topic Re: User-ID in General Topics

User-ID

jdprovine — Wed, 29 Nov 2017 11:14:23 GMT

When enabling user-id where does it check against to get the information to identify the users? I have it turned on for serveral zones and it only seems to work on the VPN user-id's.

Re: User-ID

Sjoerd — Wed, 29 Nov 2017 12:14:41 GMT

You can use the security log of you’re domain controllers.

Check device, User Identification. I prefer using the User ID Agent and point the Palo Alto to this agent.

There are also scripts available to get the users from a radius log.

Good luck!

Re: User-ID

kiwi — Wed, 29 Nov 2017 13:42:01 GMT

Hi @jdprovine,

This guide should be very helpful :

Getting Started User-ID

Cheers !

-Kiwi.

Re: User-ID

Mick_Ball — Wed, 29 Nov 2017 15:24:18 GMT

chances are that your user-id is not working at all.

the user ID is only showing for GP connections as learned via authentication.

Re: User-ID

jdprovine — Fri, 01 Dec 2017 13:28:59 GMT

@Mick_Ball

That is what I was thinking too Mick, we authenticate against LDAP instead of AD and I was wondering if the PA only does the userid against AD

Re: User-ID

Mick_Ball — Fri, 01 Dec 2017 13:40:28 GMT

i have never tried with LDAP but i'm sure its something to do with the PA being only able to read LDAP groups and not LDAP attributes that some LDAP admins use instead of groups.

below is a link explaining this issue and a possible workaround.

it may not help you but at least give you a better understanding of whats going on.

Mick.

https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Work-with-User-ID-and-OpenLDAP-Dynamic-Groups/ta-p/58811?attachment-id=505

Re: User-ID

jdprovine — Fri, 01 Dec 2017 14:09:30 GMT

@Mick_Ball

So the PA does do it userid queries only against AD

Re: User-ID

reaper — Fri, 01 Dec 2017 15:04:53 GMT

Hi @jdprovine

There are many methods to collect User id information: reading Active Directory authentication logs, server sessions (drive maps), API scripts, Captive portal, syslog collection, TerminalServer sessions, GlobalProtect authentication,...

Please check out this article that highlights most of the main ways to collect user identification information and how to set it all up:

Getting Started: User-ID

Re: User-ID

Mick_Ball — Fri, 01 Dec 2017 15:09:15 GMT

well i have only briefly browsed the document but my assumptions are as follows.

if your PA identifies its users via authentication, such as your VPN then you can use LDAP groups against those users for policies etc.

the previous link explains how to do this. but...

if your users do not auth via AD then you will not be able to map IP's to users as the LDAP server will not hold a database of user related IP's.

The PA user-id reads the security log on AD as this records users addresses when they use domain services, email, logon etc.

so I would say yes to your previous post.. But.. (again)

the user-AD agent installed seperately has config settings for EDirectory.. as wll as AD.

Mick.

oops! someone has just posted previous to me so may be of better use.

Re: User-ID

Mick_Ball — Fri, 01 Dec 2017 15:11:15 GMT

@reaper & @jdprovine

the document I refer to is the one i posted earlier, not the one from @reaper.

sorry for the confusion....

Re: User-ID

OtakarKlier — Fri, 01 Dec 2017 17:11:01 GMT

Hello,

Also check to make sure that the User-ID is enabled on the zone. Its burned me a few times over the years.

Cheers!

Re: User-ID

jdprovine — Mon, 04 Dec 2017 13:34:20 GMT

@Mick_Ball

Yes i got the one you sent thanks

Re: User-ID

jdprovine — Tue, 05 Dec 2017 17:45:16 GMT

@kiwi

Do you have to have a certain version of the userid agent for different OS's of the PA? I don't want to have to upgrage the agents every other month unless it does it automagically

Re: User-ID

Mick_Ball — Tue, 05 Dec 2017 18:32:07 GMT

No, i have used same agent for all 7.x versions, only had to upgrade when moved to v8. As requires a device cert.

however v8 had other issues so rolled back to v7 and original agent.

we have 2 agents so upgrading (if required) can be pretty seemless.

Re: User-ID

jdprovine — Tue, 05 Dec 2017 19:09:23 GMT

@Mick_Ball

good to know thanks for the info

Re: User-ID

jdprovine — Tue, 05 Dec 2017 21:52:53 GMT

@OtakarKlier

Yes it is enabled on the zones but apparently I don't have everything it needs set up because its still not working. I can see how that would be annoying LOL 😉

Re: User-ID

jdprovine — Mon, 18 Dec 2017 15:58:18 GMT

I see that there is a userid agent method and a clientless userid method. What are people using the most? I know that the clientless method will cause more load on my firewall but i am not sure how to gage how much it will add. Also we do mostly LDAP on a unbuntu box all I saw was what looked like one compatible with active directory and window

Re: User-ID

jdprovine — Wed, 20 Dec 2017 16:14:50 GMT

@Mick_Ball

I have read over this a couple times and this is no small udertaking, we have a mix of authentication methods active directory, ad-ldap, open ldap and radius. I may try puttin the agent on the AD domain controller and see how much info I get from that. Unfortunately alot of the users are not a part of our domain since they are college student and connect using their own devices

Re: User-ID

BPry — Wed, 20 Dec 2017 16:27:11 GMT

@jdprovine,

Do you seperate your students into a 'student' VLAN? It's possible to simply include IP ranges that you would actually expect to see the user-id information, and you could simply ignore your student BYOD devices.

Re: User-ID

jdprovine — Wed, 20 Dec 2017 16:33:44 GMT

@BPry

Yes we do separate them into their own vlans as well as a separate zone on the PA. A majority of our students use wireless for everything and we authenticate against radius to let them on the wireless(we have more than one wireless). Is it possible to get userid information from Radius?