topic User-ID Agent - Domain Override? in General Topics

User-ID Agent - Domain Override?

BLazarov — Fri, 25 Sep 2015 09:36:27 GMT

Hello All,

I deseprately need an option to override the domain name for user-IP-mappings collected from an User-ID Agent.

I've found that the Terminal Server User-ID agent has that option (https://live.paloaltonetworks.com/t5/Management-Articles/Domain-Override-Functionality-on-Terminal-Server-Agent/ta-p/63107) which is very handy for multi-domain environments, but unfortunately i couldnt find that option for the AD User-ID Agent.

I hope that there is some hidden switch or configuration that could make me to the job.

To give an example - i have a working User-ID Agent collecting and parsing the Event Logs from few DCs that are serving users in multiple domains in a single forest.

Domains:

dom1.world.contoso.com

dom2.world.contoso.com

dom3.world.contoso.com

Users are mapped perfectly fine such as:

dom1\jdoe

dom2\owilde

dom3\tom

In the same time Group Mapping via LDAP also works fine generally and users are mapped to the correct groups

The problem is that i want to enable Captive portal with Client Certificate Authentication which gives me no option to get the correct user domain. I am mapping the CN attribute of the user certificate for username, therefore all users are authenticated like this:

jdoe

owilde

tom

As a result group mapping does not work.

I've found a nice workaround for that to set domain override in the group mapping to, for example contoso.com.

Then set in the certificate profile domain contoso.com as well.

Then all users get authenticated as:

contoso.com\jdoe

contoso.com\owilde

contoso.com\tom

and they are being populated in the group mapping also in the same manner, therefore everything works fine.

Unfortunately there is no similar option for the User-ID agent and when i implement this workaround to make certificate authentcation on CP working, i lose group mapping for the User-ID because on User-ID users are automatically mapped to their corresponding domain.

That is why i am looking for option to statically override the user domain in User-ID Agent. I can see that there is such option in the TS agent (https://live.paloaltonetworks.com/t5/Management-Articles/Domain-Override-Functionality-on-Terminal-Server-Agent/ta-p/63107), but i can not find it in the original User-ID agent.

Does anybody have an idea?

Re: User-ID Agent - Domain Override?

OtakarKlier — Fri, 25 Sep 2015 14:29:23 GMT

Not sure if its an 'override' however if you enter the domain in the server profile (radius or LDAP) it should populate like you are wanting to. I have Global PRotect setup this way and use radius, so I just enter the 'domain' in the radius profile and the users diplay properly in the losg as domain\username.

Re: User-ID Agent - Domain Override?

andreip — Fri, 25 Sep 2015 16:55:03 GMT

Tested w. UID Agent 7.0.2, PANOS 7.0.2 VM-100:

In the configuration file UserIDAgentConfig.xml, for each auth source (server), there is a default-domain variable, which does not have a value by default. I tested by filling in the desired domain name to be prepended and sending via XML API usernames with and without domains and checking on firewall:

UserIDAgentConfig.xml:

<server-settings>

<server-entry name="xxx" type="active-directory" address="xxx" port="" syslog-profile="" default-domain="xxx"/>

</server-settings>

In the following snippets, 10.1.1.1 is the firewall, 10.1.1.201 is the domain controller with UID Agent installed

XML file sent via curl:

<uid-message>
<version>1.0</version>
<type>update</type>
<payload>
<login>
<entry name="uid" ip="10.1.1.121" timeout="20"/>
</login>

File was sent via:

curl -vk --form file=@uid.xml https://10.1.1.201:5006

UID Agent displays username exactly how it was sent, without interpreting the separator (@ and \ tried):

and the firewall is updated:

admin@pavm-7> show user ip-user-mapping all

IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.1.1.124 vsys1 UIA gamma\uid4 222 222
10.1.1.201 vsys1 UIA alpha\panwagent 901 901
10.1.1.121 vsys1 UIA uid 397 397
10.1.1.125 vsys1 UIA uid5@delta 1127 1127

So the default-domain variable in UID Agent configuration file doesn't seem to append or overwrite a domain name to users without domain, to get something usable for user-group mapping.

Certificate used in CP is just a method to validate an identity - since it's not correlated natively to an auth server/sequence, I doubt you can extract fields from cert (e. g. UPN) to check user-group mapping.

If you are not trying to control internet access, but access to internal resources, Kerberos challenge introduced in PANOS 7.0 (works with browser-challenge method) might help.