topic Re: Removed user from a AD group still given the access in General Topics

Removed user from a AD group still given the access

denisgaron — Mon, 01 Oct 2012 17:32:17 GMT

So here my problem.

I have create a new rule with a new AD group. I have added 4 users in the group, including myself.

I have open a new custom URL group there. All work fine so far.

Here my problem. I try to remove myself from the group. After applied many time rules, i still have an access to this rule.

- I have remove myself from that AD group.

- then i do the command CLI : show user group name "the_group". Its show 3 users (myself remove from the list).

So by apply rule its should remove my access. But when i check "MONITOR" i still see i get access for that rule. PA CLI no see me in the group but PA still have me listed in the AD GROUP.

I have not use "Group Mapping Settings" in "Device>User identification"

Instead i have list the AD group right in the policies, in USER TAB.

Any clue? how many time PA will take to sync the AD groups?

Re: Removed user from a AD group still given the access

Quinton — Mon, 01 Oct 2012 20:29:51 GMT

Just for interest sake try flushing the session table and retest - "clear session all"

Re: Removed user from a AD group still given the access

sdurga — Mon, 01 Oct 2012 22:11:59 GMT

As said above you can try clearing sessions. You can clear the sessions belonging to your PC by command "clear session all filter source 'PC IP address' " that way you do not interrupt other sessions.

Thanks,

Sandeep T

Re: Removed user from a AD group still given the access

denisgaron — Wed, 03 Oct 2012 14:39:13 GMT

so far i have try what sdurga say, because clear all session can have some behvior to others users. But i will try tonight to clear all sessions.

But that not solve the problem. I still have access since 2 days even is im not in the AD group.

Just one command have have remove me access just for like 1 minute :

- clear session all filter rule "The_rule_that_give_me_wrong_access"

After that clear, my sessions wasnt authentificated.

In Monitor i was seeing myself access with an IP. Its take like 1 minute before see authentificated access back with my username.

Right after, i get by my back my wrong access like before.

So clear the users cache not seam to remove my access.

Re: Removed user from a AD group still given the access

denisgaron — Fri, 05 Oct 2012 14:29:20 GMT

I have done a scheduled CLI for "clear session all", and that not solve my problem.

Last things i can test is reboot PA or i will open a ticket.