
Losing the link between a user and their AD groups


I opened a case about this, but in the meantime I would like to know if anyone has the same problem as me.

- I'm using version 4.1.8 on a PA-2050 appliance.

- User-ID agent v4.1.4.3 is used to authenticate users.

- Windows AD on Server 2008, for LDAP.

I regularly lose the link between a user and the group associated with that user.

Result: I have several rules that grant special access, for example to social networks or personal web storage. When the rule is first created it works, but after about a week it stops working.

The user is authenticated; in MONITOR I can see the user in the USER column. But I still see the wrong rule being applied to that person: the last rule, which provides Internet access by default.

When this happens, here's what I see in the CLI:

show user group name "domain\group-1"

[1] domain\user01
[2] domain\user02

Then I ask for the groups associated with the user "user02" and get no group:

show user user-IDs match-user "domain\user02"

User Name                       VSYS    Groups
-----------------------------------------------------------------

When it works, the CLI command "show user user-IDs match-user" returns the right groups associated with the user.
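The two CLI checks in the post above can be cross-referenced automatically: a user who appears in a group's member list but whose own lookup returns no groups is exactly the stale mapping being described. The script below is an added example, not code from the original thread or from Palo Alto Networks. It runs on constructed samples of the two outputs; the exact column layout of the `show user user-IDs match-user` table and the `[n] domain\user` member format are assumptions modelled on the excerpt in the post, so adjust the parsers if your firewall prints them differently.

```python
"""Flag User-ID group-mapping inconsistencies from PAN-OS CLI output.

Added example (not from the original thread). Cross-checks
  show user group name "<domain>\\<group>"          -> members of a group
  show user user-IDs match-user "<domain>\\<user>"  -> groups of a user
and reports members whose per-user lookup no longer lists the group.
Output formats are assumptions modelled on the post's excerpt.
"""
import re

# Constructed sample: output of  show user group name "domain\group-1"
GROUP_OUTPUT = """\
short name:  domain\\group-1

source type: ldap
source:      ldap-server-1

[1     ] domain\\user01
[2     ] domain\\user02
"""

# Constructed samples of  show user user-IDs match-user "<user>"
# user01 still resolves to its group; user02 has lost its groups (the symptom).
USER_OUTPUTS = {
    "domain\\user01": """\
User Name                       VSYS    Groups
-----------------------------------------------------------------
domain\\user01                  vsys1   domain\\group-1
""",
    "domain\\user02": """\
User Name                       VSYS    Groups
-----------------------------------------------------------------
""",
}

# Member lines look like "[1     ] domain\user01" (assumed format).
MEMBER_RE = re.compile(r"^\[\s*\d+\s*\]\s+(\S+)\s*$", re.M)


def parse_group_members(text):
    """Return the (lower-cased) member names listed by `show user group name`."""
    return [m.group(1).lower() for m in MEMBER_RE.finditer(text)]


def parse_user_groups(text):
    """Return the groups from a `show user user-IDs match-user` table.

    The first two lines are the header and the dashed separator; each data
    row is assumed to be "<user> <vsys> <group>[,<group>...]". An empty table
    (no rows) yields [], which is the failure case from the thread.
    """
    groups = []
    for line in text.splitlines()[2:]:
        parts = line.split()
        if len(parts) >= 3:
            groups.extend(g.lower() for g in parts[2].split(","))
    return groups


def find_stale_mappings(group, group_output, user_outputs):
    """Members of `group` whose own lookup does not list `group`.

    `user_outputs` maps "domain\\user" to the captured CLI text for that user;
    a missing capture is treated like an empty table.
    """
    group = group.lower()
    stale = []
    for user in parse_group_members(group_output):
        if group not in parse_user_groups(user_outputs.get(user, "")):
            stale.append(user)
    return stale


if __name__ == "__main__":
    for user in find_stale_mappings("domain\\group-1", GROUP_OUTPUT, USER_OUTPUTS):
        print(f"stale group mapping: {user} is listed in domain\\group-1 "
              f"but resolves to no groups")
```

In practice you would capture the two outputs with your usual CLI automation (or paste them from a terminal session) and run the check for every group referenced by a policy rule; a non-empty result is the cue to apply the workaround from the accepted answer rather than waiting for users to report that the wrong rule is matching.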


Accepted Solutions

Hi Dennis,

How are you doing?

This has been a known issue on 4.1.8. Engineering worked on it and proposed a fix in 4.1.9. If you see this problem on 4.1.8, what you can do is go to User Identification, delete the group mapping, commit, then re-add the group mapping and commit again, and the issue will go away.

Thanks,

Syed Hasnain


We have the same problem here; it happens from time to time without a clear pattern. We have opened a case, but the support engineers couldn't reproduce the issue. You could try using the User-ID agent as an LDAP proxy.

Same here; we're also running 4.1.8 (on a PA-5050 cluster). In my case it seems to happen mostly after we add or remove groups from the Include group list in the User Identification config on the PA.

The only way to get it running again is to execute "debug software restart user-id" on the CLI.

We also tried using the User-ID agent as a proxy, but it made no difference for us.


4.1.9 is showing as available on my system now. Has anyone tried it?

The list of fixes is rather large and looks to address specifically the problems that we have had.

Experienced the same issues here. 4.1.8H3 resolved the group issue for us. Have not tried 4.1.9 yet, as hotfix 3 got us going again.

I have finally done what you said: I removed the group mapping, committed, created a new group mapping and committed, and everything is working well for now.

This weekend I will upgrade to 4.1.9 to see if that resolves the problem completely or if it returns.

I will add some comments here on whether I get the problem back or not.

I had a similar issue, and turning on the LDAP proxy option on the client seemed to fix it for me. I've since upgraded to 5 and have yet to have an issue.

Bob

So far so good; I have applied 4.1.9 and everything has been working fine for 7 days now.
