11-06-2012 11:10 AM
I opened a case in this regard, but in the meantime I would like to know if anyone has the same problem as me.
- I'm using version 4.1.8 of PA, on the PA-2050 appliance.
- User-ID agent v.4.1.4.3 is used for authenticating users.
- Windows AD, on Server 2008, for LDAP.
I regularly lose the link between a user and the group associated with that user.
Result: I have several rules that give special access, for example, social networks or personal web storage. At the beginning, when creating the rule, it works, but after about a week they stop working.
The user is authenticated; in the "MONITOR" tab I can see the user in the USER column. But I still see the wrong rule being applied to that person. It is the last rule that is applied, which provides access to the Internet by default.
When this happens, here's what I see in the CLI:
- show user group name domain\group-1
[1] domain\user01
[2] domain\user02
Then I ask for the groups that are associated with the user "user02" and I get no group.
show user user-IDs match-user domain\user02:
User Name VSYS Groups
-------------------------------------------------- ----------------
When it works, the CLI command "show user user-IDs match-user" returns the right groups associated with the user.
11-07-2012 06:36 AM
Hi Dennis,
How are you doing?
This has been a known issue on 4.1.8. Engineering worked on it and proposed a fix in 4.1.9. If you see this problem on 4.1.8, what you can do is go to user identification, delete the group-mapping and do a commit, then re-add the group-mapping and commit again, and the issue will go away.
Thanks,
Syed Hasnain
11-07-2012 01:34 AM
We have the same problem here; it happens from time to time without a clear pattern. We have opened a case but the support engineers couldn't reproduce the issue. You could try to use the User-ID agent as an LDAP proxy.
11-07-2012 02:41 AM
Same here, we're also running 4.1.8 (on a PA-5050 cluster). In my case it seems to happen most after we add or remove groups from the Include group list in the user identification config on the PA.
The only way to get it running again is to execute "debug software restart user-id" on the CLI.
We also tried using the User-ID agent as a proxy but it made no difference for us.
11-07-2012 06:57 AM
4.1.9 is showing as being avail on my system now. Has anyone tried it?
The list of fixes is rather large and looks to address specifically the problems that we have had.
11-07-2012 07:10 AM
Experienced same issues here. 4.1.8H3 resolved the group issue for us. Have not tried 4.1.9 yet as hotfix 3 got us going again.
11-08-2012 04:47 AM
I have finally done what you said: I removed the group mapping, committed, created a new group mapping and committed. All is working well for now.
This weekend I will upgrade to 4.1.9, to see if that resolves the problem completely or if it returns.
I will add some comments here on whether I get the problem back or not.
11-08-2012 06:21 PM
I had a similar issue and turning on the LDAP proxy option on the client seemed to fix it for me. I've since upgraded to 5 and have yet to have an issue.
Bob
11-16-2012 04:43 AM
So far so good, I have applied 4.1.9. For 7 days now everything has been working fine.