We have a new PA-3020 running version 6, and I'm using our old Windows User-ID agent running version 5 that is currently operational in our environment. I've configured the PA-3020 to connect to the User-ID agent, but I'm having an authentication issue.
PAN-3020> show user user-id-agent state all
Agent: ad-agent(vsys: vsys1) Host: 10.2.2.2 (10.2.2.2):5007
Status : conn:idle
Version : 0x5
num of connection tried : 4
num of connection succeeded : 2
num of connection failed : 2
num of status msgs rcvd : 192179
num of request of status msgs sent : 192191
num of request of ip mapping msgs sent : 2013
num of request of new ip mapping msgs sent : 0
num of request of all ip mapping msgs sent : 292
num of user ip mapping msgs rcvd : 0
num of ip msgs rcvd but failed to proc : 0
num of user ip mapping add entries rcvd : 0
num of user ip mapping del entries rcvd : 0
num of request of group msgs sent : 0
num of group msgs rcvd : 0
num of group msgs recvd buf fail to proc : 0
num of xml data msgs rcvd : 0
num of xml data msgs rcvd but failed to proc : 0
Last heard(seconds ago) : 3
Job ID : 0
Sent messages : 210810
Rcvd messages : 207229
Lost messages : 0
Failed to send messages : 0
Queued sending msgs with priority 0 : 0
Queued sending msgs with priority 1 : 0
Queued rcvring msgs with priority 0 : 0
Queued rcvring msgs with priority 1 : 0
PAN-3020> show user user-id-agent statistics
Name       Host       Port  Vsys   State      Ver  Usage
ad-agent   10.2.2.2   5007  vsys1  conn:idle  5    P N
Usage: 'P': LDAP Proxy, 'N': NTLM AUTH, '*' Currently Used
The error that I get is an authentication failure, and it says the user is not in the allow list even though I've configured the groups based on LDAP group mapping.
Has anyone encountered this issue?
The User-ID agent is independent of the PAN-OS version, with the only restriction being that you run at least User-ID 3.1.0. However, we recommend that you run the latest User-ID version in your environment for now.
If you see an authentication failure with the reason "user is not in allow list":
- Try using a domain name in the LDAP server profile; use the NetBIOS domain name under the Domain field of the LDAP server profile.
- If the group is in question, please run this CLI command to show that the users are part of the group:
> show user group name <name>
If the users are part of the group read, the group is referenced in the drop-down for the Authentication Profile, and the user still fails authentication, please set the allow list to "all" and test authentication again.
We found that the issue was the Active Directory not being configured to send security logs to the firewall, which caused User-ID not to work in version 6. The old box that we're using is running version 5, and the User-ID agent is running on Windows 2003, which is not compatible with the way PA version 6 handles security logs from Active Directory (AD).
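As an added example (not from the thread above or from Palo Alto Networks), here is a small Python health check that parses the `show user user-id-agent state all` output posted at the top and flags the counter pattern that matches the resolution: heartbeats are flowing (status messages received, last heard 3 seconds ago) but zero user-IP mapping messages have arrived, so the agent is connected yet has nothing to send because it is not reading the AD security logs. The sample text is copied from the post; the finding codes, the 60-second staleness threshold and the parsing approach are my own assumptions.

```python
"""Health check for PAN-OS `show user user-id-agent state all` output.

Added example, not code from the thread or from Palo Alto Networks.
The finding codes and thresholds below are assumptions for illustration.
"""
import re

# Constructed sample: the counters copied from the original post (abridged).
SAMPLE_STATE = """\
Agent: ad-agent(vsys: vsys1) Host: 10.2.2.2 (10.2.2.2):5007
Status : conn:idle
Version : 0x5
num of connection tried : 4
num of connection succeeded : 2
num of connection failed : 2
num of status msgs rcvd : 192179
num of request of status msgs sent : 192191
num of request of ip mapping msgs sent : 2013
num of request of new ip mapping msgs sent : 0
num of request of all ip mapping msgs sent : 292
num of user ip mapping msgs rcvd : 0
num of ip msgs rcvd but failed to proc : 0
num of user ip mapping add entries rcvd : 0
num of user ip mapping del entries rcvd : 0
num of request of group msgs sent : 0
num of group msgs rcvd : 0
num of group msgs recvd buf fail to proc : 0
Last heard(seconds ago) : 3
Lost messages : 0
Failed to send messages : 0
"""

# Header line: "Agent: <name>(vsys: <vsys>) Host: <host> (<ip>):<port>"
AGENT_RE = re.compile(
    r"Agent:\s*(?P<agent>[^(]+)\(vsys:\s*(?P<vsys>[^)]+)\)\s+"
    r"Host:\s*(?P<hostname>\S+)\s+\((?P<ip>[^)]+)\):(?P<port>\d+)"
)


def parse_agent_state(text):
    """Return a dict with agent identity, status, and a 'counters' sub-dict."""
    state = {"counters": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = AGENT_RE.match(line)
        if m:
            state.update(m.groupdict())
            state["agent"] = state["agent"].strip()
            state["port"] = int(state["port"])
            continue
        key, sep, value = line.partition(":")  # first colon only: "Status : conn:idle"
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        try:
            state["counters"][key] = int(value, 0)  # base 0 also accepts "0x5"
        except ValueError:
            state[key.lower()] = value  # non-numeric fields, e.g. status
    return state


def diagnose(state, stale_after=60):
    """Return a list of (code, message) findings; empty means nothing to flag."""
    c = state["counters"]
    status = state.get("status", "")
    connected = status.startswith("conn:")
    findings = []
    if not connected:
        findings.append(("NOT_CONNECTED",
                         f"status is {status!r}; check reachability of "
                         f"{state.get('ip')}:{state.get('port')} and the agent service"))
    if c.get("num of connection failed", 0):
        findings.append(("CONNECT_FAILURES",
                         f"{c['num of connection failed']} of "
                         f"{c.get('num of connection tried', '?')} connection attempts failed"))
    if c.get("num of ip msgs rcvd but failed to proc", 0) or \
            c.get("num of group msgs recvd buf fail to proc", 0):
        findings.append(("PROC_FAILURES",
                         "messages were received but could not be processed; "
                         "check agent/firewall version compatibility"))
    if c.get("Last heard(seconds ago)", 0) > stale_after:
        findings.append(("STALE", "no heartbeat from the agent within the threshold"))
    # The pattern from this thread: heartbeats are fine but no mappings ever arrive.
    if connected and c.get("num of status msgs rcvd", 0) \
            and c.get("num of user ip mapping msgs rcvd", 0) == 0:
        findings.append(("NO_MAPPINGS",
                         "agent is connected and answering status requests but has sent "
                         "no user-IP mapping messages; verify it is reading the AD "
                         "security event log and actually has mappings to send"))
    return findings


if __name__ == "__main__":
    parsed = parse_agent_state(SAMPLE_STATE)
    for code, msg in diagnose(parsed):
        print(f"[{code}] {msg}")
```

Run against the output in the post, the check flags the two failed connection attempts and, more usefully, `NO_MAPPINGS`: the firewall has asked for IP mappings 2013 times and received none, which is the symptom to chase before touching allow lists or group mapping.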