Implementing User Identification via AD


Hi everybody,

I'm trying to implement user identification via Active Directory on a PA-200. I've added the AD server under Device -> LDAP and added group mapping under Device -> User Identification. Now I guess I need to install the User-ID agent on a local machine, but I can't find a download link for this app.

Is it possible to implement user identification without this user-id agent?

Can anyone provide a simple guide for this whole process? I'm using a few documents but wasn't able to find a single document that explains this procedure from start to end with a simple example.

Regards,

Damir


Re: Implementing User Identification via AD


Hi Damir

I'm not much help, as I'm trying to figure this out too. But I did find the User-ID Agent software here:

Palo Alto Networks (support portal download)


Re: Implementing User Identification via AD

Damir,

You need the agent to get IP-to-user mapping. You can download the agent from the support portal:

Palo Alto Networks (support portal download)

This document walks you through the installation procedure for the PANOS 4.1.

https://live.paloaltonetworks.com/docs/DOC-2132

Thanks,

Sri


Re: Implementing User Identification via AD

Don't forget to enable user identification on your trusted zone. I missed that tick box, and spent over an hour trying to figure out why it wasn't working.


Re: Implementing User Identification via AD

Thanks Shaun, I'll try it with this guide, it's actually what I was looking for...


Re: Implementing User Identification via AD

OK, this was the first step, now I need to configure the User-ID Agent and PA Firewall.

I have configured a User-ID agent under Device -> User Identification -> User-ID Agents, but its Connected status is red. And yes, I have enabled user identification on the trusted zone.

Another interesting thing is that I can't see any logs on the User-ID Agent. I see all users that are active on the network under the Monitoring option, but no logs.

Solution:

It looks like I forgot to add the PA-200 to the list of allowed devices to access the User-ID agent. Now it works fine as far as I can see.

Regards,

Damir

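The two failure modes in this thread (the firewall missing from the agent's allowed-devices list, and mappings only existing for users the agent has actually seen log on) are easy to reason about with a small model. The following is an added example, not Palo Alto Networks code: a toy User-ID agent that learns IP-to-user mappings from constructed, simplified logon-event lines, expires them after a timeout, and refuses queries from any firewall address that is not on its allowed list. The log line format, the addresses, the account names and the 2700-second (45-minute) timeout are all assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Regex for the constructed, simplified log line format used below.
# Assumption: real domain-controller security-log events carry these
# fields in a different layout; only the idea (event id, account, source IP)
# is modelled here.
LOGON_RE = re.compile(
    r"EventID=(?P<event_id>\d+)\s+Account=(?P<domain>[^\\\s]+)\\(?P<user>\S+)\s+SourceIP=(?P<ip>[\d.]+)"
)

# Constructed sample lines: two successful logons (4624) and one failed logon (4625).
SAMPLE_EVENTS = [
    "EventID=4624 Account=CORP\\damir SourceIP=10.0.1.25",
    "EventID=4624 Account=CORP\\shaun SourceIP=10.0.1.40",
    "EventID=4625 Account=CORP\\mallory SourceIP=10.0.1.99",
]


@dataclass
class Mapping:
    user: str
    learned_at: float  # seconds, supplied by the caller so the example is deterministic


class UserIdAgent:
    """Minimal model of the agent: learns ip -> user from successful logon events
    and answers only firewalls on allowed_devices (the list the thread's fix adds
    the PA-200 to)."""

    def __init__(self, allowed_devices, timeout_s=2700):
        # Assumption: 2700 s mirrors a 45-minute mapping timeout; adjust as needed.
        self.allowed = {ipaddress.ip_address(a) for a in allowed_devices}
        self.timeout_s = timeout_s
        self.mappings = {}

    def ingest(self, line, now):
        """Record a mapping for a successful logon (4624); ignore everything else."""
        m = LOGON_RE.match(line)
        if m is None or m["event_id"] != "4624":
            return None
        ip = ipaddress.ip_address(m["ip"])
        user = f"{m['domain']}\\{m['user']}".lower()
        self.mappings[ip] = Mapping(user, now)
        return user

    def lookup(self, requester, ip, now):
        """Answer a firewall's query; unknown requesters are rejected outright,
        which is the 'Connected status red' symptom from the thread."""
        if ipaddress.ip_address(requester) not in self.allowed:
            raise PermissionError(f"{requester} is not in the agent's allowed device list")
        entry = self.mappings.get(ipaddress.ip_address(ip))
        if entry is None or now - entry.learned_at > self.timeout_s:
            return None  # never seen, or mapping has aged out
        return entry.user


def demo():
    """Build an agent that trusts the constructed firewall address 10.0.0.1."""
    agent = UserIdAgent(allowed_devices=["10.0.0.1"], timeout_s=2700)
    for line in SAMPLE_EVENTS:
        agent.ingest(line, now=1000.0)
    return agent


if __name__ == "__main__":
    agent = demo()
    print(agent.lookup("10.0.0.1", "10.0.1.25", now=1100.0))
```

The failed logon never produces a mapping, so 10.0.1.99 stays unknown to the firewall; the expiry check is why a user who has been idle longer than the timeout shows up as unmapped until a fresh logon event is seen.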


Re: Implementing User Identification via AD

THIS ^. I did not know that checkbox was there under the zone config. Would have been here all day...
