topic Re: error user in group mapping in General Topics

error user in group mapping

BigPalo — Fri, 13 Nov 2020 11:51:15 GMT

Hello,

After upgrading to 8.1.X > 9.0.X > 9.1.x. we found that some ldap users do not check per user policies, only for ip politicies.

The firewall has no user-id configured, only tree server ldap.

we check that the firewall recognizes the Ldap tree.

Is there any issue of incompatibility with the version?

Thanks.

Re: error user in group mapping

BPry — Sat, 14 Nov 2020 01:09:38 GMT

@BigPalo ,

Can you describe your issue a bit more. I'm not sure exactly what you mean by "some ldap users do not check per user policies, only for ip politicies". Are you trying to get these users to match user based rulebase entries?

Re: error user in group mapping

BigPalo — Mon, 16 Nov 2020 09:24:19 GMT

Hi,

I explain the problem in more detail. After performing a firmware update from 8.1.X to 9.1.X we found the following problem.

From a PC we authenticate by ldap with the user "cafeteria", we observe in the monitor that the traffic machea by IP and not by user, which causes that it does not do mach due to the policies configured by user and this traffic is dropped

From the same PC, we try with another user "egonzalez" authenticates correctly and we verify in the monitor that it registers by user.

They do not have user-id agent configured. LDAP only with all group mapping.

Is there a bug with the version?

Thanks.

Re: error user in group mapping

aleksandar.astardzhiev — Fri, 20 Nov 2020 14:45:40 GMT

Hi @BigPalo,

What do you mean by "From a PC we authenticate by ldap with the user"?

Group mapping provide information for user group membership (which users are part of specific user group). This inforamtion is used if you want to use user groups (not individual users) in configuration.

Firewall still needs information for the actual user-to-ip mapping? What method are you using for to gather this information? If you don't use user-id agent, are you using Captive portal with Authentication policy?

Re: error user in group mapping

OtakarKlier — Fri, 20 Nov 2020 20:33:49 GMT

Hello,

Might want to search the release notes, however I have not seen this before. How are your user-id's getting processed, i.e. pointing at Domain Controllers, exchange, etc.? When the firewalls reboot, the user-id mappings get flushed if using agentless. So if the user-id doesnt see a new login, it will not show the mapping. I have seen a lot and hence I use Exchange logs rather than domain controllers since Outlook is constantly authenticating against the exchange servers.

Regards,

Re: error user in group mapping

BigPalo — Wed, 25 Nov 2020 09:20:34 GMT

Hi Alexander,

I explain you, In the monitor we observe that sometimes the user's mach is observed and other times that of his IP. We have seen the following log when this happens: domain xxxx does not exist in group-mapping

Currently the firewall has agentless user identification configured. The problem appear with the upgrade 9.1.5.

Thanks.

Re: error user in group mapping

BigPalo — Wed, 25 Nov 2020 09:59:54 GMT

hello,

Exactly, that is the problem. The problem appear with the reboot in the upgrade 9.1.5.
The firewall has agentless user identification configured. ¿Does you recommend me change the configuration of the server type Microsoft Active Directory to Microsoft Exchange?

Thanks.