topic Re: Problem w/ user ID in General Topics

Problem w/ user ID

Jean-Christophe — Fri, 22 Dec 2017 10:28:33 GMT

Hi Gurus,

I'm trying to implement user id agentless.

The LDAP & User Identification are created correctly.

Below is the output:

J-C.Valiere.da@PA_Ecore_Master> show user group list

cn=vpn ecore employee,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com
cn=vpn ecore consultant,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com

J-C.Valiere.da@PA_Ecore_Master> show user user-ids

User Name Vsys Groups
------------------------------------------------------------------
corp\tests5 vsys1 cn=vpn ecore employee,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com

corp\j-c.valiere.da vsys1 cn=vpn ecore consultant,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com

Also, the source zone on which I apply my policy has User-ID enabled.

So I can see that tests5 user is member of 'vpn ecore employee'.

I created the 3 following policy:

"VPN Remote Ecore Employee" {
to TRUST;
from REMOTE_VPN_USERS;
source Pool_VPN_Remote_Users;
destination VM_Safewalk;
source-user "cn=vpn ecore employee,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com";
category any;
application ssl;
service TCP_8443;
hip-profiles any;
action allow;
log-start yes;
tag REMOTE_VPN_USERS;
}
"VPN Remote Ecore Consultant" {
to TRUST;
from REMOTE_VPN_USERS;
source Pool_VPN_Remote_Users;
destination VM_Safewalk;
source-user "cn=vpn ecore consultant,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com";
category any;
application ssl;
service TCP_8443;
hip-profiles any;
action allow;
log-start yes;
tag REMOTE_VPN_USERS;
}
VPN_Remote_PoolVPN-Safewalk {
to TRUST;
from REMOTE_VPN_USERS;
source Pool_VPN_Remote_Users;
destination VM_Safewalk;
source-user any;
category any;
application ssl;
service TCP_8443;
hip-profiles any;
action allow;
log-start yes;
tag REMOTE_VPN_USERS;
}

And when trying to access the VM_Safewalk on port TCP_8443 with the user tests5, the 3rd policy matches instead of the first one.

Can anyone tell me what I forgot, or what is wrong in my configuration ?

Thanks & Best Regards,

Jean-Christophe

Re: Problem w/ user ID

Mick_Ball — Fri, 22 Dec 2017 12:22:45 GMT

If you run the following command...

show user group name “cn=vpn ecore employee,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com”

is tests5 displayed in the output?

Re: Problem w/ user ID

Mick_Ball — Fri, 22 Dec 2017 13:09:47 GMT

Also...

when adding source-user to your policy just type vpn to see if the usergroup self populates.

You may have already done this but wort a try rather than manually entering the fqdn.

Re: Problem w/ user ID

Jean-Christophe — Fri, 22 Dec 2017 13:10:38 GMT

Below is the result:

J-C.Valiere.da@PA_Ecore_Master> show user group name "cn=vpn ecore employee,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com"

short name: corp\vpn ecore employee

source type: ldap
source: VPN Ecore Employees

[1 ] corp\j-c.valiere.da
[2 ] corp\tests5

So looks like everything is fine or ?

Thx

Re: Problem w/ user ID

Mick_Ball — Fri, 22 Dec 2017 13:13:31 GMT

Try my previous as the policy may need to be...

corp\vpn ecore employee

Re: Problem w/ user ID

Jean-Christophe — Fri, 22 Dec 2017 13:27:41 GMT

I can confirm that it is self populated

Thx.

Re: Problem w/ user ID

Mick_Ball — Fri, 22 Dec 2017 13:36:35 GMT

Does you authentication include user-domain=corp.

perhaps a print screen of the successful authentication for tests5 would help.

Re: Problem w/ user ID

Mick_Ball — Fri, 22 Dec 2017 13:37:12 GMT

Sorry... authentication profile

Re: Problem w/ user ID

Jean-Christophe — Fri, 22 Dec 2017 15:30:21 GMT

Source user in policy applies to "corp\vpn ecore employee"

Regards.

Jean-Christophe Valiere

Re: Problem w/ user ID

Jean-Christophe — Fri, 22 Dec 2017 16:11:12 GMT

Ok,

I got a really weird thing (Note that I switched tests5 user to vpn ecore consultant):

J-C.Valiere.da@PA_Ecore_Master> show user group name "cn=vpn ecore consultant,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com"

short name: corp\vpn ecore consultant

source type: ldap
source: VPN Ecore Group Mapping

[1 ] corp\tests5

J-C.Valiere.da@PA_Ecore_Master> show user group name "cn=vpn ecore employee,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com"

short name: corp\vpn ecore employee

source type: ldap
source: VPN Ecore Group Mapping

[1 ] corp\j-c.valiere.da

J-C.Valiere.da@PA_Ecore_Master> show user user-ids match-user tests5

User Name Vsys Groups
------------------------------------------------------------------
corp\tests5 vsys1 cn=vpn ecore employee,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com
cn=vpn ecore consultant,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com

So,

Group "vpn ecore employee" contains j-c.valiere.da

Group "vpn ecore consultant" contains tests5

user tests5 belongs to both "vpn ecore employee" and "vpn ecore consultant"

Also, note that I temporarly disabled the cache in the user identification settings.

Really, really strange.

Re: Problem w/ user ID

Mick_Ball — Fri, 22 Dec 2017 16:39:37 GMT

Wow that is strange, maybe remembered from previous session.

could you post a screen shot of monitor/system for the users authentication success. For tests5.