topic Re: GlobalProtect ip-user-mapping issue in General Topics

GlobalProtect ip-user-mapping issue

errevisystem — Fri, 22 Feb 2013 10:36:40 GMT

PA-500

PAN-OS 5.0.2

Hello, we've deployed GlobalProtect with local user authentication (authentication profile = local database), user identification is enabled both on trust and vpnclient zones.

Also, user mapping is enabled with UID Agent directly from the firewall.

Everything's working fine with vpn authentication, once connected the client shows up as the LOCAL user as expected:

IP address: 10.1.253.10 (vsys1) <<<<<<<<<<<<< assigned ip address range is 10.1.253.0/24

User: abcde <<<<<<<<<<<<<<<<<< this is in the local user database

From: GP

Idle Timeout: 2591965s

Max. TTL: 2591965s

Groups that the user belongs to (used in policy)

When the vpn client starts to generate traffic to/from internal lan accessing active directory resources (i.e. remote desktop or network shares) it has to authenticate towards Active Directory with domain credentials.

This obviously also generates security logs on the DCs, which are read by onboard UID agents causing ip-user-mapping to change from LOCAL user to AD user for the same ip address:

IP address: 10.1.253.10 (vsys1)

User: testdomain\testuser <<<<<<<<<<<<<<<<< this is the AD account used to authenticate when accessing internal lan resources

From: AD

Idle Timeout: 2699s

Max. TTL: 2696s

Groups that the user belongs to (used in policy)

Group(s): cn=vpn_users-all,ou=vpn,dc=testdomain,dc=local

This is causing issues since security policies for vpn clients are setup with LOCAL users and not AD users, as obviuos.

I'm aware that using AD authentication for GlobalProtect would be advisable, but now we have to keep on with local user authentication.

Haw can we prevent AD user-ip-mapping from overwriting the initial (correct) GlobalProtect mapping for vpn client network range 10.1.253.0/24?

ps: I've tried the Include/Exclude Network option in Use Mapping section by entering the exclusion for 10.1.253.0/24, but with no success.

Thank You

Re: GlobalProtect ip-user-mapping issue

gafrol — Fri, 22 Feb 2013 13:10:57 GMT

Maybe you could use the CLI command set user-id-collector include-exclude-network in order to exclude GP IP Pool 10.1.253.0/24 from AD IP usermapping ?

rgds

Roland

Re: GlobalProtect ip-user-mapping issue

sdurga — Fri, 22 Feb 2013 18:03:47 GMT

I have done a quick test on 5.0.1 on my PA and I do see the same behavior. I have excluded the network 10.101.101.0/24 as shown below in the running configuration from the CLI

But User-IP-Mappings for the IP of the GP client 10.101.101.125 are still mapped if I access an AD inside my network as shown below

This is not working a expected. I would suggest you to open a ticket with support for further help.

Thanks,

Sandeep T

Re: GlobalProtect ip-user-mapping issue

minow — Tue, 28 Jan 2014 07:05:22 GMT

hey

did you managed with this?

we are having almost the same issues.

what have you done?

thanks

Re: GlobalProtect ip-user-mapping issue

_slv_ — Tue, 28 Jan 2014 18:20:46 GMT

Hi minov

This topis is near one year old. What version of PAN do you have installed?

Please upgarde to 5.0.9, I'm on 5.0.9 and I haven't such problems.

Regards

Slawek

Re: GlobalProtect ip-user-mapping issue

minow — Wed, 29 Jan 2014 17:54:14 GMT

5.0.9 i have a user authenticate through Radius, and then RDP to a server and some shares then the user-ip-mapping changes to the AD user which have different policy