problem with groups in user-id mapping

Reply
Highlighted
L0 Member

problem with groups in user-id mapping

hi,

i have a problem with using groups (from windows active directory) in security rules.

on our windows active directory i have created a new group fw_finance. we use the PAN user-id agent to get the mapping from ip to user. i mapped this group on our PA-500 (user identification - group mapping settings). than i created a new security rule, that all users in this group can use port 3048 outgoing. so far so good. but if the users in this group try to connect the port 3048 outside, they will be dropped. on CLI i see the following:

tettrich@fw003> show user ip-user-mapping ip 10.50.2.97


IP address:  10.50.2.97

User:        assona\cheXXX

Ident. By:   AD

Idle Timeout: 2417s

Max. TTL:    2417s

Groups that the user belongs to (used in policy)

no group is shown!

tettrich@fw003> show user group name assona.local\fw_finance


group short name: assona.local\fw_finance

[1     ] assona.local\cheiXXX

[2     ] assona.local\XXXXX

[3     ] assona.local\XXXXXXX

[4     ] assona.local\XXXXXX

[5     ] assona.local\XXXXXXX

all users of this group are shown right!

and with show user user-IDs i get also the right information, that user cheiXXX is in the group fw_finance.

PA-500 with software version 4.1.6

User-ID Agent Version 4.1.4-3

can anyone help me?

thanks

tom

L4 Transporter

Re: problem with groups in user-id mapping

Hi Tom,

From the output provided I would guess the domain is set to 'assona.local' when it should be set to NETBIOS name 'assona'.

The output should show as follows:

tettrich@fw003> show user ip-user-mapping ip 10.50.2.97

IP address:  10.50.2.97
User:        assona\cheXXX
Ident. By:   AD
Idle Timeout: 2417s
Max. TTL:    2417s
Groups that the user belongs to (used in policy)
tettrich@fw003> show user group name assona\fw_finance

group short name: assona\fw_finance
[1     ] assona\cheiXXX
[2     ] assona\XXXXX
[3     ] assona\XXXXXXX
[4     ] assona\XXXXXX
[5     ] assona\XXXXXXX

Please let me know if this helps.

- Stefan

L0 Member

Re: problem with groups in user-id mapping

hi stefan,

thanks! i renamed the domain from assona.local to assona and it works. :smileyhappy:

cheers

tom

L0 Member

Re: problem with groups in user-id mapping

Hi,

We have a PA-500 in a single forest single domain environment and have installed UIA on one of our DCs.

Problem is user-id is not working in Security policies and the PA box does not recognise group membership.

Thing I would like to check with you guys are:

-Port number for LDAP server profile which is 389

-User-id agent port; we are using 5007. Should we use another port?

Also show user group name "domain\domain admins" results in the following message:

User group 'domain\domain admins' does not exist or does not have members

Any idea?

L4 Transporter

Re: problem with groups in user-id mapping

Using port 5007 should be fine.

A common mistake when using port 389 is to forget to uncheck 'SSL'. Since ldap port 389 does not use ssl, please verify that 'SSL' is unchecked.

Hope this helps.

-Stefan

L0 Member

Re: problem with groups in user-id mapping

Hi Stefan,

SSL is unchecked.

It was all working good before we updated from PAN-OS 4.1.6 to 4.1.7 then it stopped working.

Have updated to 4.1.8 but still no luck.

Next I'm going to try is to create new Global Security groups and apply rules to those new groups and see how it goes.

Have tried with both Universal and Global groups but ....no change.

Thanks

Vaughan

L4 Transporter

Re: problem with groups in user-id mapping

That just helped me out too! Thanks for the info.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!