How I got a job at Hogwarts using User-ID

L4 Transporter

Bob Williamson, a community member, presented at Ignite yesterday afternoon. His presentation was called "How I got a Job at 'Hogwarts' Using User-ID and Scheduling in a Highly Technologically Diverse, Apple-heavy K-12 Environment."


Bob uses a single PA-500 to manage a very unique K-12 environment. It is much different from a college in terms of what needs to be blocked, and it is different from a typical K-8 because the school network he manages has a boarding component and there are different internet requirements on weekends versus weekdays. Many of the boarders are international students who need to communicate with their parents back home using Skype. Bob must maintain good quality of service if some students are using Skype, but also needs to keep the internet fast for the other boarders.


The key feature of Palo Alto Networks firewalls that helps him manage his network is User-ID. User-ID is really important in a Mac environment like the one at this school.


It was great to hear Bob speak about his work. If you have any questions or comments about this presentation, feel free to post them here!

L2 Linker


I would like to know how Bob got User-ID configured specially to identify Mac or Linux/UNIX client systems that don't directly authenticate to Microsoft Active Directory. I know that we can configure User-ID to constantly monitor Microsoft Exchange logon events produced by clients accessing their email, but what if the client doesn't use Exchange and just browses on their mobile device? Did he use Captive Portal?



L4 Transporter


I use two methods to get User-ID from OS X.

First, I bind the OS X units to AD. This is under the user settings. When the user logs on, they get authenticated against the DCs and the User-ID agent picks that up.

Second, I have Captive Portal turned on for each of the zones I am interested in. The captive portal talks directly to Active Directory and authenticates the user when they type their username/password.

The final piece is to make sure that your group mappings are tied to AD via LDAP.

Works pretty darned good, if the users actually log off and don't just close the lid on their laptop!

Hope that helps,
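Added example, not code from Bob's post or from Palo Alto Networks: a small Python check over a User-ID mapping dump shaped like the output of `show user ip-user-mapping all`, which surfaces the case Bob mentions (laptops closed rather than logged off, leaving mappings behind) and confirms both the AD and Captive Portal (CP) sources are producing entries. The column layout and every sample row are constructed assumptions for this example, not captured firewall output.

```python
import re
from collections import defaultdict

# Constructed sample modelled on a PAN-OS "show user ip-user-mapping all"
# dump. The column layout is an assumption for this example; usernames and
# addresses are made up.
SAMPLE = """\
IP              Vsys   From    User                  IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- --------------------- -------------- -------------
10.20.1.15      vsys1  AD      hogwarts\\hgranger    2750           9200
10.20.1.16      vsys1  AD      hogwarts\\hgranger    35             1100
10.20.1.40      vsys1  CP      hogwarts\\rweasley    1400           3100
10.20.2.9       vsys1  AD      hogwarts\\hpotter     12             500
10.20.2.30      vsys1  CP      hogwarts\\nlongbottom 2980           3500
"""

# Data rows end in two integer timer columns; the header and dash rule do not.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")

def parse_mappings(text):
    """Turn the dump into a list of dicts, skipping header and rule lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ip, vsys, src, user, idle, mx = m.groups()
            rows.append({"ip": ip, "vsys": vsys, "source": src,
                         "user": user, "idle": int(idle), "max": int(mx)})
    return rows

def near_expiry(rows, seconds=60):
    """IPs whose idle timer is nearly exhausted: a laptop that was closed
    instead of logged off sits here until the mapping ages out, and the
    address can then be reissued by DHCP to a different device."""
    return [r["ip"] for r in rows if r["idle"] <= seconds]

def multi_ip_users(rows):
    """Users mapped on more than one IP at once (e.g. moved from wired to
    wireless without logging off, so the old mapping is still live)."""
    by_user = defaultdict(set)
    for r in rows:
        by_user[r["user"]].add(r["ip"])
    return {u: sorted(ips) for u, ips in by_user.items() if len(ips) > 1}

def count_by_source(rows):
    """How many mappings each source (AD agent, Captive Portal) produced."""
    counts = defaultdict(int)
    for r in rows:
        counts[r["source"]] += 1
    return dict(counts)
```

Run `parse_mappings` over a real dump to get the same three checks; a user showing up on several IPs, or many AD mappings about to expire, is the signature of the "closed the lid" problem rather than a firewall fault.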


L2 Linker

Hi Bob,

Thanks for your reply.

To bind the OS X devices, did you do it on each device manually? Regarding the captive portal, I think I have no other choice but to enable that for our mobile users like Android if they don't use any other authentication method like Exchange/AD.