topic Re: Can't select users in policy in General Topics

Can't select users in policy

cryptochrome — Mon, 24 Dec 2012 16:45:24 GMT

Hi,

I am playing with my little PA-200 and wanted to try user based policies. I added a couple of users to the local user database and grouped them into user groups. Now when I create a new policy (or modify an existing one), the source-user field stays empty, my users don't show up so I can't add them. Even when I start typing (for autocomplete) I don't get any results.

Captive Portal, auth profile etc. are all configured as per documentation, and the interface is configured for UserID.

What am I missing here?

Thanks

Sascha

Re: Can't select users in policy

sraghunandan — Mon, 24 Dec 2012 17:58:01 GMT

HI Sascha,

I can replicate the same but i believe/confirmed that you can manually type the local users/groups in the policy and it works fine. One important thing to note is you can use these local user db only for ssl vpn users and captive port users.

Thank you.

Subijith Raghunandan.

Re: Can't select users in policy

cryptochrome — Mon, 24 Dec 2012 18:36:51 GMT

Hi,

thanks. But I can't confirm this. I type in the full user/group name but it still doesn't work (I am using captive portal for this). By the way, this is PanOS 5.0.

Sascha

Re: Can't select users in policy

sraghunandan — Mon, 24 Dec 2012 18:41:06 GMT

Hi Sascha,

Can you try with users only and the authentication profile for CP has local db selected right.

Thank you,

Subijith Raghunandan.

Re: Can't select users in policy

cryptochrome — Mon, 24 Dec 2012 18:45:55 GMT

It has local DB selected. I tried with users only, but to no avail. If enabled with a typed in user and generate traffic, I don't get a captive portal page and traffic is denied (confirmed via traffic log).

Re: Can't select users in policy

sraghunandan — Mon, 24 Dec 2012 18:53:56 GMT

Hi Sascha,

Firstly the local db users can be used only after you get the captive portal page (once you get the cp page enter the username that when we get the user to ip mapping ) i.e once the auth is successful that when you can have the policies using the local db users.So i would suggest you to have a sec policy allowing unknown users under the user field select unknown or leave it to any and set the application to web browsing,dns. Then you can have a policy below it with the local user specified and then regulate it accordingly.

Thank you.

Subijith Raghunandan.

Re: Can't select users in policy

cryptochrome — Mon, 24 Dec 2012 20:18:07 GMT

Looks like we're getting closer So why two policies? Can't I put this in one policy? Destination server is HTTP, but operates on port 10001.

Thanks

Sascha

Re: Can't select users in policy

sraghunandan — Mon, 24 Dec 2012 20:52:47 GMT

Hello Sascha,

The user is not identified until and unless we have him login to the cp page so in order to get there we need a policy allowing it, and later on once we are identified (ie user to mapping is formed) then the second rules comes in to play.

We always look at the ip of the incoming traffic first and then look to see if there is a mapping for it.

The second policy with the user in can have the dest set to the http server and the port 10001.

Thank you.

Subijith Raghunandan.

Re: Can't select users in policy

cryptochrome — Mon, 24 Dec 2012 21:04:43 GMT

Thanks. I am still puzzeled by the first policy you mention. My understanding was that the captive portal is transparent. So if I set up a rule that requires a user to authenticate, shouldn't captive portal page show up transparently and thus only one policy necessary?

Anyways... so the first policy is set to unknown user to get the captive portal page to show up. But what do I allow in the first rule and to which destination? If my actual matching rule is supposed to be the second one, what do I put in the first? Sorry, but this kind of evades my logic :smileygrin:

Cheers

Sascha

Re: Can't select users in policy

sraghunandan — Mon, 24 Dec 2012 21:10:48 GMT

Hello Sascha,

The traffic flow is as follows :-

Broswer--type in an url--the traffic hits the pa (at this moment the user is not known to the fw ) it looks at the dest ip and its relevant zone. so first and foremost we need a policy to allow this, once this is allowed the traffic hits the cp policy and the page shows up.

Thank you.

Subijith Raghunandan.

Re: Can't select users in policy

cryptochrome — Mon, 24 Dec 2012 21:33:48 GMT

Ok, say I have two rules:

1. src: any, src-user: unknown, dst: webserver-a, app:web-browsing

2. src: any, src-user: my_users, dst: webserver-a, app:web-browsing, port 10001

Now the first thing the user does is open http://webserver-a:10001

In that case, the first rule would not match and he would never see CP. Did I get that right? If so, the user always has to do something first that is allowed by another rule (in this case rule nr. 1) to be able to trigger CP?

Confusing. Or I still don't get it.