topic Re: Adding domain to username for user identification in General Topics

Adding domain to username for user identification

SistemasCajamar — Tue, 14 May 2013 15:20:17 GMT

Hello

We are using RSA for user authentication with Global Protect.

We need to identify the LDAP group (Windows Active Directory) the user belongs to, but It doesn't work.

The reason is that the user we use for authentication doesn't include the domain and the LDAP query doen't match the right user:

cscworks@pa-intx.cajamar.int(active)> show user ip-user-mapping all | match mbm60380

10.240.1.24 vsys1 UIA domain\mbm60380 2388 2388

10.240.1.1 vsys1 UIA domain\mbm60380 2101 2101

10.240.250.1 vsys2 GP mbm60380 2590859 2590859

cscworks@pa-intx.cajamar.int(active)> show user group name domain\group1

short name: domain\group1

[1 ] domain\aag60368

[2 ] domain\ced61081

[3 ] domain\jas61669

[4 ] domain\mbm60380

[5 ] domain\pmc61693

[6 ] domain\vcm60984

Is there any way to fix this?

Can the firewall add the domain to the LDAP query?

Re: Adding domain to username for user identification

gswcowboy — Tue, 14 May 2013 15:33:22 GMT

Add 'domain' in domain field within your ldap server profile and test. Here's my setup.

ldap {

amb {

server {

amb {

port 389;

address 172.16.20.23;

}

ldap-type active-directory;

base DC=amb,DC=local;

bind-dn renato@amb.local;

timelimit 30;

bind-timelimit 30;

ssl no;

domain amb;

admin@PA-200> show user ip-user-mapping all

IP Vsys From User IdleTimeout(s) MaxTimeout(s)

--------------- ------ ------- -------------------------------- -------------- -------------

172.16.20.1 vsys1 AD amb\renato 2697 2697

172.100.100.1 vsys1 GP amb\renato 10746 10746

172.16.20.2 vsys1 AD amb\renato 289 289

172.16.20.226 vsys1 CP amb\renato 459 2538

172.16.20.23 vsys1 AD amb\renato 2526 2212

Total: 5 users

Re: Adding domain to username for user identification

gswcowboy — Tue, 14 May 2013 15:35:28 GMT

Without the domain configured:

ldap {

amb {

server {

amb {

port 389;

address 172.16.20.23;

}

ldap-type active-directory;

base DC=amb,DC=local;

bind-dn renato@amb.local;

timelimit 30;

bind-timelimit 30;

ssl no;

admin@PA-200> show user ip-user-mapping all

IP Vsys From User IdleTimeout(s) MaxTimeout(s)

--------------- ------ ------- -------------------------------- -------------- -------------

172.16.20.1 vsys1 AD amb\renato 2695 2695

172.100.100.1 vsys1 GP renato 2592000 2592000

172.16.20.2 vsys1 AD amb\renato 135 135

172.16.20.226 vsys1 CP amb\renato 305 2384

172.16.20.23 vsys1 AD amb\renato 2372 2058

Re: Adding domain to username for user identification

SistemasCajamar — Tue, 14 May 2013 16:19:03 GMT

I've tried with domain but it doesn't work either:

domain.int-PCI-RSA {

server {

esc04.domain.int {

port 636;

address 192.168.66.3;

}

esc15.domain.int {

port 636;

address 192.168.66.15;

}

esc16.domain.int {

port 636;

address 192.168.66.16;

}

esc03.domain.int {

port 636;

address 192.168.66.4;

}

ldap-type active-directory;

bind-dn F5-APM-AD@domain.int;

timelimit 30;

bind-timelimit 30;

retry-interval 60;

bind-password xxxxxxxxxxxxxxxxxxx;

ssl yes;

base dc=domain,dc=int;

domain domain;

}

show user ip-user-mapping all | match mbm60380

10.240.1.24 vsys1 UIA domain\mbm60380 922 922

10.240.1.1 vsys1 UIA domain\mbm60380 2363 2363

10.240.250.1 vsys2 GP mbm60380 2591972 2591972

Thanks for your answer

Re: Adding domain to username for user identification

gswcowboy — Tue, 14 May 2013 16:35:17 GMT

Did you attempt to clear the user cache for the IP in question? Perhaps clearing the group cache as well and resetting the ldap server profile connection.

What PANOS are you running?

Re: Adding domain to username for user identification

SistemasCajamar — Tue, 14 May 2013 21:06:32 GMT

I'm afraid I don't know how to clear the user cache for that IP or the group cache. I don't know how to reset the ldap server profile connection either.

I'm running 5.0.4 version

What authentication method are you using?

Re: Adding domain to username for user identification

mbutt — Tue, 14 May 2013 21:36:28 GMT

You can use the following commands to clear the user ip mapping from the firewall. Just make sure user is logged out before you do this.

clear user-cache ip

clear user-cache-mp ip

Moreover, If you are using AD to authenticate user and have added netbios domain name in the profile that it should be appended to the mapping.

Hope this helps.

Thank you

Re: Adding domain to username for user identification

SistemasCajamar — Wed, 15 May 2013 06:47:14 GMT

Hello

I have cleared both caches but the result is the same.

I'm using RSA SecurID authentication, through a Cisco Secure ACS 4.2 server. It doesn't support domain stripping. At least the version we have

Thanks for you help

Re: Adding domain to username for user identification

SistemasCajamar — Wed, 15 May 2013 07:55:06 GMT

I've tried another thing:

- If I type domain\mbm60380 for GlobalProtect authentication the firewall sends to the Radius Server is mbm60380. It removes the domain.

- Nevertheless, if I type mbm60380@domain the firewall does send that user to the Radius. In that case it doesn't remove the suffix.

Re: Adding domain to username for user identification

SistemasCajamar — Wed, 15 May 2013 15:25:33 GMT

I've been able to solve this issue.

Y use <username>@domain format in the GlobalProtect Client.

Then, I make the domain stripping in the Radius configuration so that the RSA server authenticates just the username without domain

Thank you