I'm using the PAN agent with AD to identify users, and I noticed that when users change their IP addresses (going on Wi-Fi or VPN...) the agent is not able to establish the new mapping. Is there any solution to this issue? Is there any evolution of the agent in the 3.1 version of PAN-OS? And if there will be some solutions, will they work for Linux users?
Thank you in advance.
When users use VPN or Wi-Fi, there is actually a RADIUS request made to AD rather than a logon event that the Palo Alto User-ID logs. That is why the User-ID does not pick up the change. Currently there isn't a future plan for this. Also, currently the only solution we have for Linux users is captive portal. In 3.1, there may be a plan for a static mapping on the Palo Alto device for non-AD users.
In our network, we could have a similar problem. We have users in Active Directory, but the access method could be different. That means that one user could be logged in on his corporate PC with an IP address (internal) at 9:00 a.m. and after this, could be logged in from his tablet PC or a PDA via UMTS with another IP at 11:00 a.m.
The user in A.D. will be the same, but the associated IP will be different and the PanAgent should be capable of detecting this change.
Is this your issue?
Not exactly. When the user logs in from different locations, he is always seen by the agent. My issue is when the user disconnects his PC from the network without losing his Windows session and reconnects from another location (different subnet, Wi-Fi or VPN...). Because this kind of action doesn't require an AD login to function, the new user-IP mapping is not detected by the agent. So I'm trying to find a solution, maybe an AD event or a connection which triggers the mapping establishment on the agent.