PAN-OS 8.1 User-ID problems

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PAN-OS 8.1 User-ID problems

L1 Bithead

Hi there,

I have some problems with a user-id installation on PAN-OS 8.1.4, scenario:

1) Windows AD Domain Forest, with around 6/7 domains

2) I'm only interested in authenticating users from one of the domains in the forest

3) I've correctly connected the firewall to the local domain controllers and pulled out ip to user mapping

4) I've also correctly connected the firewall to the ldap servers for group mapping, groups are populated correctly

The domain is in the form: my-local-domain.myforest.local

Problem:

Some users are detected as my-local-domain\username while some others are detected as my-local-domain.myforest.local\username and this gives me some problems because only users in the form my-local-domain\username are correctly mapped to groups.

I've already checked all the new documentation on user-id in 8.1 but cannot make it work 😞

Looking at one of the users attributes:
show user user-attributes user my-local-domain\SOMEUSER
Primary: my-local-domain\SOMEUSER        Email: SOMEUSER@mydomain.com
Alt User Names:
1) SOMEUSER@mydomain.com
2) my-local-domain\SOMEUSER.USERNAME
3) my-local-domain\SOMEUSER
4) SOMEUSER@UPN

 

Basically i would like to configure an Alternate username in the form: my-local-domain.myforest.local\SOMEUSER

is it possible using the new "Alternate Username" feature ? if so... how ?

 

thank you!

 

 

 

 

1 accepted solution

Accepted Solutions

L1 Bithead

Hi,

A had few cases related to similar issue. Most of them was related to:

 

a) wrong Group Mapping Domain Name configuration - check help. If you used this option make sure it is netbios.

b) issue described here: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Group-Mapping-in-a-Mult...

c) multidomain configuration - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFnCAK

d) domain-map was created and not refreshed - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVDCA0

 

best 

Jarek

View solution in original post

2 REPLIES 2

L1 Bithead

Hi,

A had few cases related to similar issue. Most of them was related to:

 

a) wrong Group Mapping Domain Name configuration - check help. If you used this option make sure it is netbios.

b) issue described here: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Group-Mapping-in-a-Mult...

c) multidomain configuration - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFnCAK

d) domain-map was created and not refreshed - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVDCA0

 

best 

Jarek

Thank you, with the help of one of the docs you shared I was finally able to solve this. It was the domain-map not woriking well, this doc ( https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFnCAK ) is absolute GOLD!

With some packet captures I was able to troubleshoot a problem related to the retrieval of the partitions from a Domain Controller.

Changed the binding on LDAP of one of the root domain controllers and all started to work !

BTW I already had a group mapping configured on one of the root DCs but i was using the Global Catalog service istead of the normal LDAP.

 

Thank's!

  • 1 accepted solution
  • 3574 Views
  • 2 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!