topic Re: LDAP configuration Using User ID Agent in General Topics

Centralized User ID Agent to All firewalls with AD integration

ymamis — Tue, 18 Jul 2017 07:36:16 GMT

Dear Community,

Kindly note that we would like to achieve AD integration through centralized user id agent ,in that all of the firewalls will have userid agent which is integrated with AD.

So basically userid agent work as a proxy, How this can be achived. I had gone through this link,

https://live.paloaltonetworks.com/t5/Configuration-Articles/User-ID-Agent-as-LDAP-Proxy-for-Group-Mapping-and-Authentication/ta-p/58914

Regarding LDAP configuration part , nothing is mentioned .Appreciate if any body help

Re: LDAP proxy configuration Using User ID Agent

reaper — Tue, 18 Jul 2017 07:10:24 GMT

hi @ymamis

The article you provided shows you how to enable LDAP proxy, what this does is this:

Under normal circumstances if you configure an LDAP server profile and an authentication profile calls for this LDAP server to authenticate someone (captive portal, VPN, admin ,...) the firewall will send out an LDAP connection from the management port (the tcp session will physically source from the management interface)

If you want to change that source for security reasons (eg. you want unencrypted ldap but you don't want a sniffer to be able to pick up your authentication sessions) you can enable ldap proxy on one of your UserID agents.

This setting will 'proxy' your ldap session over the secure user-id connection: the firewall has a permanent encrypted connection with the user-id agent, and an ldap session can be tunneled through that session. this will make the 'physical' source of the ldap, be the socket on the server where the user-id agent is installed (instead of the management interface)

your LDAP configuration does not change

enabling the proxy setting simply tells the firewall to send the tcp session over the user-id link instead of out the management interface

you may want to look into service routes also : Setting a Service Route for Services to Use a Dataplane Interface from the Web UI and CLI

Re: LDAP configuration Using User ID Agent

ymamis — Tue, 18 Jul 2017 07:34:46 GMT

Reaper,

Thanks for your clarification , could you please comment on our requirement . We want to integrate firewall to AD through userid agent, not directly , sounds like a centralized user id agent to all of the firewalls. Will this can be achievable ?

Re: LDAP configuration Using User ID Agent

reaper — Tue, 18 Jul 2017 08:44:38 GMT

can you elaborate on your requirement?

Which aspect do you want to integrate exactly?

have you checked this article: Getting Started: User-ID it outlines everything about User-ID

the User-ID agent itself can only perform 3 functions:

-provide user-to-ip mapping to the firewall by means of reading security logs, server sessions, netbios/WMI probing or API/syslog

-provide NTLM authentication through the AD it is installed on

-proxy LDAP authentication sessions

multiple firewalls can connect to the same user-ID agent

multiple user-ID agents can serve a firewall

Re: LDAP configuration Using User ID Agent

ymamis — Tue, 18 Jul 2017 11:08:39 GMT

Hello Reaper,

Thank you for your comments, and our requirement is this one .

User----Captive portal--> Palo Alto Firewall -->User ID agent --> AD

We are using windows based user id agent and its integrated to AD. And there is no other integration from PA firewall to AD through palo-alto agents. Our target is to achieve browser challenge with NTLM authentication using User ID agent from PA firewall.

Specifically the concerns are

Is this suffice to integrate firewall with user id agent only and through this can we achieve NTLM authentication. That means there is no AD integration in firewall and only user id agent can being communicate to AD.
Do you have any document related to this ?

· The issue is that we have multiple firewalls and we don’t want every firewall to integrate with AD, rather than a centralized user id agent sounds good

Re: LDAP configuration Using User ID Agent

reaper — Tue, 18 Jul 2017 19:12:19 GMT

have you read this article: Getting Started: User-ID ?

it covers all aspects of user-ID including NTLM.

you will need to configure an ldap profile and enable LDAP proxy on the user-id agent, and also enable NTLM on the user-id agent. as soon as those 2 boxes are checked only the agent will communicate with the AD

to tie everything together you'll need to enable Captive Portal with ntlm policies