We recently installed two 3020s in active-passive and connected them to our LDAP. We see some users are mapping, but not all.
Is there a way for unknown users to authenticate to the Palo Alto so they are given the correct policy? This was a very simple procedure in our previous Lightspeed filter.
A local user agent would be ideal!
are the userID agents connected to every DC or do you only have one? It could be possible that some user are authenticated on a DC which is not monitored from your userID agents. If the users are not mapped and userID is activated for the zone the agents will try to resolve the user with WMI requests. If this doesn't work you can activate captive portal so every connection with an unkown user will have to authenticate through captive portal.
If you want to use the Gobal Protect Client it's free if you only use one portal and external gateway.
If you don't want to install Global Protect, you could configure captive portal to kick in for unknown users.
Overview and procedure:
Minor updates in PAN-OS 5:
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!