Troubleshooting User-ID: Group and User-to-IP Mapping

Printer Friendly Page

Overview

Group mapping and user-IP mapping are two primary functions of User-ID.  Group mapping associates groups with their user members and user-IP (or IP-user) mapping associates IP addresses to users.

The attached document covers troubleshooting tips for common User-ID configuration issues around group mapping and user-IP mapping. The document covers issues such as:

  • Group mapping not pulled from AD/LDAP
  • No user-to-IP mappings present from User-ID agent
  • No user-to-IP mappings present from captive portal
  • IP mappings are created but disappear too soon
  • Incorrect IP mapping for some users with User-ID agent or agentless User-ID
  • Unknown or no users in traffic logs
  • Increased traffic chatter/congestion

A section at the end of the document describes some commonly used CLI commands for User-ID.

Also, links to useful articles in the Palo Alto Networks Support Knowledge Base are provided throughout the document.

owner: sjamaluddin, jteetsel

Comments

Clear and precise description of User ID and what it does and, most importantly, the resources it consumes in operation. Also, helpful considerations about how to manage resource consumption. Worth reading if you're implementing User-ID.

Great consolidated resource for excellent commands and procedures centered around verifying/trouble-shooting user-id

Brilliant! I totaly missed the point turning on user identification for a new network. Spend half an hour understanding what's a difference between old and new users. Thx, sjamaluddin