topic Re: Internet disconnection when switching from wired to wireless in General Topics

Internet disconnection when switching from wired to wireless

regahamz — Thu, 17 Oct 2019 06:36:45 GMT

We have newly implemented PaloAlto in our network. Internet access provided for the user using the AD username. Using User-ID Agent in Active directory. When a user is logged in with wired connection and switched to wireless the internet is getting disconnected.Internet is working if the user logoff and logs in again. Is there anything we can do to avoid this disconnection? Is there any configuration to be done in firewall or User-ID agent to avoid this?

Note: Wired and Wireless connection different subnets. The whole subnet is included in the user-id agent.

Appreciate if anyone can help on this regard

Re: Internet disconnection when switching from wired to wireless

Mick_Ball — Thu, 17 Oct 2019 08:04:34 GMT

lan disconnect/connect will cause an event log. perhaps you could invoke a script to map a drive or some other domain activity when the event is logged, this will cause new ip mapping to be registered in AD and user-id will pick this up...

FYI.

Event ID: 10000 (Network Connection Established)

Event ID: 10001 (Network Connection Removed)

Others may prefer a captive portal option but i cannot advise as don't use it.

Re: Internet disconnection when switching from wired to wireless

regahamz — Thu, 17 Oct 2019 09:46:55 GMT

@Mick_Ball Thanks for the reply.

Is there a way in PaloAlto to provide internet in the basis of windows user logon without considering the IP mapped to user account?

The option Group Mapping in Paloalto, will this can be used to achieve this?

Re: Internet disconnection when switching from wired to wireless

Mick_Ball — Thu, 17 Oct 2019 09:51:47 GMT

well yes and no!

Group Mapping can be used for policies but to be a member of a group you must have a name, you will only have a name if your IP address is logged in windows AD.

Re: Internet disconnection when switching from wired to wireless

Mick_Ball — Thu, 17 Oct 2019 10:00:19 GMT

Have a look at captive portal. it can be used transparently as per comments below.

The firewall uses Kerberos single sign-on (SSO) to transparently obtain user credentials. To use this method, your network requires a Kerberos infrastructure, including a key distribution center (KDC) with an authentication server and ticket granting service. The firewall must have a Kerberos account, including a principal name and password.

captive portal info here..

https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-web-interface-help/policies/policies-captive-portal

Re: Internet disconnection when switching from wired to wireless

regahamz — Tue, 05 Nov 2019 06:33:44 GMT

@Mick_Ball

The log on event is appearing in the domain controller with new source ip address when user switches network, only when there is a domain activity. Is this normal behavior of the Active Directory logs or the logon event should appear in domain immediately when there is change in the ip address in client machine.

Re: Internet disconnection when switching from wired to wireless

Mick_Ball — Tue, 05 Nov 2019 06:58:38 GMT

Yes this is normal.

the user agent reads the security log on the AD server, IP change will not populate to this log but when domain activity is registered it will log this along with the user IP for audit purposes.

you need to use other ip mapping methods or invoke a script to force domain activity on ip change.

Re: Internet disconnection when switching from wired to wireless

Brandon_Wertz — Tue, 05 Nov 2019 13:19:18 GMT

@regahamz wrote:
We have newly implemented PaloAlto in our network. Internet access provided for the user using the AD username. Using User-ID Agent in Active directory. When a user is logged in with wired connection and switched to wireless the internet is getting disconnected.Internet is working if the user logoff and logs in again. Is there anything we can do to avoid this disconnection? Is there any configuration to be done in firewall or User-ID agent to avoid this?
Note: Wired and Wireless connection different subnets. The whole subnet is included in the user-id agent.
Appreciate if anyone can help on this regard

I posted about this back in 2015. https://live.paloaltonetworks.com/t5/General-Topics/Dual-NIC-IP-Mapping-Issue/m-p/63710#M38291

Unfortunately it's not as straight forward as you'd think. If you have a windows client that has both a wired and wireless NIC Windows will NOT perform authentication against both NICs. It chooses one or the other. So "those event IDs" that Palo UIAs need to monitor in order to perform IP to ID association will only happen for one NIC at a time, and it's only going to happen once; until another scenario comes along that requires the authentication.

There are ways in Windows to make a particular NIC the "preferred" NIC, so say setting Windows use the wireless NIC over wired, Windows won't always adhere to that.

Your best bet is going to be to use the layered authentication mechanism to catch on-the-fly the user mappings you need. This means using captive portal with NTLM (SSO) authentication.

Ultimately Palo will tell you the "fool proof way" to get the user mapping is to deploy Global Protect clients. Merely using them for user tracking will give you a more reliable way of making sure you always have an IP to ID association.

Re: Internet disconnection when switching from wired to wireless

Brandon_Wertz — Tue, 05 Nov 2019 13:28:58 GMT

@Mick_Ball wrote:
Have a look at captive portal. it can be used transparently as per comments below.

The firewall uses Kerberos single sign-on (SSO) to transparently obtain user credentials. To use this method, your network requires a Kerberos infrastructure, including a key distribution center (KDC) with an authentication server and ticket granting service. The firewall must have a Kerberos account, including a principal name and password.

captive portal info here..
https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-web-interface-help/policies/policies-captive-portal

Sure Kerberos could be used for SSO, but it's just easier to use the NTLM credential forwarding or sharing from the web browser. Using CP and NTLM SSO Palo doesn't have a known user association the firewall (I think it's the FW and not the UIAs) will ask the browser via NTLM for the credentials the web browser has. The FW then takes those creds and asks AD if they're valid. If they are then that user mapping association is stored in the FW for the configured time period.

Using this NTLM method doesn't require anything additional to be setup in anyone's environment. The draw back here is, it requires the use of a web browser. So if there's an IP change and a lack of user attribution and the user is only using "thick clients" (Like outlook) this NTLM feature won't work. The user would need to browse the web for this attribution process to work.