11-07-2018 08:20 AM
We have a PA-3050. I have set up LDAP auth and it is working fine; however, I have a question/concern. Yesterday we had a user offsite who needed VPN access. He was not in the AD group initially, so I added him to the AD group and sent him instructions on how to download the agent. When he tried to sign in, it would not allow him; ten or so mins passed and it finally authenticated him and he was able to download the agent and get on VPN.
Is there some sort of sync time I can change? My understanding is that it checks local users then passes off to the LDAP profile, so why would it take ten mins?
11-07-2018 08:26 AM
group membership is not dynamic, the Palo checks every 20 mins or so...
you can force the update of group membership with the following command...
debug user-id refresh group mapping all
or replace "all" with the group name to update just one group (CN= etc)
11-07-2018 08:27 AM
Is there any way to change that? Sometimes last-minute things happen, and sure, we can force it, but ideally taking the refresh down to around 2 mins or so would work way better.
11-07-2018 08:33 AM
Sure..
device\user identification\group mapping settings.
open your group mapping and modify update interval on top right hand corner...
default is actually 3600 seconds (1 hour)
not sure why I calculated that for you...
11-07-2018 08:34 AM
just bear in mind overheads... with some 15k userbase we probably won't be reducing it...
11-07-2018 09:39 AM
Yeah, I saw it right after I hit submit, thanks for following up.