topic Re: User ID WiFi and LAN in General Topics

User ID WiFi and LAN

rjdahav163 — Tue, 06 Jun 2017 14:26:16 GMT

Hello

Our organisation does not use 802.1x authentication in our environment. We have LAN and WiFi for our employees. We want to implement User ID with PA with AD domains and User ID Agent. However I could not find documentation on User ID behaviour in following scenario:

Our users have laptops and they use LAN when laptops are docked into docking stations. But when a user removes a laptop from docking station then he is immediately connected to WiFi and gets another IP. Again when he comes back to his place he will be connected with LAN.

Is there any documentation on how such situation is handled by user id and what are the best practices in such scenario?

Thanks and Regards,

Re: User ID WiFi and LAN

VinceM — Tue, 06 Jun 2017 14:41:49 GMT

Hi rjdahav163,

In this case, maybe you should have a look on deploying GP on all laptop and use GP on both external and internal gateway with transparent authentication.

Switching from wire to wifi auth is really fast.

Ref:

https://www.paloaltonetworks.com/documentation/60/globalprotect/global_protect_6-0/globalprotect-quick-configs/mixed-internal-and-external-gateway-configuration.html

Hope help

Re: User ID WiFi and LAN

BPry — Tue, 06 Jun 2017 14:56:27 GMT

@rjdahav163,

The computer already has an IP and a mapping on your wireless network, but the binding order makes it so that they are using the ethernet connection instead of the wireless connection. The mapping will simply have two IP addresses listed for that user. For example if my laptop is docked I'm mapped to say 10.*.*.* but my wireless connection is listed as 172.16.*.* then the firewall will show my user-id mapping to both 10.191.16.17 and 172.16.1.2 both at the same time, once my laptop is undocked then I simply see the users traffic move the source address to 172.16.1.2 but the mapping doesn't really change.

Re: User ID WiFi and LAN

rjdahav163 — Tue, 06 Jun 2017 15:10:40 GMT

Thanks VinceM for your reply. So if I understand correctly, when internal network is detected GP will not initiate VPN right but only send the IP-Username association to the FW?

Re: User ID WiFi and LAN

rjdahav163 — Tue, 06 Jun 2017 15:14:57 GMT

Thanks BPry for your reply. Your solution looks good. Will try out and post a feedback.

Re: User ID WiFi and LAN

Nick.Chenault — Tue, 06 Jun 2017 15:26:14 GMT

I agree with BPry's solution, we currently have a similar setup in our environment and works just fine between LAN/WLAN.

Re: User ID WiFi and LAN

VinceM — Tue, 06 Jun 2017 15:28:30 GMT

Correct, internally, just use GP on internal gateway for user authent. No Tunnel, just authen.

And if you want to go farther, you can, in futur, use HIP for giving acces to dedicate ressources 🙂

Rgds