topic Re: User Authentication Profile update for VPN User-ID mapping in General Topics

User Authentication Profile update for VPN User-ID mapping PANOS 7.0.x

gabriel.simatupang — Mon, 18 Jul 2016 06:04:18 GMT

Dear All,

i have problem in my VPN user Identification (they cannot login to portal) after there's update/change in my AD server group. I already doing this https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Force-User-Group-Mapping-Refresh/ta-p/62597 to force user group mapping refresh. It's work to update my User-ID in my policy but my VPN User mapping still not updated untill almost 60 minutes. There is any way to refresh/tunning or Query it faster to update VPN user mapping?

Re: User Authentication Profile update for VPN User-ID mapping

reaper — Fri, 11 Dec 2015 11:39:57 GMT

Hi Gabriel

Have you set an allow list in the authentication profile itself? If not the issue may be a connectivity issue between the firewall and the ldap server instead of group mapping

you can change the group mapping update interval in the group mapping object :

Device > User Identification> Group Mapping Settings > Server Profile > Update Interval

If you're aware a change was made you can also trigger a manual update from the CLI:

> debug user-id refresh group-mapping all

hope this helps

Tom

Re: User Authentication Profile update for VPN User-ID mapping

Brandon_Wertz — Fri, 11 Dec 2015 16:28:49 GMT

@gabriel.simatupang The "Value" threshold of 60-86400 is in seconds I believe. Your request to have the group refreshed more quickly than 60 minutes just means set this value below 3600 seconds, down to as low as 60 seconds. Although, I'm not sure how much of an impact setting the refresh to 60 seconds would have on your firewall.

Re: User Authentication Profile update for VPN User-ID mapping

gabriel.simatupang — Sat, 12 Dec 2015 04:17:41 GMT

I already tunning update interval to 60 Second and it's works for my user-id group in security policy but somehow it's not working in my user-id group on Global Protect. There is another way ?

Re: User Authentication Profile update for VPN User-ID mapping

reaper — Thu, 17 Dec 2015 11:21:04 GMT

The group mapping for the security policies and the authentication in GP should be identical, since they both come from the same profile that is updated

Unless ... are you using multiple ldap profiles ? (maybe one is being updated properly and the other isnt)

if you increase debugging and tail the logs during authentication, does anything interesting pop up:

> debug authentication on debug
> tail follow yes mp-log authd.log

you can try to take a look at the logging for user-id as well to see if anything might be failing:

> debug user-id on debug
> less mp-log authd.log

Re: User Authentication Profile update for VPN User-ID mapping

gabriel.simatupang — Mon, 18 Jul 2016 06:03:36 GMT

thanks @reaper for your help. but after i open case to tac they said:

Engineering team has decided that this fix will not be added to 7.0 or 7.1 code versions due to the significant design changes involved in the fix. These design changes will be handled in 8.0 releases.

The workaround is to use "all" or individual users in the allow list.

so i must wait PANOS 8 release. Do you have any idea when PANOS 8 release?

Re: User Authentication Profile update for VPN User-ID mapping

reaper — Mon, 18 Jul 2016 06:57:15 GMT

I would guess, based on previous release timeframes of about 8-10 months between major releases, that PAN-OS 8.0 is likely to appear around the end of this year. But currently there's nothing out yet so I'd advise you to keep checking in regularly. Once 8.0 is about to be released you should see announcements popping up