I'm seeing an issue currently where a handful of my hundreds of AD users are being directed to the CP landing page despite their workstations being on our domain, and with valid AD user accounts. They are all on Macs and have the same configuration as every other mac. If I check our DCs for the user security log entries I can see the necessary security logs for a problem user but the PAN agents do not show any user-ip mapping at all.
I'm not sure where to start looking for issues, since it is just a handful of users but it shouldn't be occurring.
Any ideas? (further info available if you need it)
Hi... Maybe these users are not as active as the other Mac users and their credentials have expired on the User-ID agent. A suggestion is to increase the cache credential timeout (User Identification timeout) to extend the cache period. Typically, I recommend the timeout be set to the DHCP lease period of your network.
Hi - have you got any further on this?
I have a similar issue - a subset of users (inc. me at the moment!) seem to be much less reliable than the vast majority. I can actually see my mapping being created, then removed, within 10 seconds, as if something is overwriting the record.
The one thing I'm looking at the moment is the 'server enumeration' function in the Agent - as the documentation says that this will remove a current map if it does not match what the enumeration returns.
Hi... Which document are you reading about the 'server enumeration' function in the agent, and what version of PAN-OS & agent are you running?
At the time your mapping was removed, you can search within the agent on your IP and see if another user was mapped to your IP. Mapping entries are removed only when cache timeout has expired, user logoff, or another user login under the same IP.
Thanks for the reply.
PAN-OS is 4.1.2 and UserID is 4.1.4-3.
The doc was 'User Identification Operations 4.0', and it says:
"Open Server Sessions
Any connections to a file or print service on the Domain Controller will also be read by the agent. If the user / IP combination for the session does not match the combination that the Agent last learned the mapping will be removed and the user at the IP address will become unknown. The agent will not update user data as a result of information learned from the open server sessions. If the open session confirms the user at the IP address then that mapping will have its lifetime renewed."
I could not see another user mapping to the IP when this occurs for me and, as a test I disabled Server Session tracking, and the problem (appears) to have gone away!
Maybe a service account is used for the file/print connections and the account is different than your login account. Checking the server's log may confirm this.
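To make the quoted "Open Server Sessions" behaviour concrete, here is a small added model (not code from the thread or from Palo Alto Networks) of how a mapping cache that follows those rules reacts to a service-account file/print session from the same IP. The cache timeout, the `ignore_users` list and the `track_sessions` switch are assumptions standing in for the agent's settings; the IP and account names are constructed.

```python
from dataclasses import dataclass


@dataclass
class Mapping:
    user: str
    expires: int  # seconds on a simple relative clock


class UserIdCache:
    """Toy user-to-IP mapping cache following the quoted agent rules."""

    def __init__(self, timeout, ignore_users=(), track_sessions=True):
        self.timeout = timeout                         # assumed cache timeout
        self.ignore = {u.lower() for u in ignore_users}  # assumed ignore list
        self.track_sessions = track_sessions           # assumed on/off switch
        self.map = {}                                  # ip -> Mapping

    def logon_event(self, now, ip, user):
        """Security-log logon: learn (or overwrite) the mapping for this IP."""
        if user.lower() in self.ignore:
            return
        self.map[ip] = Mapping(user, now + self.timeout)

    def server_session(self, now, ip, user):
        """Open file/print session on the DC: may renew or remove, never create."""
        if not self.track_sessions or user.lower() in self.ignore:
            return
        m = self.map.get(ip)
        if m is None:
            return                                     # sessions do not create mappings
        if m.user.lower() == user.lower():
            m.expires = now + self.timeout             # confirmed: renew lifetime
        else:
            del self.map[ip]                           # mismatch: IP becomes unknown

    def lookup(self, now, ip):
        m = self.map.get(ip)
        if m is None or m.expires <= now:
            self.map.pop(ip, None)
            return None
        return m.user


def demo(track_sessions=True, ignore_users=()):
    """Constructed scenario: a user logs on, then a print-queue service account
    opens a session from the same IP a few seconds later."""
    cache = UserIdCache(3600, ignore_users, track_sessions)
    cache.logon_event(0, "10.0.0.5", "jdoe")
    cache.server_session(5, "10.0.0.5", "svc-print")
    return cache.lookup(10, "10.0.0.5")
```

With the defaults the mapping for `jdoe` is gone after the service-account session; disabling session tracking, or listing the service account so it is ignored, keeps the mapping.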