<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: User ID from eDirectory, multiple IPs per user in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/user-id-from-edirectory-multiple-ips-per-user/m-p/44004#M32301</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Stefan,&lt;/P&gt;&lt;P&gt;The firewall gets the ip-user-mapping from either the agent or through the agentless service, based on the logon events from the DC or from the eDirectory. The agent or the service can hold multiple ip-user mappings for the same user, but from different machines (IP addresses). We should also see the multiple entries for the user on the agent or the firewall (agentless service). Can you increase the timeout of the ip-user-mapping on the agent, so that the entries are not cleared at a faster rate? &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;It's common to see unknowns under the "show user ip-user-mapping all" command. This mapping is seen when the firewall does not have information about an IP address from the agent/agentless service, and for those users for whom captive portal isn't defined. You can force the firewall to query the agent/agentless service to actively probe for these unknown IP addresses using NetBIOS or WMI probing. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The documents below explain the recommended steps for user identification:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A _jive_internal="true" class="active_link" href="https://live.paloaltonetworks.com/docs/DOC-1052"&gt;https://live.paloaltonetworks.com/docs/DOC-1052&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-4534"&gt;https://live.paloaltonetworks.com/docs/DOC-4534&lt;/A&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Mon, 24 Jun 2013 16:29:51 GMT</pubDate>
    <dc:creator>kprakash</dc:creator>
    <dc:date>2013-06-24T16:29:51Z</dc:date>
    <item>
      <title>User ID from eDirectory, multiple IPs per user</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/user-id-from-edirectory-multiple-ips-per-user/m-p/44003#M32300</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;For identifying users on a PA-3020 with PAN-OS 5.0.5, I use a combination of reading the information from eDirectory, XML-API and captive portal.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am now facing the problem that, for users who use different computers at the same time with their user account, which is authenticated against the eDirectory (for example one at their workplace and another one during a meeting in another room), only the first IP which is known to the eDirectory is authenticated on the firewall (but both IPs are available in the eDirectory if I check for them using a simple LDAP browser or Novell ConsoleOne) and the captive portal is shown to the user (in the best case; I also got reports that in some cases just the block response page was shown).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Also, I sometimes have entries for source "Unknown" and user "Unknown" if I list the user mappings on the device using "show user ip-user-mapping all".&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Is that a known problem or more a kind of feature? &lt;img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Best regards&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Stefan Steinert&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 24 Jun 2013 15:28:55 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/user-id-from-edirectory-multiple-ips-per-user/m-p/44003#M32300</guid>
      <dc:creator>StefanSteinert</dc:creator>
      <dc:date>2013-06-24T15:28:55Z</dc:date>
    </item>
    <item>
      <title>Re: User ID from eDirectory, multiple IPs per user</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/user-id-from-edirectory-multiple-ips-per-user/m-p/44004#M32301</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Stefan,&lt;/P&gt;&lt;P&gt;The firewall gets the ip-user-mapping from either the agent or through the agentless service, based on the logon events from the DC or from the eDirectory. The agent or the service can hold multiple ip-user mappings for the same user, but from different machines (IP addresses). We should also see the multiple entries for the user on the agent or the firewall (agentless service). Can you increase the timeout of the ip-user-mapping on the agent, so that the entries are not cleared at a faster rate? &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;It's common to see unknowns under the "show user ip-user-mapping all" command. This mapping is seen when the firewall does not have information about an IP address from the agent/agentless service, and for those users for whom captive portal isn't defined. You can force the firewall to query the agent/agentless service to actively probe for these unknown IP addresses using NetBIOS or WMI probing. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The documents below explain the recommended steps for user identification:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A _jive_internal="true" class="active_link" href="https://live.paloaltonetworks.com/docs/DOC-1052"&gt;https://live.paloaltonetworks.com/docs/DOC-1052&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-4534"&gt;https://live.paloaltonetworks.com/docs/DOC-4534&lt;/A&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 24 Jun 2013 16:29:51 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/user-id-from-edirectory-multiple-ips-per-user/m-p/44004#M32301</guid>
      <dc:creator>kprakash</dc:creator>
      <dc:date>2013-06-24T16:29:51Z</dc:date>
    </item>
    <item>
      <title>Re: User ID from eDirectory, multiple IPs per user</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/user-id-from-edirectory-multiple-ips-per-user/m-p/44005#M32302</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Thank you for that suggestion. I will try that next week as soon as I have access to the system again.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 01 Jul 2013 05:58:43 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/user-id-from-edirectory-multiple-ips-per-user/m-p/44005#M32302</guid>
      <dc:creator>StefanSteinert</dc:creator>
      <dc:date>2013-07-01T05:58:43Z</dc:date>
    </item>
    <item>
      <title>Re: User ID from eDirectory, multiple IPs per user</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/user-id-from-edirectory-multiple-ips-per-user/m-p/44006#M32303</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;OK, I played around with the timeout settings of the agentless service of the device but had no success. The device still sees only one IP address from the eDirectory.&lt;/P&gt;&lt;P&gt;For testing, I have installed the User-ID Agent on one of my clients, which is then able to see both IP addresses; the device is also able to see both IPs if I add the Agent to the device.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I guess that there is a bug in the implementation of the agentless service on the device, so that it only retrieves one IP from the eDirectory &lt;img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 19 Jul 2013 07:04:05 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/user-id-from-edirectory-multiple-ips-per-user/m-p/44006#M32303</guid>
      <dc:creator>StefanSteinert</dc:creator>
      <dc:date>2013-07-19T07:04:05Z</dc:date>
    </item>
  </channel>
</rss>

