topic Implementing User Identification via AD in General Topics

Implementing User Identification via AD

damir_porobic — Wed, 18 Jul 2012 08:18:18 GMT

Hi everybody,

I'm trying to implement user identification via active directory on PA-200. I've added the AD server under Device -> LDAP and added group mapping under Device -> User Identification.Now I guess I need to install user-ID agent on a local machine but I can't find a download link for this app.

Is it possible to implement user identification without this user-id agent?

Can anyone provide a simple guide for this whole process? I'm using few documents but wasn't able to find a single document that explains this procedure from start to end on a simple example.

Regards,

Damir

Re: Implementing User Identification via AD

BlackfenSchool — Wed, 18 Jul 2012 09:48:14 GMT

Hi Damir

I'm not much help, as I'm trying to figure this out too. But I did find the User ID Agent software here;

Palo Alto Networks</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <meta http-equiv="X-UA-Compatible" content="IE=edge"><title>Palo Alto Networks

Re: Implementing User Identification via AD

zarina — Wed, 18 Jul 2012 17:25:09 GMT

Damir,

You need the agent to get ip to user mapping. You can download the agent from the support portal:

Palo Alto Networks</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <meta http-equiv="X-UA-Compatible" content="IE=edge"><title>Palo Alto Networks

This document walks you through the installation procedure for the PANOS 4.1.

https://live.paloaltonetworks.com/docs/DOC-2132

Thanks,

Sri

Re: Implementing User Identification via AD

BlackfenSchool — Wed, 18 Jul 2012 17:54:55 GMT

Don't forget to enable user identification on your trusted zone. I missed that tick box, and spent over an hour trying to figure out why it wasn't working.

Re: Implementing User Identification via AD

damir_porobic — Wed, 18 Jul 2012 18:10:20 GMT

Thanks Shaun, I'll try it with this guide, it's actually what I was looking for...

Re: Implementing User Identification via AD

damir_porobic — Thu, 19 Jul 2012 07:17:44 GMT

OK, this was the first step, now I need to configure the User-ID Agent and PA Firewall.

I have configured an User-id agent under Device -> User Identification -> User-ID Agents but its Connected Status is Red. And yes, I have enabled user identification on the trusted zone.

Another interesting thing is that I can't see any logs on the User-ID Agent. I see all users that are active one the network under the Monitoring option but no logs.

Solution:

It looks like I forgot to add the PA-200 to the list of allowed devices to access the User-ID agent. Now it works fine as far as I can see.

Regards,

Damir

Message was edited by: Damir Porobic

Re: Implementing User Identification via AD

kwj — Fri, 19 Apr 2013 15:33:27 GMT

THIS ^. I did not know that checkbox was there under the zone config. Would have been here all day...