Is User-ID Agent Appv5 compatibility with PAN-OS V6?


L2 Linker

We have a new PA-3020 running on version 6, and I'm using our old Windows User-ID agent running on version 5 that is currently operational in our environment. I've configured the PA-3020 to connect with the User-ID agent, but I'm having an authentication issue.

PAN-3020> show user user-id-agent state all

Agent: ad-agent(vsys: vsys1) Host: 10.2.2.2 (10.2.2.2):5007
        Status                                            : conn:idle
        Version                                           : 0x5
        num of connection tried                           : 4
        num of connection succeeded                       : 2
        num of connection failed                          : 2
        num of status msgs rcvd                           : 192179
        num of request of status msgs sent                : 192191
        num of request of ip mapping msgs sent            : 2013
        num of request of new ip mapping msgs sent        : 0
        num of request of all ip mapping msgs sent        : 292
        num of user ip mapping msgs rcvd                  : 0
        num of ip msgs rcvd but failed to proc            : 0
        num of user ip mapping add entries rcvd           : 0
        num of user ip mapping del entries rcvd           : 0
        num of request of group msgs sent                 : 0
        num of group msgs rcvd                            : 0
        num of group msgs recvd buf fail to proc          : 0
        num of xml data msgs rcvd                         : 0
        num of xml data msgs rcvd but failed to proc      : 0
        Last heard(seconds ago)                           : 3
        Messages State:
          Job ID                                          : 0
          Sent messages                                   : 210810
          Rcvd messages                                   : 207229
          Lost messages                                   : 0
          Failed to send messages                         : 0
          Queued sending msgs with priority 0             : 0
          Queued sending msgs with priority 1             : 0
          Queued rcvring msgs with priority 0             : 0
          Queued rcvring msgs with priority 1             : 0

PAN-3020> show user user-id-agent statistics

Name             Host            Port  Vsys    State             Ver Usage
---------------------------------------------------------------------------
ad-agent         10.2.2.2        5007  vsys1   conn:idle         5   P N

Usage: 'P': LDAP Proxy, 'N': NTLM AUTH, '*' Currently Used

The error that I got is an authentication failure, and it says the user is not in the allow-list even though I've configured the groups based on LDAP group mapping.

Has anyone encountered this issue?

Thanks,

Erwin
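
Added example (not from the thread or from Palo Alto Networks): a Python parser for the `show user user-id-agent state all` output above that flags the pattern visible in Erwin's capture, status messages flowing but zero IP-user mapping messages received. The sample text and the 60-second staleness threshold are constructed assumptions for illustration.

```python
import re

# Constructed sample, modelled on the `show user user-id-agent state all` output in the post.
SAMPLE_STATE = """\
Agent: ad-agent(vsys: vsys1) Host: 10.2.2.2 (10.2.2.2):5007
        Status                                            : conn:idle
        Version                                           : 0x5
        num of connection tried                           : 4
        num of connection failed                          : 2
        num of status msgs rcvd                           : 192179
        num of request of ip mapping msgs sent            : 2013
        num of user ip mapping msgs rcvd                  : 0
        num of user ip mapping add entries rcvd           : 0
        Last heard(seconds ago)                           : 3
"""

def parse_agent_state(text):
    """Parse the agent header line and the 'counter : value' lines into a dict."""
    state = {}
    m = re.search(r"Agent:\s*(\S+?)\(vsys:\s*(\w+)\)\s*Host:\s*(\S+)\s*\(([\d.]+)\):(\d+)", text)
    if m:
        state.update(agent=m.group(1), vsys=m.group(2), host=m.group(3),
                     ip=m.group(4), port=int(m.group(5)))
    for line in text.splitlines():
        if ":" not in line or line.lstrip().startswith("Agent:"):
            continue
        key, _, value = line.partition(":")              # split on the first colon only,
        key, value = key.strip().lower(), value.strip()  # so 'conn:idle' survives intact
        if key == "version":
            state["version"] = int(value, 16)            # shown as hex, e.g. 0x5
        else:
            state[key] = int(value) if value.isdigit() else value
    return state

def assess(state):
    """Return findings that explain why the firewall holds no IP-to-user mappings."""
    findings = []
    tried = state.get("num of connection tried", 0)
    failed = state.get("num of connection failed", 0)
    if failed and 2 * failed >= tried:
        findings.append(f"{failed} of {tried} connection attempts failed; check reachability of "
                        f"{state.get('ip')}:{state.get('port')} and the agent service")
    if (state.get("num of status msgs rcvd", 0) > 0
            and state.get("num of user ip mapping msgs rcvd", 0) == 0
            and state.get("num of user ip mapping add entries rcvd", 0) == 0):
        findings.append("agent answers status polls but has delivered zero IP-user mappings; "
                        "verify the agent actually receives AD security logs")
    if state.get("last heard(seconds ago)", 0) > 60:    # assumed threshold, not a PAN-OS value
        findings.append("agent not heard from recently; the connection may be stale")
    return findings
```

Paste the real CLI output in place of the constructed sample; a healthy agent shows non-zero mapping counters alongside the status-message counters.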

5 REPLIES

L3 Networker

Hello Erwin,

The User-ID agent is independent of the PAN-OS version, with the only restriction being that you run at least User-ID 3.1.0. However, we recommend that you run the latest User-ID version in your environment for now.

If you see an authentication failure with the reason "user is not in allow list":

- Can you try using a domain name in the LDAP server profile? Use a NetBIOS domain name under the Domain field of the LDAP server profile.

- If the group is in question, please run this CLI command to show that the users are part of the group:

> show user group name <name>

If the users are part of the group, the group is referenced in the drop-down for the Authentication Profile, and the user still fails authentication, can you please set the allow list to "all" and test authentication again.

Regards,

Jahnavi.

L4 Transporter

You can also check whether the LDAP authentication profile being used has the attribute "sAMAccountName" configured.

Sometimes failing to configure the attribute in the LDAP authentication profile can also lead to the error message you have seen.

Thanks

L6 Presenter

Hi ErwinBuena,

To eliminate a possible software issue, allow "any" in the allow-list and check if that works. If that doesn't work, then it's a software bug.

Let's say it works; then it's something to do with group mapping.

Regards,

Hardik Shah

L2 Linker

We have found the issue: the Active Directory is not configured to send security logs to the firewall, which is causing User-ID not to work in version 6. The old box that we're using is running on version 5, and the User-ID agent is running on Windows 2003, which is not compatible with the way PA version 6 handles security logs from Active Directory (AD).

Thanks for posting the issue for us.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center