error user in group mapping

L4 Transporter


Hello, 

 

After upgrading 8.1.X > 9.0.X > 9.1.x, we found that some LDAP users do not check per-user policies, only IP policies.

 
The firewall has no User-ID agent configured, only the LDAP tree server.

We checked that the firewall recognizes the LDAP tree.
 
Is there any issue of incompatibility with the version?
 
Thanks. 
Cyber Elite

@jesuscano ,

Can you describe your issue a bit more? I'm not sure exactly what you mean by "some LDAP users do not check per-user policies, only IP policies". Are you trying to get these users to match user-based rulebase entries?

L4 Transporter

Hi,

I'll explain the problem in more detail. After performing a firmware update from 8.1.X to 9.1.X, we found the following problem.

From a PC we authenticate by LDAP with the user "cafeteria", and we observe in the monitor that the traffic matches by IP and not by user, which causes it not to match the policies configured by user, and this traffic is dropped.

From the same PC, we try with another user, "egonzalez", who authenticates correctly, and we verify in the monitor that it registers by user.

They do not have a User-ID agent configured, LDAP only, with all group mapping.

 

Is there a bug with the version?

 

Thanks.

L4 Transporter

Hi @jesuscano,

 

What do you mean by "From a PC we authenticate by ldap with the user"?

 

Group mapping provides information about user group membership (which users are part of a specific user group). This information is used if you want to use user groups (not individual users) in the configuration.

 

The firewall still needs information for the actual user-to-IP mapping. What method are you using to gather this information? If you don't use a User-ID agent, are you using Captive Portal with Authentication Policy?

Cyber Elite

Hello,

Might want to search the release notes; however, I have not seen this before. How are your User-IDs getting processed, i.e. pointing at Domain Controllers, Exchange, etc.? When the firewalls reboot, the User-ID mappings get flushed if using agentless. So if User-ID doesn't see a new login, it will not show the mapping. I have seen this a lot and hence I use Exchange logs rather than domain controllers, since Outlook is constantly authenticating against the Exchange servers.

 

Regards,
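To make the distinction in the two replies above concrete (group mapping answers "which group is this user in", while the user-to-IP mapping answers "which user is behind this address", and agentless mappings are lost on reboot), here is a small model of how a rulebase with user-based rules behaves in each case. This is an added illustration written for this thread, not PAN-OS code or anything from Palo Alto Networks. The group mapping, rulebase, addresses and user names are constructed, and the "user learned under a domain that is absent from the group-mapping tree" case is an assumption used to show what the thread's log line ("domain xxxx does not exist in group-mapping") means for policy matching; the thread itself does not say why that domain was unknown.

```python
"""Toy model of user-based policy evaluation with group mapping and a
user-to-IP mapping table.  Constructed illustration, not PAN-OS code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed group mapping, as an LDAP tree would supply it: group -> members.
GROUP_MAPPING = {
    "corp\\staff": frozenset({"corp\\egonzalez", "corp\\cafeteria"}),
}


@dataclass(frozen=True)
class Rule:
    name: str
    src_nets: Optional[tuple]   # None means any source address
    users: Optional[frozenset]  # None means any user; entries are users or groups
    action: str


# Constructed rulebase: a group-based rule first, then an address-only rule.
RULES = [
    Rule("allow-staff", None, frozenset({"corp\\staff"}), "allow"),
    Rule("allow-lab-net", ("10.0.0.0/24",), None, "allow"),
]


class Firewall:
    def __init__(self, rules, group_mapping):
        self.rules = rules
        self.group_mapping = group_mapping
        self.ip_user = {}   # user-to-IP mapping, learned from logon events
        self.events = []    # diagnostics, in the spirit of the User-ID log

    def learn_logon(self, ip, user):
        self.ip_user[ip] = user

    def reboot(self):
        # Agentless mappings live only in memory: after a reboot the table is
        # empty until new logon events are read again.
        self.ip_user.clear()

    def known_domains(self):
        return {m.split("\\", 1)[0]
                for members in self.group_mapping.values() for m in members}

    def user_matches(self, user, criteria):
        if user is None:
            return False  # no mapping for this IP: user criteria cannot match
        domain = user.split("\\", 1)[0]
        if domain not in self.known_domains():
            # The mapped user cannot be resolved to any group from this tree.
            self.events.append(f"domain {domain} does not exist in group-mapping")
        return any(c == user or user in self.group_mapping.get(c, ())
                   for c in criteria)

    def match(self, src_ip):
        """Return (rule name, action, mapped user) for the first matching rule."""
        addr = ipaddress.ip_address(src_ip)
        user = self.ip_user.get(src_ip)
        for rule in self.rules:
            if rule.src_nets is not None and not any(
                    addr in ipaddress.ip_network(n) for n in rule.src_nets):
                continue
            if rule.users is not None and not self.user_matches(user, rule.users):
                continue
            return rule.name, rule.action, user
        return "default", "deny", user


def run_scenario():
    """Walk through the situations the thread describes."""
    fw = Firewall(RULES, GROUP_MAPPING)
    out = {}
    fw.learn_logon("10.0.0.5", "corp\\egonzalez")
    out["mapped_staff"] = fw.match("10.0.0.5")            # group rule hits
    fw.learn_logon("10.0.0.5", "otherdom\\cafeteria")     # constructed: domain not in tree
    out["unknown_domain"] = fw.match("10.0.0.5")          # falls through to the IP rule
    fw.reboot()
    out["after_reboot"] = fw.match("10.0.0.5")            # no mapping at all: IP rule
    out["after_reboot_offnet"] = fw.match("192.168.1.9")  # nothing left to match
    out["events"] = list(fw.events)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

Running it shows the two ways traffic ends up "matching by IP": either the user is mapped but cannot be resolved against the group-mapping tree (the diagnostic line is recorded), or there is no user-to-IP mapping for the address at all, which is what an agentless firewall looks like right after a reboot until fresh logon events arrive.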

L4 Transporter

Hi Alexander, 

 

Let me explain. In the monitor we observe that sometimes the user's match is observed and other times that of their IP. We have seen the following log when this happens: "domain xxxx does not exist in group-mapping"

 

Currently the firewall has agentless user identification configured. The problem appeared with the upgrade to 9.1.5.

 

Thanks.

L4 Transporter


hello, 

 

Exactly, that is the problem. The problem appeared with the reboot during the upgrade to 9.1.5.
The firewall has agentless user identification configured. Do you recommend that I change the server type configuration from Microsoft Active Directory to Microsoft Exchange?

 

Thanks.
