware of logouts, so if user "A" logins, then logs out, and then user "B" from the same workstation logs in locally, the agent will not see a new login for that same workstation and thus assume user "A" is still using that IP address.

Re: Palo Alto 2020 doesn't close session when using AD authentication

slawek.kunach — Fri, 01 Jun 2012 15:46:13 GMT

No, they are definatly both domain users.

One thing that might help. I have 2 DC's in my forest. Perhaps my Palo Alto box only picks up logons that have authenticated with DC1?

But the only way I could have seen that happening if it was a one off as DC2 is just there as a fail over in case DC1 becomes unavailable.

Any other suggestions?

Re: Palo Alto 2020 doesn't close session when using AD authentication

rmonvon — Fri, 01 Jun 2012 16:17:22 GMT

Please check the userID agent and confirm that it's monitoring both DC's. Also, check the agent's log to ensure that the agent has the permission to read the security log of both DC's. As long as the 2nd user logs into the AD domain, the agent will detect the 2nd user and update the PA device. Thanks.

Re: Palo Alto 2020 doesn't close session when using AD authentication

mikand — Fri, 01 Jun 2012 18:30:53 GMT

What are the default settings regarding TTL's for the user-cache in the pan-agent?

And how will enabling WMI improve the hitrate?

Re: Palo Alto 2020 doesn't close session when using AD authentication

slawek.kunach — Tue, 12 Jun 2012 14:00:46 GMT

Hi,

I have checked and yes the 2nd DC is set in the Palo Alto and yes they have permissions to read the security logs.

Also the default User TTL is 60 min under User idenfication in the ID agent

Re: Palo Alto 2020 doesn't close session when using AD authentication

rmonvon — Tue, 12 Jun 2012 14:33:55 GMT

I would recommend opening a case with Support. Thanks.