After upgrading from 8.1.X > 9.0.X > 9.1.x, we found that some LDAP users do not check per-user policies, only IP policies.
Let me explain the problem in more detail. After performing a firmware update from 8.1.X to 9.1.X, we found the following problem.
From a PC we authenticate via LDAP with the user "cafeteria"; we observe in the monitor that the traffic matches by IP and not by user, which means it does not match the policies configured per user, and this traffic is dropped.
From the same PC, we try with another user, "egonzalez", who authenticates correctly, and we verify in the monitor that it registers by user.
They do not have a User-ID agent configured. LDAP only, with all group mapping.
Is there a bug with the version?
What do you mean by "From a PC we authenticate by ldap with the user"?
Group mapping provides information about user group membership (which users are part of a specific user group). This information is used if you want to use user groups (not individual users) in configuration.
The firewall still needs the information for the actual user-to-IP mapping, though? What method are you using to gather this information? If you don't use the User-ID agent, are you using Captive Portal with an Authentication policy?
Might want to search the release notes; however, I have not seen this before. How are your User-IDs getting processed, i.e. pointing at Domain Controllers, Exchange, etc.? When the firewalls reboot, the User-ID mappings get flushed if using agentless. So if User-ID doesn't see a new login, it will not show the mapping. I have seen this a lot, and hence I use Exchange logs rather than domain controllers, since Outlook is constantly authenticating against the Exchange servers.
Let me explain: in the monitor we observe that sometimes the user's match is shown and other times that of their IP. We have seen the following log when this happens: domain xxxx does not exist in group-mapping
Currently the firewall has agentless user identification configured. The problem appeared with the upgrade to 9.1.5.
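The mechanism the replies describe, as an added example that is not code from this thread or from Palo Alto Networks: a constructed model in which LDAP group mapping supplies user-to-group membership, but a user- or group-based rule can only match a session once the source IP has a user-to-IP mapping; with no mapping, the "cafeteria" session falls through to the IP-based rule, which is the behaviour reported above. The users, groups, IPs and rule names are assumed for illustration.

```python
# Added, constructed model of rule evaluation on a firewall that has LDAP group
# mapping but an incomplete user-to-IP mapping. Not PAN-OS code; users, groups,
# IPs and rule names are made up for illustration.
from dataclasses import dataclass, field

# LDAP group mapping: user -> groups. On its own it says nothing about which IP a user is on.
GROUP_MAPPING = {"egonzalez": {"staff"}, "cafeteria": {"cafeteria-users"}}

@dataclass
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    src_ips: set = field(default_factory=set)     # empty = any source IP
    src_users: set = field(default_factory=set)   # empty = any; user or group names

def rule_matches(rule, ip, user):
    """A user/group rule can only match when the source IP has a user mapping."""
    if rule.src_ips and ip not in rule.src_ips:
        return False
    if rule.src_users:
        if user is None:          # IP never mapped (or mapping flushed, e.g. after reboot)
            return False
        identities = {user} | GROUP_MAPPING.get(user, set())
        if not identities & rule.src_users:
            return False
    return True

def evaluate(ip, rules, ip_user_mapping):
    """Return (rule name, action, user seen) for the first rule that matches."""
    user = ip_user_mapping.get(ip)   # populated by User-ID agent/agentless/captive portal
    for rule in rules:
        if rule_matches(rule, ip, user):
            return rule.name, rule.action, user
    return "implicit-deny", "deny", user

RULES = [
    Rule("allow-staff", "allow", src_users={"staff"}),
    Rule("allow-cafeteria", "allow", src_users={"cafeteria-users"}),
    Rule("deny-lan", "deny", src_ips={"10.0.0.10"}),   # IP-only rule, hit when user is unknown
]

if __name__ == "__main__":
    pc = "10.0.0.10"
    for mapping in ({pc: "egonzalez"}, {}, {pc: "cafeteria"}):
        print(mapping, "->", evaluate(pc, RULES, mapping))
```

The middle case (empty mapping) is the symptom from the thread: the same PC, with the session seen only by IP, lands on the IP-based deny rule even though a rule for the user's group exists.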