Internet disconnection when switching from wired to wireless



L1 Bithead

We have newly implemented Palo Alto in our network. Internet access is provided to users based on their AD username, using the User-ID Agent in Active Directory. When a user who is logged in on a wired connection switches to wireless, the internet gets disconnected. Internet works again if the user logs off and logs in again. Is there anything we can do to avoid this disconnection? Is there any configuration to be done in the firewall or the User-ID agent to avoid this?

Note: Wired and wireless connections are on different subnets. The whole subnet is included in the User-ID agent.

I would appreciate any help on this.

8 REPLIES

L7 Applicator

A LAN disconnect/connect will cause an event log entry. Perhaps you could invoke a script to map a drive or perform some other domain activity when the event is logged; this will cause a new IP mapping to be registered in AD, and User-ID will pick this up...

FYI.

Event ID: 10000 (Network Connection Established)

Event ID: 10001 (Network Connection Removed)

Others may prefer a captive portal option, but I cannot advise on it as I don't use it.

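The event-triggered script suggested above, written out as an added example (it is not code from the thread or from Palo Alto Networks). It registers a per-user scheduled task that fires on the "Network Connected" event (ID 10000 in the Microsoft-Windows-NetworkProfile/Operational log) and forces authenticated domain activity from the new address: reading a DC share over SMB produces a Kerberos service-ticket request and a network logon on that DC, which appear in its Security log with the client's current source IP, which is what the User-ID agent reads. It assumes a Windows 10/11 domain member, Windows PowerShell 5.1, and a one-time run as a local administrator; the task name, script path and log file are this example's own choices.

```powershell
# Added example, not from the thread: fire on NetworkProfile event 10000 and touch a DC
# as the logged-on user so the DC's Security log records the user with the new IP.
# Assumptions: domain-joined Windows 10/11, Windows PowerShell 5.1, run once as local admin.

$TaskName   = 'UserID-Refresh-On-NetworkChange'                      # example's own name
$ScriptPath = 'C:\ProgramData\UserID\Refresh-UserIdMapping.ps1'      # example's own path

# 1. The script the task runs, in the logged-on user's own security context.
$refreshScript = @'
Start-Sleep -Seconds 10                           # let DHCP/DNS settle after the link came up
$domain = $env:USERDNSDOMAIN
$dc     = $env:LOGONSERVER -replace '^\\\\', ''   # the DC that authenticated this user
if (-not $domain -or -not $dc) { exit 0 }         # not a domain logon; nothing to refresh
$log = Join-Path $env:LOCALAPPDATA 'UserID-Refresh.log'
try {
    # The local address Windows picks to reach the DC is what the DC (and so the
    # firewall) will see; record it so it can be compared with the firewall's mapping.
    $dcIp = [System.Net.Dns]::GetHostAddresses($dc) |
            Where-Object AddressFamily -eq 'InterNetwork' | Select-Object -First 1
    $src  = (Find-NetRoute -RemoteIPAddress $dcIp.IPAddressToString)[0].IPAddress
    # Any authenticated access works; SYSVOL exists on every DC and needs no mapped drive.
    Get-ChildItem -LiteralPath "\\$dc\SYSVOL\$domain\Policies" -ErrorAction Stop | Out-Null
    "$(Get-Date -Format s) $env:USERDOMAIN\$env:USERNAME touched \\$dc from $src" | Add-Content $log
} catch {
    "$(Get-Date -Format s) refresh failed: $($_.Exception.Message)" | Add-Content $log
}
'@
New-Item -ItemType Directory -Path (Split-Path $ScriptPath) -Force | Out-Null
Set-Content -LiteralPath $ScriptPath -Value $refreshScript -Encoding ASCII

# 2. Event trigger. New-ScheduledTaskTrigger has no event form, so build the CIM instance.
$triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Enabled = $true
$trigger.Delay   = 'PT5S'
$trigger.Subscription = @"
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-NetworkProfile/Operational">
    <Select Path="Microsoft-Windows-NetworkProfile/Operational">*[System[EventID=10000]]</Select>
  </Query>
</QueryList>
"@

# 3. Action and principal. BUILTIN\Users runs the task in the interactive session of
#    whichever domain user is logged on, with that user's Kerberos tickets, so the DC
#    attributes the logon to the user rather than to SYSTEM or the computer account.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File `"$ScriptPath`""
$principal = New-ScheduledTaskPrincipal -GroupId 'BUILTIN\Users' -RunLevel Limited
$settings  = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 2)

Register-ScheduledTask -TaskName $TaskName -Trigger $trigger -Action $action `
    -Principal $principal -Settings $settings -Force | Out-Null
```

Because the task runs as the user, keep the script file writable only by administrators (the default ACL under ProgramData does this for files an administrator creates). After switching networks, the local log line shows which source address was used, and the DC's Security log should show a 4624 or 4769 event for that user from the same address within a few seconds; if the firewall still shows the old mapping, the problem is on the agent or firewall side, not the client.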
@Mick_Ball Thanks for the reply.

Is there a way in Palo Alto to provide internet on the basis of the Windows user logon, without considering the IP mapped to the user account?

The Group Mapping option in Palo Alto: can this be used to achieve this?

Well, yes and no!

Group Mapping can be used for policies, but to be a member of a group you must have a name, and you will only have a name if your IP address is logged in Windows AD.

Have a look at captive portal. It can be used transparently, as per the comments below.

The firewall uses Kerberos single sign-on (SSO) to transparently obtain user credentials. To use this method, your network requires a Kerberos infrastructure, including a key distribution center (KDC) with an authentication server and ticket granting service. The firewall must have a Kerberos account, including a principal name and password.

Captive portal info here:

https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-web-interface-help/policies/policies-captive-por...

@Mick_Ball 

The logon event appears in the domain controller with the new source IP address when the user switches networks only when there is domain activity. Is this normal behaviour of the Active Directory logs, or should the logon event appear in the domain immediately when there is a change in the IP address on the client machine?

Yes, this is normal.

The User-ID agent reads the security log on the AD server. An IP change will not populate this log, but when domain activity is registered, it will log this along with the user's IP for audit purposes.

You need to use other IP mapping methods or invoke a script to force domain activity on IP change.

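To check what the security log actually contains after a network switch, here is an added example (not from the thread or from Palo Alto Networks) that reproduces on a domain controller the user-to-IP pairing the agent derives from logon and Kerberos audit events, so you can see whether a client's new address has been logged at all. It assumes it runs on a DC, or with -ComputerName pointing at one, as an account allowed to read the Security log; event IDs 4624 (logon), 4768 (Kerberos TGT) and 4769 (Kerberos service ticket) are standard Windows audit events. The sample event at the end is constructed so the parser can be exercised offline.

```powershell
# Added example, not from the thread: derive "newest IP per user" from a DC's Security log,
# the same raw material the User-ID agent works from, to verify that a client's new address
# has been logged. Assumptions: run on (or against) a DC with rights to read the Security log.

function ConvertFrom-LogonEventXml {
    # Parse one 4624/4768/4769 event (as XML) into user + source IP, or nothing if unusable.
    param([Parameter(Mandatory)][string]$Xml)
    $e  = [xml]$Xml
    $ns = New-Object System.Xml.XmlNamespaceManager($e.NameTable)
    $ns.AddNamespace('ev', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $id   = [int]$e.SelectSingleNode('/ev:Event/ev:System/ev:EventID', $ns).InnerText
    $time = $e.SelectSingleNode('/ev:Event/ev:System/ev:TimeCreated', $ns).GetAttribute('SystemTime')
    $data = @{}
    foreach ($d in $e.SelectNodes('/ev:Event/ev:EventData/ev:Data', $ns)) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    $user = $data['TargetUserName']
    if ($id -eq 4769 -and $user) { $user = ($user -split '@')[0] }   # 4769 carries user@REALM
    $ip = $data['IpAddress']
    if ($ip) { $ip = $ip -replace '^::ffff:', '' }                    # IPv4-mapped IPv6 form
    # Skip computer accounts, loopback/local noise and events that carry no address;
    # those would otherwise overwrite a real user's mapping, which is what the agent avoids too.
    if (-not $user -or $user.EndsWith('$') -or -not $ip -or $ip -in @('-', '::1', '127.0.0.1')) { return }
    [pscustomobject]@{
        Time    = [System.Xml.XmlConvert]::ToDateTime($time, [System.Xml.XmlDateTimeSerializationMode]::Utc)
        EventId = $id
        User    = "$($data['TargetDomainName'])\$user"
        IP      = $ip
    }
}

function Get-UserIdMappings {
    # Newest address seen per user in the last $Hours, i.e. what the agent would currently map.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 4)
    $filter = @{ LogName = 'Security'; Id = 4624, 4768, 4769; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object { ConvertFrom-LogonEventXml -Xml $_.ToXml() } |
        Sort-Object Time -Descending |
        Group-Object User |
        ForEach-Object { $_.Group[0] }
}

# Constructed sample 4769 (service-ticket request) for exercising the parser offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4769</EventID>
<TimeCreated SystemTime="2019-01-01T09:15:00.000000000Z"/></System><EventData>
<Data Name="TargetUserName">jdoe@EXAMPLE.LOCAL</Data><Data Name="TargetDomainName">EXAMPLE.LOCAL</Data>
<Data Name="ServiceName">DC01$</Data><Data Name="IpAddress">::ffff:10.20.30.40</Data></EventData></Event>
'@
ConvertFrom-LogonEventXml -Xml $sample | Format-List

# On a domain controller:  Get-UserIdMappings | Format-Table Time, User, IP, EventId
```

Run Get-UserIdMappings on the DC the client authenticates against right after the client switches networks: if the user's newest entry still shows the wired-subnet address, nothing on the client generated domain activity and the agent had nothing new to read; if it shows the wireless address but the firewall still maps the old one, look at the agent's polling interval and the firewall's mapping timeout instead.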
L6 Presenter

@regahamz wrote:

We have newly implemented Palo Alto in our network. Internet access is provided to users based on their AD username, using the User-ID Agent in Active Directory. When a user who is logged in on a wired connection switches to wireless, the internet gets disconnected. Internet works again if the user logs off and logs in again. Is there anything we can do to avoid this disconnection? Is there any configuration to be done in the firewall or the User-ID agent to avoid this?

Note: Wired and wireless connections are on different subnets. The whole subnet is included in the User-ID agent.

I would appreciate any help on this.


I posted about this back in 2015.  https://live.paloaltonetworks.com/t5/General-Topics/Dual-NIC-IP-Mapping-Issue/m-p/63710#M38291

Unfortunately it's not as straightforward as you'd think. If you have a Windows client that has both a wired and a wireless NIC, Windows will NOT perform authentication against both NICs. It chooses one or the other. So "those event IDs" that the Palo UIAs need to monitor in order to perform IP-to-ID association will only happen for one NIC at a time, and it's only going to happen once, until another scenario comes along that requires the authentication.

There are ways in Windows to make a particular NIC the "preferred" NIC, so say setting Windows to use the wireless NIC over wired, but Windows won't always adhere to that.

Your best bet is going to be to use the layered authentication mechanism to catch on the fly the user mappings you need. This means using captive portal with NTLM (SSO) authentication.

Ultimately Palo will tell you the "fool-proof way" to get the user mapping is to deploy GlobalProtect clients. Merely using them for user tracking will give you a more reliable way of making sure you always have an IP-to-ID association.


@Mick_Ball wrote:

Have a look at captive portal. It can be used transparently, as per the comments below.

The firewall uses Kerberos single sign-on (SSO) to transparently obtain user credentials. To use this method, your network requires a Kerberos infrastructure, including a key distribution center (KDC) with an authentication server and ticket granting service. The firewall must have a Kerberos account, including a principal name and password.

Captive portal info here:

https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-web-interface-help/policies/policies-captive-por...


Sure, Kerberos could be used for SSO, but it's just easier to use the NTLM credential forwarding or sharing from the web browser. Using CP and NTLM SSO, when Palo doesn't have a known user association, the firewall (I think it's the FW and not the UIAs) will ask the browser via NTLM for the credentials the web browser has. The FW then takes those creds and asks AD if they're valid. If they are, then that user mapping association is stored in the FW for the configured time period.

Using this NTLM method doesn't require anything additional to be set up in anyone's environment. The drawback here is that it requires the use of a web browser. So if there's an IP change and a lack of user attribution, and the user is only using "thick clients" (like Outlook), this NTLM feature won't work. The user would need to browse the web for this attribution process to work.
