https://live.paloaltonetworks.com/t5/general-topics/multiple-users-same-machine-privileges-crossed/m-p/47226#M34709 <HTML><HEAD></HEAD><BODY><P>ok so some more info</P><P>This is only happening on wireless users....wired works fine. we are not seeing a user/ip mapping for the wireless users...the source user is blank</P><P>Is there some new feature in 6.0 to help with this?</P></BODY></HTML> Mon, 06 Oct 2014 17:46:40 GMT dthibodeaux 2014-10-06T17:46:40Z https://live.paloaltonetworks.com/t5/general-topics/multiple-users-same-machine-privileges-crossed/m-p/47223#M34706 <HTML><HEAD></HEAD><BODY><BLOCKQUOTE class="jive-quote" style="color: #000000; font-family: Calibri; font-size: medium;">currently have a customer using radius authentication on the wireless and user-id on the PA. The problem is when two different users use the same machine. Teacher logs in and gets a policy applied to the session going through the firewall and she logs out and a student logs in to the same machine, that student has the same privileges through the PA as the teacher did. It seems like the PA is not releasing the session and applying the correct policy to the new user. Any ideas?</BLOCKQUOTE><BLOCKQUOTE class="jive-quote" style="color: #000000; font-family: Calibri; font-size: medium;">setup is HA-3020's and Aruba wireless. Radius auth is against microsoft 2012 server</BLOCKQUOTE><BLOCKQUOTE class="jive-quote" style="color: #000000; font-family: Calibri; font-size: medium;">Thanks!</BLOCKQUOTE></BODY></HTML> Mon, 06 Oct 2014 17:11:58 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-users-same-machine-privileges-crossed/m-p/47223#M34706 dthibodeaux 2014-10-06T17:11:58Z https://live.paloaltonetworks.com/t5/general-topics/multiple-users-same-machine-privileges-crossed/m-p/47224#M34707 <HTML><HEAD></HEAD><BODY><P><A href="https://live.paloaltonetworks.com/u1/8702">dthibodeaux</A></P><P></P><P>Do you see the (student) user name in the traffic logs when it hits the policy that you have created for teacher ?</P><P></P><P>If not, please verify if the ip-user-mapping changes for that IP address after teacher logs out and student logs in.</P><P></P><P>You can check the ip-user-mapping for an IP using the following command:</P><P>show user ip-user-mapping ip &lt;ip/netmask&gt;</P></BODY></HTML> Mon, 06 Oct 2014 17:16:20 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-users-same-machine-privileges-crossed/m-p/47224#M34707 bat 2014-10-06T17:16:20Z https://live.paloaltonetworks.com/t5/general-topics/multiple-users-same-machine-privileges-crossed/m-p/47225#M34708 <HTML><HEAD></HEAD><BODY><P>Hi Dhibodeaux,</P><P></P><P>Actually this should not happen, because when user logs out, it creates a security log on AD server. Firewall reads it and remove the mapping. We should try to find out why its not happenning.</P><P></P><P>However, there are two solution for this.</P><P>1. Reduce Timeout interval for user-id to ip mapping. - Which means older mappings will expire if there is no activity from them.</P><P>2. Or enable WMI probing - User-id agent queries all active users, if they dont respond. Its removed.</P><P></P><P>Regards,</P><P>HArdik Shah: </P></BODY></HTML> Mon, 06 Oct 2014 17:17:20 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-users-same-machine-privileges-crossed/m-p/47225#M34708 hshah 2014-10-06T17:17:20Z https://live.paloaltonetworks.com/t5/general-topics/multiple-users-same-machine-privileges-crossed/m-p/47226#M34709 <HTML><HEAD></HEAD><BODY><P>ok so some more info</P><P>This is only happening on wireless users....wired works fine. we are not seeing a user/ip mapping for the wireless users...the source user is blank</P><P>Is there some new feature in 6.0 to help with this?</P></BODY></HTML> Mon, 06 Oct 2014 17:46:40 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-users-same-machine-privileges-crossed/m-p/47226#M34709 dthibodeaux 2014-10-06T17:46:40Z https://live.paloaltonetworks.com/t5/general-topics/multiple-users-same-machine-privileges-crossed/m-p/47227#M34710 <HTML><HEAD></HEAD><BODY><P><A href="https://live.paloaltonetworks.com/u1/8702">dthibodeaux</A></P><P></P><P>Source user field is blank due to the username not being pushed correctly, how are you pushing the usernames from the Aruba wireless&nbsp; ? Are you using XML API ?</P></BODY></HTML> Mon, 06 Oct 2014 17:56:44 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-users-same-machine-privileges-crossed/m-p/47227#M34710 bat 2014-10-06T17:56:44Z https://live.paloaltonetworks.com/t5/general-topics/multiple-users-same-machine-privileges-crossed/m-p/47228#M34711 <HTML><HEAD></HEAD><BODY><P>I'm guessing I'm not...:smileyconfused:</P></BODY></HTML> Mon, 06 Oct 2014 17:58:31 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-users-same-machine-privileges-crossed/m-p/47228#M34711 dthibodeaux 2014-10-06T17:58:31Z https://live.paloaltonetworks.com/t5/general-topics/multiple-users-same-machine-privileges-crossed/m-p/47229#M34712 <HTML><HEAD></HEAD><BODY><P>There are multiple methods to push user ip mappings:</P><P>--Using a syslog parser profile:</P><P><A href="https://live.paloaltonetworks.com/docs/DOC-6727">How to Collect the User-IP Mappings from a Syslog Sender Using an User-ID Agent</A></P><P></P><P>--Using XML API:</P><P><A href="https://paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/technology-solutions-briefs/aruba.pdf" title="https://paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/technology-solutions-briefs/aruba.pdf">https://paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/technology-solutions-briefs/aruba.pdf</A></P><P><A href="http://www.arubanetworks.com/wp-content/uploads/TechNote_ArubaAndPaloAltoNetworksIntegration.pdf" title="http://www.arubanetworks.com/wp-content/uploads/TechNote_ArubaAndPaloAltoNetworksIntegration.pdf">http://www.arubanetworks.com/wp-content/uploads/TechNote_ArubaAndPaloAltoNetworksIntegration.pdf</A></P><P></P><P>Hope it helps !</P></BODY></HTML> Mon, 06 Oct 2014 18:18:41 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-users-same-machine-privileges-crossed/m-p/47229#M34712 bat 2014-10-06T18:18:41Z https://live.paloaltonetworks.com/t5/general-topics/multiple-users-same-machine-privileges-crossed/m-p/47230#M34713 <HTML><HEAD></HEAD><BODY><P>you have to use api or the new syslog feature as mentioned.</P></BODY></HTML> Mon, 06 Oct 2014 18:48:45 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-users-same-machine-privileges-crossed/m-p/47230#M34713 Retired Member 2014-10-06T18:48:45Z https://live.paloaltonetworks.com/t5/general-topics/multiple-users-same-machine-privileges-crossed/m-p/47231#M34714 <HTML><HEAD></HEAD><BODY><P>ok so this customer does not have clear pass so I am assuming the xml api solution wont work...as far as the syslog solution, I am trying to set this up in my lab. I have a aruba controller, pa200, and 2008 server. Do I run the syslog server on the same server as the user-id agent is on or do these need to be separate boxes? I am running kiwi syslog server on the same 2008 server as the UID agent is on...think I said that already <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P><P>The document keeps referring to a "syslog sender" and I am not sure if that is the controller, the PA, or the 2008 server.</P><P></P><P>Thanks</P><P>David </P></BODY></HTML> Wed, 08 Oct 2014 15:04:31 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-users-same-machine-privileges-crossed/m-p/47231#M34714 dthibodeaux 2014-10-08T15:04:31Z https://live.paloaltonetworks.com/t5/general-topics/multiple-users-same-machine-privileges-crossed/m-p/47232#M34715 <HTML><HEAD></HEAD><BODY><P><A href="https://live.paloaltonetworks.com/u1/8702">dthibodeaux</A></P><P></P><P>Syslog sender should be aruba controller which should be sending login/logout events to pa200. On pa200 you should have syslog parser profile to parse these logs and extract the User to IP information.</P></BODY></HTML> Wed, 08 Oct 2014 16:23:54 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-users-same-machine-privileges-crossed/m-p/47232#M34715 bat 2014-10-08T16:23:54Z https://live.paloaltonetworks.com/t5/general-topics/multiple-users-same-machine-privileges-crossed/m-p/47233#M34716 <HTML><HEAD></HEAD><BODY><P>I did finally get this to work using the user-id agent setup on the PA itself but my concern is how taxing this might be to the box in a production environment. I would really like it to work using the user-id agent on the domain controller. For some reason I cannot get the info from the DC to the PA for the wireless users. I have the Aruba pointing at the DC where the agent resides, I have the agent setup with the sender info but never see the user info on the PA in the monitor logs. any ideas?</P></BODY></HTML> Wed, 08 Oct 2014 18:22:11 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-users-same-machine-privileges-crossed/m-p/47233#M34716 dthibodeaux 2014-10-08T18:22:11Z https://live.paloaltonetworks.com/t5/general-topics/multiple-users-same-machine-privileges-crossed/m-p/47234#M34717 <HTML><HEAD></HEAD><BODY><P>ok I got it working using the UID agent residing on the DC.</P><P>Thanks for all the info!!</P></BODY></HTML> Fri, 10 Oct 2014 13:59:07 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-users-same-machine-privileges-crossed/m-p/47234#M34717 dthibodeaux 2014-10-10T13:59:07Z