12-24-2012 08:45 AM
Hi,
I am playing with my little PA-200 and wanted to try user based policies. I added a couple of users to the local user database and grouped them into user groups. Now when I create a new policy (or modify an existing one), the source-user field stays empty, my users don't show up so I can't add them. Even when I start typing (for autocomplete) I don't get any results.
Captive Portal, auth profile etc. are all configured as per documentation, and the interface is configured for UserID.
What am I missing here?
Thanks
Sascha
12-24-2012 09:58 AM
HI Sascha,
I can replicate the same but i believe/confirmed that you can manually type the local users/groups in the policy and it works fine. One important thing to note is you can use these local user db only for ssl vpn users and captive port users.
Thank you.
Subijith Raghunandan.
12-24-2012 10:36 AM
Hi,
thanks. But I can't confirm this. I type in the full user/group name but it still doesn't work (I am using captive portal for this). By the way, this is PanOS 5.0.
Sascha
12-24-2012 10:41 AM
Hi Sascha,
Can you try with users only and the authentication profile for CP has local db selected right.
Thank you,
Subijith Raghunandan.
12-24-2012 10:45 AM
It has local DB selected. I tried with users only, but to no avail. If enabled with a typed in user and generate traffic, I don't get a captive portal page and traffic is denied (confirmed via traffic log).
12-24-2012 10:53 AM
Hi Sascha,
Firstly the local db users can be used only after you get the captive portal page (once you get the cp page enter the username that when we get the user to ip mapping ) i.e once the auth is successful that when you can have the policies using the local db users.So i would suggest you to have a sec policy allowing unknown users under the user field select unknown or leave it to any and set the application to web browsing,dns. Then you can have a policy below it with the local user specified and then regulate it accordingly.
Thank you.
Subijith Raghunandan.
12-24-2012 12:18 PM
Looks like we're getting closer 
So why two policies? Can't I put this in one policy? Destination server is HTTP, but operates on port 10001.
Thanks
Sascha
12-24-2012 12:52 PM
Hello Sascha,
The user is not identified until and unless we have him login to the cp page so in order to get there we need a policy allowing it, and later on once we are identified (ie user to mapping is formed) then the second rules comes in to play.
We always look at the ip of the incoming traffic first and then look to see if there is a mapping for it.
The second policy with the user in can have the dest set to the http server and the port 10001.
Thank you.
Subijith Raghunandan.
12-24-2012 01:04 PM
Thanks. I am still puzzeled by the first policy you mention. My understanding was that the captive portal is transparent. So if I set up a rule that requires a user to authenticate, shouldn't captive portal page show up transparently and thus only one policy necessary?
Anyways... so the first policy is set to unknown user to get the captive portal page to show up. But what do I allow in the first rule and to which destination? If my actual matching rule is supposed to be the second one, what do I put in the first? Sorry, but this kind of evades my logic :smileygrin:
Cheers
Sascha
12-24-2012 01:10 PM
Hello Sascha,
The traffic flow is as follows :-
Broswer--type in an url--the traffic hits the pa (at this moment the user is not known to the fw ) it looks at the dest ip and its relevant zone. so first and foremost we need a policy to allow this, once this is allowed the traffic hits the cp policy and the page shows up.
Thank you.
Subijith Raghunandan.
12-24-2012 01:33 PM
Ok, say I have two rules:
1. src: any, src-user: unknown, dst: webserver-a, app:web-browsing
2. src: any, src-user: my_users, dst: webserver-a, app:web-browsing, port 10001
Now the first thing the user does is open http://webserver-a:10001
In that case, the first rule would not match and he would never see CP. Did I get that right? If so, the user always has to do something first that is allowed by another rule (in this case rule nr. 1) to be able to trigger CP?
Confusing. Or I still don't get it.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
