User ID WiFi and LAN

L3 Networker

Hello


Our organisation does not use 802.1x authentication in our environment. We have LAN and WiFi for our employees. We want to implement User-ID on the PA with AD domains and the User-ID Agent. However, I could not find documentation on User-ID behaviour in the following scenario:

Our users have laptops and they use the LAN when the laptops are docked in docking stations. But when a user removes a laptop from the docking station, he is immediately connected to WiFi and gets another IP. When he comes back to his desk, he is connected via the LAN again.


Is there any documentation on how such a situation is handled by User-ID, and what are the best practices in such a scenario?


Thanks and Regards,

R

6 REPLIES 6

L5 Sessionator

Hi rjdahav163,


In this case, maybe you should have a look at deploying GP on all laptops and use GP on both the external and internal gateway with transparent authentication.

Switching from wired to WiFi authentication is really fast.


Ref:

https://www.paloaltonetworks.com/documentation/60/globalprotect/global_protect_6-0/globalprotect-qui...


Hope this helps.

Cyber Elite

@rjdahav163,

The computer already has an IP and a mapping on your wireless network, but the binding order makes it so that it uses the ethernet connection instead of the wireless connection. The mapping will simply have two IP addresses listed for that user. For example, if my laptop is docked I'm mapped to say 10.*.*.* but my wireless connection is listed as 172.16.*.*, then the firewall will show my user-id mapping to both 10.191.16.17 and 172.16.1.2 at the same time. Once my laptop is undocked, I simply see the user's traffic move its source address to 172.16.1.2, but the mapping doesn't really change.
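To make the behaviour BPry describes concrete, here is an added example (not Palo Alto Networks code, and not from anyone in this thread) that models an IP-to-user mapping table: one user holding the two addresses quoted above at the same time, flows attributed by source IP lookup, and an entry ageing out on its own when it is not refreshed. The `UserIdTable` class, the `simulate` function and the 45-minute timeout are assumptions of this example.

```python
from dataclasses import dataclass, field

# Constructed model of an IP-to-user mapping table as described in the thread:
# one user may hold several IP addresses at once (docked LAN address and
# wireless address), and each flow is attributed by looking up its source IP.
# Class names and the 45-minute timeout are assumptions of this example.

@dataclass
class Mapping:
    user: str
    learned_at: float   # seconds, from the constructed clock below
    timeout: float      # seconds before the entry is considered stale

@dataclass
class UserIdTable:
    entries: dict = field(default_factory=dict)  # ip -> Mapping

    def learn(self, ip, user, now, timeout=45 * 60):
        # A new IP for an already-mapped user ADDS an entry; it does not
        # replace the user's other addresses.
        self.entries[ip] = Mapping(user, now, timeout)

    def resolve(self, ip, now):
        # Policy attribution works per flow, keyed by source IP only.
        m = self.entries.get(ip)
        if m is None or now - m.learned_at > m.timeout:
            return None
        return m.user

    def ips_for(self, user, now):
        # All live addresses currently attributed to this user.
        return sorted(ip for ip, m in self.entries.items()
                      if m.user == user and now - m.learned_at <= m.timeout)

def simulate():
    t = UserIdTable()
    t.learn("10.191.16.17", "bpry", now=0)   # docked (LAN) address
    t.learn("172.16.1.2", "bpry", now=0)     # wireless address, learned too
    docked = t.resolve("10.191.16.17", now=60)
    undocked = t.resolve("172.16.1.2", now=60)   # same user, no re-learn needed
    both = t.ips_for("bpry", now=60)             # both addresses are live
    unknown = t.resolve("192.0.2.10", now=60)    # unmapped source -> no user
    stale = t.resolve("10.191.16.17", now=46 * 60)  # LAN entry never refreshed
    return docked, undocked, both, unknown, stale
```

The last lookup shows the defender-side caveat: an address the user has left keeps resolving to that user until its timeout expires, so mapping timeouts should be shorter than DHCP lease reuse on networks where addresses churn quickly.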

Thanks VinceM for your reply. So if I understand correctly, when the internal network is detected GP will not initiate a VPN, right, but only send the IP-username association to the FW?


Thanks BPry for your reply. Your solution looks good. I will try it out and post feedback.

I agree with BPry's solution; we currently have a similar setup in our environment and it works just fine between LAN/WLAN.

Correct, internally, just use GP on the internal gateway for user authentication. No tunnel, just authentication.

And if you want to go further, you can, in future, use HIP to give access to dedicated resources 🙂


Rgds


V.
