multiple users same machine privileges crossed


L1 Bithead
I currently have a customer using RADIUS authentication on the wireless and User-ID on the PA. The problem is when two different users use the same machine. A teacher logs in and gets a policy applied to the session going through the firewall; she logs out and a student logs in to the same machine, and that student has the same privileges through the PA as the teacher did. It seems like the PA is not releasing the session and applying the correct policy to the new user. Any ideas?
The setup is HA 3020s and Aruba wireless. RADIUS auth is against a Microsoft 2012 server.
Thanks!

L5 Sessionator

dthibodeaux

Do you see the (student) user name in the traffic logs when it hits the policy that you have created for teacher ?

If not, please verify if the ip-user-mapping changes for that IP address after teacher logs out and student logs in.

You can check the ip-user-mapping for an IP using the following command:

show user ip-user-mapping ip <ip/netmask>

L6 Presenter

Hi dthibodeaux,

Actually this should not happen, because when a user logs out, it creates a security log on the AD server. The firewall reads it and removes the mapping. We should try to find out why it's not happening.

However, there are two solutions for this.

1. Reduce the timeout interval for the User-ID to IP mapping, which means older mappings will expire if there is no activity from them.

2. Or enable WMI probing: the User-ID agent queries all active users, and if they don't respond, the mapping is removed.

Regards,

Hardik Shah

OK, so some more info.

This is only happening on wireless users; wired works fine. We are not seeing a user/IP mapping for the wireless users; the source user is blank.

Is there some new feature in 6.0 to help with this?

dthibodeaux

The source user field is blank due to the username not being pushed correctly. How are you pushing the usernames from the Aruba wireless? Are you using the XML API?

I'm guessing I'm not...

L6 Presenter

You have to use the API or the new syslog feature, as mentioned.

OK, so this customer does not have ClearPass, so I am assuming the XML API solution won't work. As far as the syslog solution, I am trying to set this up in my lab. I have an Aruba controller, a PA-200, and a 2008 server. Do I run the syslog server on the same server as the User-ID agent is on, or do these need to be separate boxes? I am running Kiwi Syslog Server on the same 2008 server as the UID agent is on... I think I said that already.

The document keeps referring to a "syslog sender" and I am not sure if that is the controller, the PA, or the 2008 server.

Thanks

David

dthibodeaux

The syslog sender should be the Aruba controller, which should be sending login/logout events to the PA-200. On the PA-200 you should have a syslog parser profile to parse these logs and extract the user-to-IP information.
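As an added example (not code from Palo Alto Networks, Aruba, or anyone in this thread), the following Python script models the two mechanisms the replies above rely on: the parsing step in which login/logout events from the controller are turned into user-to-IP mappings, and the mapping lifecycle Hardik describes, where a logout event removes a mapping and a timeout expires stale ones. It then replays the teacher/student scenario from the original question to show why a mapping that outlives its user hands the next user the first user's policy, and how a shorter timeout bounds that window. The log line layout, the regex, the usernames, the IP address and the timeout values are all constructed for illustration; they are not the real ArubaOS message format or PAN-OS syslog parser syntax.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional

# Constructed event lines. The field layout is hypothetical and only stands in
# for the login/logout events a controller would forward to a syslog listener.
TEACHER_LOGIN = "2024-01-15T08:00:00 wlan-ctrl auth: event=login user=teacher1 ip=10.1.5.20"
TEACHER_LOGOUT = "2024-01-15T08:55:00 wlan-ctrl auth: event=logout user=teacher1 ip=10.1.5.20"
STUDENT_LOGIN = "2024-01-15T09:00:00 wlan-ctrl auth: event=login user=student7 ip=10.1.5.20"

# Parser for the constructed format above (the equivalent of a syslog parser
# profile's field extraction). Lines that do not match are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: event=(?P<event>login|logout) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


@dataclass
class Mapping:
    user: str
    learned_at: datetime  # stands in for "last activity" since there is no traffic refresh here


class MappingTable:
    """IP-to-user table: login sets, logout removes, timeout expires."""

    def __init__(self, timeout: timedelta):
        self.timeout = timeout
        self._by_ip: dict[str, Mapping] = {}

    def ingest(self, line: str) -> bool:
        """Apply one event line; return False if the line did not parse."""
        m = LINE_RE.match(line)
        if not m:
            return False
        ts = datetime.fromisoformat(m["ts"])
        if m["event"] == "login":
            # A fresh login on an IP replaces whatever user was mapped there.
            self._by_ip[m["ip"]] = Mapping(m["user"], ts)
        else:
            # Only drop the mapping if it still belongs to the user logging out,
            # so a late logout cannot wipe a newer user's mapping.
            current = self._by_ip.get(m["ip"])
            if current is not None and current.user == m["user"]:
                del self._by_ip[m["ip"]]
        return True

    def lookup(self, ip: str, now: datetime) -> Optional[str]:
        """Return the user mapped to ip at time now, expiring a stale entry."""
        entry = self._by_ip.get(ip)
        if entry is None:
            return None
        if now - entry.learned_at > self.timeout:
            del self._by_ip[ip]
            return None
        return entry.user


def resolve(events: Iterable[str], ip: str, now: datetime, timeout_minutes: int) -> Optional[str]:
    """Replay events into a fresh table and answer: who is at ip right now?"""
    table = MappingTable(timedelta(minutes=timeout_minutes))
    for line in events:
        table.ingest(line)
    return table.lookup(ip, now)


if __name__ == "__main__":
    ip = "10.1.5.20"
    now = datetime.fromisoformat("2024-01-15T09:05:00")  # the student is on the machine
    # All events received: the student is correctly identified.
    print("all events  :", resolve([TEACHER_LOGIN, TEACHER_LOGOUT, STUDENT_LOGIN], ip, now, 180))
    # Only the teacher's login ever reached the firewall (the wireless case in
    # the thread): with a long timeout the teacher's mapping is still live.
    print("stale, 180m :", resolve([TEACHER_LOGIN], ip, now, 180))
    # The same missed events with a short timeout: the mapping has expired,
    # so the student falls through to the no-user policy instead of the teacher's.
    print("stale, 30m  :", resolve([TEACHER_LOGIN], ip, now, 30))
```

Run it as-is to see the three outcomes. The third case is the trade-off Hardik's first suggestion makes: a shorter timeout does not identify the student, it only stops the teacher's mapping (and policy) from being inherited, which is why getting the controller's login events to the firewall, as the later replies work through, is the actual fix rather than the timeout.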

I did finally get this to work using the User-ID agent set up on the PA itself, but my concern is how taxing this might be to the box in a production environment. I would really like it to work using the User-ID agent on the domain controller. For some reason I cannot get the info from the DC to the PA for the wireless users. I have the Aruba pointing at the DC where the agent resides, and I have the agent set up with the sender info, but I never see the user info on the PA in the monitor logs. Any ideas?

OK, I got it working using the UID agent residing on the DC.

Thanks for all the info!!
