Dual NIC - IP Mapping Issue

Cyber Elite

This appears to happen at random to a random subset of users.

Environment:

> 160 AD DCs

4x UIAs (2 - 80 DCs / 2 - other 80 DCs)

Assume:

All possible DCs that a user would authenticate to are being monitored by the agents.

Scenario:

Users with laptops come into work in the morning, dock, and start their computers up. Their computers (Win7) have both a wired and a wireless connection. While docked, the users log into the domain for the first time. Once they've logged in, they open up a web browser and are presented with the Palo authentication pop-up.

I look through the UIA logs and the agents see the wired IP-to-user mapping but no wireless IP mapping. I have the user turn their wireless off and re-open their browser, and the auth pop-up doesn't happen. I have them turn wireless back on, un-dock, log off, then log back in via only their wireless connection. They successfully log in, open a web browser and do not get the authentication pop-up box.

Can anyone explain why the PC/DC wouldn't log both IP/user IDs? Also of note, this doesn't happen to everyone, just to random people, some more frequently than others. Is there some setting within the AD environment that needs to be set?

L5 Sessionator

Hi,

IP-to-user mapping is based on security logs, so if the session is opened through the wire, the user is linked to the wired IP.

After that, you will need to configure WMI. With WMI, Palo will make some requests (a lot :-( ) to try to see if something changed on known laptops.

Or you can try to configure captive portal with NTLM authentication (if your users are Windows based).

V.

Cyber Elite

I had WMI enabled previously, but had a bunch of error logs. I don't remember specifically, but I was told by TAC/SE not to use WMI, so that's been disabled. I've gone ahead and enabled it on 2 of the 4. We'll see what happens there.

We've got NTLM/CP enabled but we're doing CP in transparent mode so we should never actually see a true CP auth.

Hopefully the WMI query fixes the pop-ups.

Cyber Elite

So with WMI on it doesn't appear to resolve the auth pop-up issue.

L0 Member

> Can anyone explain why the PC/DC wouldn't log both IP/user IDs? Also of note, this doesn't happen to everyone, just to random people, some more frequently than others. Is there some setting within the AD environment that needs to be set?

I'm having the same problem. We've got a Cisco controller using enterprise authentication via RADIUS against our DCs. When I look at the DC security logs for the wireless users I can see that there is no source IP in the log, like there is from a wired user. I'm thinking that's the problem.

So I assume I'm either going to have to figure out how to get the controller to pass along the IP with the RADIUS auth (if that's even possible) or configure the controller to send login events via syslog to the agent directly.

I'll be interested to hear if you get that working!

Cyber Elite

Not sure who marked this as a solution, but it's not. (As evidenced by my posts indicating so.)

L4 Transporter

Could be a lot of things:

You need to check if their logins are generating security logs in the monitored AD servers*. Also make sure you're monitoring all your AD servers, and verify network connectivity between the wireless networks and your AD servers. If you're using DHCP in your AP, make sure you're sending the correct DNS server and domain name (if the machines can't locate any AD, they'll use their locally cached password).

Workarounds:

If your wireless AP is authenticating users, you can try to configure it as a syslog sender.

And you can also deploy GlobalProtect to auth internal users using an internal gateway (without an extra license starting from PAN-OS 7.0).

Also, it's recommended to enable the 'redirect' mode in the CP, so if you're in vWire you can use a loopback interface.

*The Agent looks for any of the following Microsoft event IDs:

On Windows 2003 DCs:
• 540 (Network Log On)
• 672 (Authentication Ticket Granted, which occurs at the logon moment)
• 673 (Service Ticket Granted)
• 674 (Ticket Granted Renewed, which may happen several times during the logon session)

On Windows 2008 DCs:
• 4624 (Account Log On)
• 4768 (Authentication Ticket Granted)
• 4769 (Service Ticket Granted)
• 4770 (Ticket Granted Renewed)

Regards,

Gerardo

L4 Transporter

We also had some experience with that.

Clients were connected on both networks, and the client was sending Kerberos tickets with the wrong IP but using the other interface for traffic. To solve that issue we set our laptops to disable WLAN when connected to wire/docking station.

Cyber Elite

One of our desktop guys suggested this as well. Though this doesn't actually solve the problem, it might be a solution. One thing I can't quite think through is how it would solve the problem. Wouldn't the client still get the auth pop-up, since they're merely undocking and not actually generating the required DC event IDs?

L4 Transporter

The thing is:

The User-ID agent is reading Kerberos (authentication) ticket logs on the DC/AD generated by every client. If the client has two NICs connected, it could happen (as explained) that the generated Kerberos ticket includes the wrong IP of the client. But the client is using the other NIC for communication --> Fail, because the user is unknown to the PA.

If only one NIC is connected, the client is sending Kerberos (authentication) tickets only from this IP. So User-ID will for sure get the correct IP-user mapping.

Just try it out.
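To make the failure mode described in this thread concrete, here is an added Python example (not from the thread, and not Palo Alto Networks' own code) that builds an IP-to-user mapping from constructed, simplified logon events using the event IDs listed in Gerardo's post, then checks which of a dual-NIC laptop's addresses would be unknown to the firewall. The event lines, usernames, addresses and the key=value line format are all constructed assumptions, not real Windows Security log output.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample events in a simplified "key=value" form (assumption: real
# DC logs are XML/EVTX, but the fields used here exist in 4624/4768/4769).
SAMPLE_EVENTS = [
    "EventID=4768 TargetUserName=jdoe IpAddress=::ffff:10.10.1.50",  # TGT, wired NIC
    "EventID=4624 TargetUserName=jdoe IpAddress=10.10.1.50 LogonType=3",
    "EventID=4769 TargetUserName=jdoe IpAddress=10.10.1.50",
    "EventID=4624 TargetUserName=asmith IpAddress=10.20.5.8 LogonType=3",
    "EventID=4624 TargetUserName=bwong IpAddress=- LogonType=3",  # RADIUS-style, no IP
    "EventID=4634 TargetUserName=jdoe IpAddress=10.10.1.50",  # logoff, ignored
]

# Event IDs from the thread: 2003 DCs (540/672/673/674), 2008 DCs (4624/4768/4769/4770).
LOGON_EVENT_IDS = {"540", "672", "673", "674", "4624", "4768", "4769", "4770"}
_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed event line into a field dictionary."""
    return dict(_FIELD.findall(line))


def build_ip_user_map(lines: Iterable[str]) -> Dict[str, str]:
    """Mimic the agent: every logon event with a usable client IP yields IP -> user."""
    mapping: Dict[str, str] = {}
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") not in LOGON_EVENT_IDS:
            continue
        ip = ev.get("IpAddress", "-").removeprefix("::ffff:")  # normalise v4-mapped v6
        if ip in ("-", "", "::1", "127.0.0.1"):
            continue  # event carries no client address (e.g. RADIUS via the controller)
        mapping[ip] = ev["TargetUserName"]
    return mapping


def lookup_user(mapping: Dict[str, str], src_ip: str) -> Optional[str]:
    """What the firewall knows about a flow's source; None means 'unknown user'."""
    return mapping.get(src_ip)


def unmapped_ips_for_user(mapping: Dict[str, str], user: str, ips: List[str]) -> List[str]:
    """Addresses of a multi-NIC host from which this user's traffic would be unknown."""
    return [ip for ip in ips if mapping.get(ip) != user]


if __name__ == "__main__":
    m = build_ip_user_map(SAMPLE_EVENTS)
    # jdoe authenticated over the wired NIC only; the wireless NIC has no mapping.
    print(unmapped_ips_for_user(m, "jdoe", ["10.10.1.50", "10.10.2.77"]))
```

Running the check against real exported DC events for an affected user will show whether the wireless address ever appears in a logon event; if it never does, no amount of agent tuning will map it, and the remedies in this thread (single active NIC, syslog from the wireless controller, or GlobalProtect internal gateway) are the options.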
