topic UIA 8.1 issue in General Topics https://live.paloaltonetworks.com/t5/general-topics/uia-8-1-issue/m-p/231941#M66589 <P>I have two different customers who hits same issue.</P><P>One user is using PAN-OS 8.1.3 and UIA 8.1.3-10,</P><P>another is using PAN-OS 8.0.12 and UIA 8.1.3.-10.</P><P>&nbsp;</P><P>The issue is that UIA detects user info as three types of formats like...</P><P>1) domain\user (this is same as previous version)</P><P>2) domain.local\user</P><P>3) user@domain.local</P><P>&nbsp;</P><P>When PA received these info, "show user ip-user-mapping all" shows following two types as below</P><P>1) domain\user</P><P>2) domain.local\user</P><P>&nbsp;</P><P>admin@hostname(active)&gt; show user ip-user-mapping all</P><P>IP Vsys From User IdleTimeout(s) MaxTimeout(s)<BR />--------------- ------ ------- -------------------------------- -------------- -------------<BR />10.241.73.100 vsys1 UIA domain\user1 Never Never<BR />10.212.136.101 vsys1 UIA domain.local\user1 Never Never<BR />10.224.57.100 vsys1 UIA domain\user1 Never Never<BR />10.128.145.9 vsys1 UIA domain\user2 Never Never<BR />10.128.144.35 vsys1 UIA domain.local\user3 Never Never</P><P>&nbsp;</P><P>The issue is that when PA recognize user format as "domain.local\user" format, the user does not hit to policy which was configured by user group that was pulled from AD.</P><P>The reason is that user group and member was recognized ONLY by "domain\user' format.</P><P>&nbsp;</P><P>admin@hostname(active)&gt; show user group name "cn=domain users,cn=users,dc=domain,dc=local</P><P>short name: domain\domain users</P><P>source type: ldap<BR />source: groupmapping</P><P>[1 ] domain\01<BR />[2 ] domain\21<BR />[3 ] domain\22<BR />[4 ] domain\23<BR />[5 ] domain\24<BR />[6 ] domain\26<BR />[7 ] domain\27<BR />[8 ] domain\29<BR />[9 ] domain\88<BR />[10 ] domain\98<BR />[11 ] domain\administrator<BR />[12 ] domain\agroadmin<BR />[13 ] domain\agrotest<BR />[14 ] domain\alc<BR />[15 ] domain\amano1<BR />[16 ] domain\amano2<BR />..so on</P><P>&nbsp;</P><P>I believe on PAN-OS 8.0 and earlier, "domain\userA" and "domain.local\userA" is NOT same guy, thus it does not hit group members.</P><P>&nbsp;</P><P>Is there any body who hits same issue?</P><P>&nbsp;</P><P>&nbsp;</P><P>Note: I know PAN-OS 8.1 starts supporting multiple formats, though it makes me confusing and hitting this issue.</P><P>&nbsp;</P><P>Regards,</P><P>Emr</P> Sun, 23 Sep 2018 09:31:58 GMT emr_1 2018-09-23T09:31:58Z UIA 8.1 issue https://live.paloaltonetworks.com/t5/general-topics/uia-8-1-issue/m-p/231941#M66589 <P>I have two different customers who hits same issue.</P><P>One user is using PAN-OS 8.1.3 and UIA 8.1.3-10,</P><P>another is using PAN-OS 8.0.12 and UIA 8.1.3.-10.</P><P>&nbsp;</P><P>The issue is that UIA detects user info as three types of formats like...</P><P>1) domain\user (this is same as previous version)</P><P>2) domain.local\user</P><P>3) user@domain.local</P><P>&nbsp;</P><P>When PA received these info, "show user ip-user-mapping all" shows following two types as below</P><P>1) domain\user</P><P>2) domain.local\user</P><P>&nbsp;</P><P>admin@hostname(active)&gt; show user ip-user-mapping all</P><P>IP Vsys From User IdleTimeout(s) MaxTimeout(s)<BR />--------------- ------ ------- -------------------------------- -------------- -------------<BR />10.241.73.100 vsys1 UIA domain\user1 Never Never<BR />10.212.136.101 vsys1 UIA domain.local\user1 Never Never<BR />10.224.57.100 vsys1 UIA domain\user1 Never Never<BR />10.128.145.9 vsys1 UIA domain\user2 Never Never<BR />10.128.144.35 vsys1 UIA domain.local\user3 Never Never</P><P>&nbsp;</P><P>The issue is that when PA recognize user format as "domain.local\user" format, the user does not hit to policy which was configured by user group that was pulled from AD.</P><P>The reason is that user group and member was recognized ONLY by "domain\user' format.</P><P>&nbsp;</P><P>admin@hostname(active)&gt; show user group name "cn=domain users,cn=users,dc=domain,dc=local</P><P>short name: domain\domain users</P><P>source type: ldap<BR />source: groupmapping</P><P>[1 ] domain\01<BR />[2 ] domain\21<BR />[3 ] domain\22<BR />[4 ] domain\23<BR />[5 ] domain\24<BR />[6 ] domain\26<BR />[7 ] domain\27<BR />[8 ] domain\29<BR />[9 ] domain\88<BR />[10 ] domain\98<BR />[11 ] domain\administrator<BR />[12 ] domain\agroadmin<BR />[13 ] domain\agrotest<BR />[14 ] domain\alc<BR />[15 ] domain\amano1<BR />[16 ] domain\amano2<BR />..so on</P><P>&nbsp;</P><P>I believe on PAN-OS 8.0 and earlier, "domain\userA" and "domain.local\userA" is NOT same guy, thus it does not hit group members.</P><P>&nbsp;</P><P>Is there any body who hits same issue?</P><P>&nbsp;</P><P>&nbsp;</P><P>Note: I know PAN-OS 8.1 starts supporting multiple formats, though it makes me confusing and hitting this issue.</P><P>&nbsp;</P><P>Regards,</P><P>Emr</P> Sun, 23 Sep 2018 09:31:58 GMT https://live.paloaltonetworks.com/t5/general-topics/uia-8-1-issue/m-p/231941#M66589 emr_1 2018-09-23T09:31:58Z Re: UIA 8.1 issue https://live.paloaltonetworks.com/t5/general-topics/uia-8-1-issue/m-p/235684#M67556 <P>Reply to myself.</P><P>&nbsp;</P><P>It was&nbsp;<SPAN>WINAGENT-391 issue.</SPAN></P><P>&nbsp;</P><P>Description:<BR /><SPAN>Fixed an issue where the User-ID agent failed to normalize usernames correctly due to a domain map lookup failure.</SPAN></P><P>&nbsp;</P><P><SPAN>This is fixed in UIA 8.1.4.</SPAN></P><P><SPAN>&nbsp;</SPAN></P> Wed, 17 Oct 2018 00:24:37 GMT https://live.paloaltonetworks.com/t5/general-topics/uia-8-1-issue/m-p/235684#M67556 emr_1 2018-10-17T00:24:37Z