User-ID mapping

Hello. We have this kind of problem. This user has privileges allowing visits to this category and the other one, but the PA very frequently identifies the user by IP, not by username (with User-ID). We use the agentless client for mapping between the PA and our AD.

The problem happens very often with a small number of users (for example, exactly with this one). Maybe some of you have already faced this?

Thanks in advance.

L7 Applicator

Re: User-ID mapping

@AzerbaijanSupermarkets,

Could you send a screenshot of your User Mapping settings, specifically what your User Identification Timeout is set to? The biggest cause for this type of issue is an improper Log Monitor Frequency or having the User Identification Timeout set too low to actually keep the user mapped to the IP.

Re: User-ID mapping

BPry,

You think that I should set this timeout higher than 45 minutes?

L7 Applicator

Re: User-ID mapping

@AzerbaijanSupermarkets,

Most definitely this is what's causing your issue. If the user does not generate an authentication event on the server within the 45-minute time period, you are losing the mapping. Most office workers, especially on Windows, will not be generating any events on the AD server for the agent to read within a 45-minute time period.

Re: User-ID mapping

@BPry

I changed this time to 3 hours. Right now this problem happens only with one user. Hope this is going to help me.
Thank you.

L3 Networker

Re: User-ID mapping

Sorry for hijacking this thread, but I have been looking for a recommendation when it comes to user-id timeout value. We have a few thousand users logging in and out of Citrix throughout the day, but others work only locally on their laptops. We have user-id agents on all domain controllers and TS agents on all Citrix servers. In addition we have loads of users with BYOD devices on a wireless network where we get IP-user-mappings from the wireless controllers (Syslog events).

L7 Applicator

Re: User-ID mapping

@TerjeLundbo,

The timeout value really depends on the environment. In an active environment where people will be generating logging events throughout the day, such as Citrix, the time can be set relatively low. When employees are working on one machine throughout the day I would generally set the timeout to equal your average work period, for example 480 mins for a total of an 8 hour ageout period.

The only thing to really remember is that setting a higher ageout period could cause users to maintain the last user mapping longer than intended. In the majority of rulebases this wouldn't really be a big concern, but that would be dependent on what your configuration actually looks like.
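
An added illustration, not part of any post in this thread: a simplified Python model of the trade-off discussed above, in which a mapping stays live only for the timeout after the last authentication event read from the domain controller. The event times, the 08:00-17:00 shift and all function names are constructed assumptions; real deployments may refresh mappings from other sources.

```python
from datetime import datetime, timedelta

# Constructed sample: times at which one user's authentication events reached
# the domain controller on a single workday (not data from the thread).
DAY = datetime(2024, 1, 8)
START, END = DAY.replace(hour=8), DAY.replace(hour=17)  # assumed 08:00-17:00 shift
EVENTS = [DAY.replace(hour=h, minute=m) for h, m in [(8, 0), (8, 20), (12, 5), (13, 0)]]


def unmapped_windows(events, timeout_min, start=START, end=END):
    """Intervals inside [start, end] where no IP-to-user mapping is live."""
    ttl = timedelta(minutes=timeout_min)
    gaps, covered_until = [], start
    for ev in sorted(e for e in events if start <= e <= end):
        if ev > covered_until:          # previous mapping aged out before this event
            gaps.append((covered_until, ev))
        covered_until = max(covered_until, ev + ttl)
    if covered_until < end:             # mapping aged out before the user left
        gaps.append((covered_until, end))
    return gaps


def unmapped_minutes(events, timeout_min):
    """Total minutes of the shift during which traffic matches by IP only."""
    return sum(int((b - a).total_seconds() // 60)
               for a, b in unmapped_windows(events, timeout_min))


def stale_minutes(events, timeout_min, end=END):
    """Minutes the last mapping outlives the user's departure at `end`."""
    expiry = max(events) + timedelta(minutes=timeout_min)
    return max(0, int((expiry - end).total_seconds() // 60))


if __name__ == "__main__":
    for t in (45, 180, 480):
        print(f"timeout={t:>3} min  unmapped={unmapped_minutes(EVENTS, t):>3} min  "
              f"stale after 17:00={stale_minutes(EVENTS, t):>3} min")
```

With this sample, a longer timeout closes the unmapped gaps during the shift, while the 480-minute value leaves the IP attributed to the user after they have left, which is the caveat about maintaining the last mapping longer than intended.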

L3 Networker

Re: User-ID mapping

Thanks @BPry

My worry is that by setting the timeout value low to keep user-id from Citrix updated we risk timing out users working on thick clients that do not generate security log events frequently. Would adding our Exchange servers to the userid agents help with that? Our desktop/laptop users generally have Outlook open all the time.

L7 Applicator

Re: User-ID mapping

@TerjeLundbo,

What do you currently have your ageout value set to? You generally would not want to get any info from your Exchange servers.

L3 Networker

Re: User-ID mapping

@BPry

45 minutes.
