https://live.paloaltonetworks.com/t5/general-topics/user-id-non-domain-windows-systems-not-being-logged/m-p/340993#M85558 <P>Hi</P><P>&nbsp;</P><P>User-ID works by monitoring the security event log for logon events (Event ID 4624 and a few others). Non-domain computers will not have such an event, so no mapping. For these cases the easiest method is for you to set up Captive Portal. Put simply: when they try to open a web page it reaches the firewall which does not see a IP-to-User mapping and redirects the browser to a landing page on the firewall requesting credentials, these in turn get authenticated via your LDAP profile to a DC and added to the mapping table.</P><P>&nbsp;</P><P>Some notes:</P><P>1. IP's instead of usernames usually means no IP-to-User mapping for that IP address.</P><P>2. Use this command in SSH to the firewall 'show user ip-user-mapping all'. It will help debugging as this is the current known IP-to-User mapping</P><P>3. In the User-Identification window increase the cache timeout. The default is 45 minutes and is too short in my opinion. I use 300 minutes. This controls when a record is removed from the mapping table if no more updates from that IP address.</P><P>4. You can add Security policies with user type 'unknown' and also Authentication Policies to handle unknown users and what they can or cannot reach in your network.</P><P>5. You can also user Exchange Monitoring instead of, or in addition to, Captive Portal. Outlook keeps a connection to Exchange and this might be even easier to set up and detect that Captive Portal.</P><P>&nbsp;</P><P>Hope this helps,</P><P>&nbsp;</P> Tue, 28 Jul 2020 06:29:47 GMT ShaiW 2020-07-28T06:29:47Z https://live.paloaltonetworks.com/t5/general-topics/user-id-non-domain-windows-systems-not-being-logged/m-p/340986#M85556 <P>Hello PAN community,<BR /><BR />I have setup user-ID with Active Directory and the hostnames and user names for domain joined systems are being logged in the firewall's monitor.</P><P>Some systems have their hostnames resolved, but others are just showing IP addresses. Does anyone know why?</P><P>Second, I'm also trying to see if user-ID can pick up source names and hostnames IF the systems they're on is not windows joined domain, but just in a workgroup.&nbsp; These non-domain systems, the users also use AD credentials to access network shares if that's relevant.<BR /><BR />Thank you and appreciate the any feedback.</P> Tue, 28 Jul 2020 04:57:20 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-non-domain-windows-systems-not-being-logged/m-p/340986#M85556 mrmrtechky 2020-07-28T04:57:20Z https://live.paloaltonetworks.com/t5/general-topics/user-id-non-domain-windows-systems-not-being-logged/m-p/340993#M85558 <P>Hi</P><P>&nbsp;</P><P>User-ID works by monitoring the security event log for logon events (Event ID 4624 and a few others). Non-domain computers will not have such an event, so no mapping. For these cases the easiest method is for you to set up Captive Portal. Put simply: when they try to open a web page it reaches the firewall which does not see a IP-to-User mapping and redirects the browser to a landing page on the firewall requesting credentials, these in turn get authenticated via your LDAP profile to a DC and added to the mapping table.</P><P>&nbsp;</P><P>Some notes:</P><P>1. IP's instead of usernames usually means no IP-to-User mapping for that IP address.</P><P>2. Use this command in SSH to the firewall 'show user ip-user-mapping all'. It will help debugging as this is the current known IP-to-User mapping</P><P>3. In the User-Identification window increase the cache timeout. The default is 45 minutes and is too short in my opinion. I use 300 minutes. This controls when a record is removed from the mapping table if no more updates from that IP address.</P><P>4. You can add Security policies with user type 'unknown' and also Authentication Policies to handle unknown users and what they can or cannot reach in your network.</P><P>5. You can also user Exchange Monitoring instead of, or in addition to, Captive Portal. Outlook keeps a connection to Exchange and this might be even easier to set up and detect that Captive Portal.</P><P>&nbsp;</P><P>Hope this helps,</P><P>&nbsp;</P> Tue, 28 Jul 2020 06:29:47 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-non-domain-windows-systems-not-being-logged/m-p/340993#M85558 ShaiW 2020-07-28T06:29:47Z https://live.paloaltonetworks.com/t5/general-topics/user-id-non-domain-windows-systems-not-being-logged/m-p/341016#M85564 <P>If you use network authentication (802.1x) you can setup integration between your Radius server and Palo Alto to establish IP-user mappings for non-domain clients. We use Aruba ClearPass, but there are integration guides for other products also.</P> Tue, 28 Jul 2020 09:45:52 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-non-domain-windows-systems-not-being-logged/m-p/341016#M85564 TerjeLundbo 2020-07-28T09:45:52Z https://live.paloaltonetworks.com/t5/general-topics/user-id-non-domain-windows-systems-not-being-logged/m-p/341909#M85745 <P>Hi ShaiW,<BR /><BR />Thank you for your time in providing your feedback.&nbsp; For the captive portal, does that mean every time the non-domain clients</P><P>logon, they must open up a webpage to authenticate to the firewall in order for the IP-to-User mapping to happen?<BR />If the client does not need to use a browser that day, then the mapping will not happen, correct?<BR />How does the initial authentication happen, do the users need a firewall local account too?</P><P>&nbsp;</P><P>Thank you,<BR />Mrmrtechky</P> Mon, 03 Aug 2020 22:56:24 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-non-domain-windows-systems-not-being-logged/m-p/341909#M85745 mrmrtechky 2020-08-03T22:56:24Z https://live.paloaltonetworks.com/t5/general-topics/user-id-non-domain-windows-systems-not-being-logged/m-p/341910#M85746 <P>Hi Terje,</P><P>&nbsp;</P><P>Thank you for your reply.&nbsp; Can you help me to understand a bit more?&nbsp; Are you saying that the Aruba&nbsp;</P><P>is the RADIUS server?&nbsp; The non-domain client would first send the authentication request to the Aruba and then pass</P><P>those creds to the Windows DC and then which the Palo accepts the authentication?<BR /><BR />Thank you,<BR />Mrmrtechky</P> Mon, 03 Aug 2020 23:04:07 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-non-domain-windows-systems-not-being-logged/m-p/341910#M85746 mrmrtechky 2020-08-03T23:04:07Z https://live.paloaltonetworks.com/t5/general-topics/user-id-non-domain-windows-systems-not-being-logged/m-p/541468#M110984 <P>I'm connecting to GlobalProtect VPN using a non-domain joined Windows 11 machine. The behavior I'm seeing is my User-ID is registered with the firewall containing the GlobalProtect gateway, but not in AD--so no data is picked up by the User-ID Agent for distribution (so username/group-based firewall rules work locally, but not on remote firewalls). If I log into a domain controller using RDP, that picks up my credentials and GlobalProtect IP address and then shows up in User-ID Agent (allowing the remote user/group-based rules to work). Is captive portal the best way to handle this or is there a better way? Thank you.</P> Mon, 08 May 2023 18:27:34 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-non-domain-windows-systems-not-being-logged/m-p/541468#M110984 John_Pinegar 2023-05-08T18:27:34Z https://live.paloaltonetworks.com/t5/general-topics/user-id-non-domain-windows-systems-not-being-logged/m-p/548429#M111975 <P>I would also like to know if captive portal is best method for securing connection from a non-domain machine.&nbsp;</P> Thu, 06 Jul 2023 15:27:26 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-non-domain-windows-systems-not-being-logged/m-p/548429#M111975 tshooter 2023-07-06T15:27:26Z