Problem w/ user ID



L1 Bithead

Hi Gurus,

 

I'm trying to implement user id agentless.

The LDAP & User Identification are created correctly.

 

Below is the output:

J-C.Valiere.da@PA_Ecore_Master> show user group list

cn=vpn ecore employee,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com
cn=vpn ecore consultant,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com

 

J-C.Valiere.da@PA_Ecore_Master> show user user-ids

User Name Vsys Groups
------------------------------------------------------------------
corp\tests5 vsys1 cn=vpn ecore employee,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com

corp\j-c.valiere.da vsys1 cn=vpn ecore consultant,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com

 

Also, the source zone on which I apply my policy has User-ID enabled.

 

So I can see that tests5 user is member of 'vpn ecore employee'.

 

I created the 3 following policy:

"VPN Remote Ecore Employee" {
to TRUST;
from REMOTE_VPN_USERS;
source Pool_VPN_Remote_Users;
destination VM_Safewalk;
source-user "cn=vpn ecore employee,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com";
category any;
application ssl;
service TCP_8443;
hip-profiles any;
action allow;
log-start yes;
tag REMOTE_VPN_USERS;
}
"VPN Remote Ecore Consultant" {
to TRUST;
from REMOTE_VPN_USERS;
source Pool_VPN_Remote_Users;
destination VM_Safewalk;
source-user "cn=vpn ecore consultant,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com";
category any;
application ssl;
service TCP_8443;
hip-profiles any;
action allow;
log-start yes;
tag REMOTE_VPN_USERS;
}
VPN_Remote_PoolVPN-Safewalk {
to TRUST;
from REMOTE_VPN_USERS;
source Pool_VPN_Remote_Users;
destination VM_Safewalk;
source-user any;
category any;
application ssl;
service TCP_8443;
hip-profiles any;
action allow;
log-start yes;
tag REMOTE_VPN_USERS;
}

 

And when trying to access the VM_Safewalk on port TCP_8443 with the user tests5, the 3rd policy matches instead of the first one.

 

Can anyone tell me what I forgot, or what is wrong in my configuration?

 

Thanks & Best Regards,

Jean-Christophe
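To make the symptom in this post concrete, here is an added example (my own Python, not PAN-OS code and not part of the thread) that models first-match evaluation of the three rules above against the group information the firewall holds for a user. The rule names, zones, service and group DNs are taken from the post; the users, sessions and group-to-user mappings are constructed for illustration, and the matching logic is a deliberate simplification of what the firewall does. The point it shows: when the group identifier the rule carries does not line up with the groups mapped to the user, the user-specific rules are skipped and the session lands on the trailing "source-user any" rule, which is exactly the third-rule match described above. The `unreachable_user_rules` helper (hypothetical name) flags rules whose source-user group never appears in any mapping, which is the check I would run before suspecting the rulebase order.

```python
"""First-match rule evaluation with User-ID group mapping (added example).

Not PAN-OS code: a plain-Python model of how a first-match rulebase resolves a
session depending on whether the source-user group in the rule matches the
groups the firewall has mapped for the user. Rule names, zones, service and DNs
come from the post; users and mappings below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

EMPLOYEE_DN = "cn=vpn ecore employee,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com"
CONSULTANT_DN = "cn=vpn ecore consultant,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com"


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    service: str
    source_user: str  # "any" or a group identifier (DN or short name)
    action: str


@dataclass(frozen=True)
class Session:
    from_zone: str
    to_zone: str
    service: str
    user: Optional[str]  # None models a source IP with no IP-to-user mapping


# The three rules from the post, in rulebase order (first match wins).
RULEBASE = [
    Rule("VPN Remote Ecore Employee", "REMOTE_VPN_USERS", "TRUST", "TCP_8443", EMPLOYEE_DN, "allow"),
    Rule("VPN Remote Ecore Consultant", "REMOTE_VPN_USERS", "TRUST", "TCP_8443", CONSULTANT_DN, "allow"),
    Rule("VPN_Remote_PoolVPN-Safewalk", "REMOTE_VPN_USERS", "TRUST", "TCP_8443", "any", "allow"),
]


def normalize(group: str) -> str:
    # Constructed convention: strip quotes and compare case-insensitively,
    # so "CN=..." and "cn=..." are treated as the same identifier.
    return group.strip().strip('"').lower()


def first_match(session: Session, rulebase: List[Rule],
                group_mapping: Dict[str, Set[str]]) -> Optional[Rule]:
    """Return the first rule whose zone, service and source-user criteria match.

    group_mapping maps a user name to the group identifiers currently known
    for that user (what 'show user user-ids' lists in the Groups column).
    """
    user_groups = {normalize(g) for g in group_mapping.get(session.user or "", set())}
    for rule in rulebase:
        if (rule.from_zone, rule.to_zone, rule.service) != (
                session.from_zone, session.to_zone, session.service):
            continue
        # A user-specific rule only matches if the user carries that group;
        # an unmapped user (None) or a non-matching group falls through.
        if rule.source_user != "any" and normalize(rule.source_user) not in user_groups:
            continue
        return rule
    return None


def unreachable_user_rules(rulebase: List[Rule],
                           group_mapping: Dict[str, Set[str]]) -> List[str]:
    """Lint: names of rules whose source-user group is mapped to no user at all.

    Such a rule can never match, so sessions silently fall through to a later,
    usually broader, rule. This is one way the 'third rule matches' symptom
    can arise; it does not prove that is the cause in any given deployment.
    """
    known = {normalize(g) for groups in group_mapping.values() for g in groups}
    return [r.name for r in rulebase
            if r.source_user != "any" and normalize(r.source_user) not in known]


if __name__ == "__main__":
    session = Session("REMOTE_VPN_USERS", "TRUST", "TCP_8443", "corp\\tests5")
    # Constructed mapping in DN form: the employee rule is reached.
    dn_mapping = {"corp\\tests5": {EMPLOYEE_DN}}
    # Constructed mapping in short-name form only: both user rules are skipped.
    short_mapping = {"corp\\tests5": {"corp\\vpn ecore employee"}}
    for label, mapping in (("DN mapping", dn_mapping), ("short-name mapping", short_mapping)):
        hit = first_match(session, RULEBASE, mapping)
        print(f"{label}: matched rule = {hit.name if hit else None}; "
              f"unreachable = {unreachable_user_rules(RULEBASE, mapping)}")
```

Running it shows the DN-form mapping landing on "VPN Remote Ecore Employee" and the short-name-only mapping falling through to "VPN_Remote_PoolVPN-Safewalk" with both user-specific rules reported as unreachable. The model is simplified (the real firewall resolves group membership through its group mapping profile rather than by string comparison), but the fall-through behaviour it demonstrates is the reason a trailing "any" rule hides User-ID problems instead of surfacing them as denies.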

10 REPLIES

L7 Applicator

If you run the following command...

 

show user group name "cn=vpn ecore employee,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com"

 

is tests5 displayed in the output?

L7 Applicator

Also...

 

When adding source-user to your policy, just type vpn to see if the user group self-populates.

You may have already done this, but it is worth a try rather than manually entering the FQDN.

Below is the result:

J-C.Valiere.da@PA_Ecore_Master> show user group name "cn=vpn ecore employee,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com"


short name: corp\vpn ecore employee

source type: ldap
source: VPN Ecore Employees

[1 ] corp\j-c.valiere.da
[2 ] corp\tests5

 

So it looks like everything is fine, or?

 

Thx

Try my previous as the policy may need to be...

 

corp\vpn ecore employee

I can confirm that it is self populated

 

Thx.

Does your authentication include user-domain=corp?

 

Perhaps a screenshot of the successful authentication for tests5 would help.

Sorry... authentication profile

Source user in policy applies to "corp\vpn ecore employee"

 

Regards.

Jean-Christophe Valiere

Ok,

I got a really weird thing (Note that I switched tests5 user to vpn ecore consultant):

 

J-C.Valiere.da@PA_Ecore_Master> show user group name "cn=vpn ecore consultant,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com"

short name: corp\vpn ecore consultant

source type: ldap
source: VPN Ecore Group Mapping

[1 ] corp\tests5

 

J-C.Valiere.da@PA_Ecore_Master> show user group name "cn=vpn ecore employee,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com"

short name: corp\vpn ecore employee

source type: ldap
source: VPN Ecore Group Mapping

[1 ] corp\j-c.valiere.da

 

J-C.Valiere.da@PA_Ecore_Master> show user user-ids match-user tests5

User Name Vsys Groups
------------------------------------------------------------------
corp\tests5 vsys1 cn=vpn ecore employee,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com
cn=vpn ecore consultant,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com

 

So,

Group "vpn ecore employee" contains j-c.valiere.da

Group "vpn ecore consultant" contains tests5

user tests5 belongs to both "vpn ecore employee" and "vpn ecore consultant"

 

Also, note that I temporarily disabled the cache in the user identification settings.

 

Really, really strange.

Wow, that is strange; maybe it is remembered from a previous session.

Could you post a screenshot of Monitor > System for the user's authentication success, for tests5?
