12-22-2017 02:28 AM
Hi Gurus,
I'm trying to implement agentless User-ID.
The LDAP & User Identification are created correctly.
Below is the output:
J-C.Valiere.da@PA_Ecore_Master> show user group list
cn=vpn ecore employee,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com
cn=vpn ecore consultant,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com
J-C.Valiere.da@PA_Ecore_Master> show user user-ids
User Name Vsys Groups
------------------------------------------------------------------
corp\tests5 vsys1 cn=vpn ecore employee,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com
corp\j-c.valiere.da vsys1 cn=vpn ecore consultant,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com
Also, the source zone on which I apply my policy has User-ID enabled.
So I can see that tests5 user is member of 'vpn ecore employee'.
I created the following 3 policies:
"VPN Remote Ecore Employee" {
to TRUST;
from REMOTE_VPN_USERS;
source Pool_VPN_Remote_Users;
destination VM_Safewalk;
source-user "cn=vpn ecore employee,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com";
category any;
application ssl;
service TCP_8443;
hip-profiles any;
action allow;
log-start yes;
tag REMOTE_VPN_USERS;
}
"VPN Remote Ecore Consultant" {
to TRUST;
from REMOTE_VPN_USERS;
source Pool_VPN_Remote_Users;
destination VM_Safewalk;
source-user "cn=vpn ecore consultant,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com";
category any;
application ssl;
service TCP_8443;
hip-profiles any;
action allow;
log-start yes;
tag REMOTE_VPN_USERS;
}
VPN_Remote_PoolVPN-Safewalk {
to TRUST;
from REMOTE_VPN_USERS;
source Pool_VPN_Remote_Users;
destination VM_Safewalk;
source-user any;
category any;
application ssl;
service TCP_8443;
hip-profiles any;
action allow;
log-start yes;
tag REMOTE_VPN_USERS;
}
And when trying to access the VM_Safewalk on port TCP_8443 with the user tests5, the 3rd policy matches instead of the first one.
Can anyone tell me what I forgot, or what is wrong in my configuration?
Thanks & Best Regards,
Jean-Christophe
12-22-2017 05:09 AM
Also...
when adding source-user to your policy just type vpn to see if the usergroup self populates.
You may have already done this, but it is worth a try rather than manually entering the FQDN.
12-22-2017 05:10 AM
Below is the result:
J-C.Valiere.da@PA_Ecore_Master> show user group name "cn=vpn ecore employee,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com"
short name: corp\vpn ecore employee
source type: ldap
source: VPN Ecore Employees
[1 ] corp\j-c.valiere.da
[2 ] corp\tests5
So it looks like everything is fine, or?
Thx
12-22-2017 05:13 AM
Try my previous as the policy may need to be...
corp\vpn ecore employee
12-22-2017 05:27 AM
I can confirm that it is self populated
Thx.
12-22-2017 05:36 AM
Does your authentication include user-domain=corp?
Perhaps a print screen of the successful authentication for tests5 would help.
12-22-2017 05:37 AM
Sorry... authentication profile
12-22-2017 07:30 AM
Source user in policy applies to "corp\vpn ecore employee"
Regards.
Jean-Christophe Valiere
12-22-2017 08:11 AM
Ok,
I got a really weird thing (Note that I switched tests5 user to vpn ecore consultant):
J-C.Valiere.da@PA_Ecore_Master> show user group name "cn=vpn ecore consultant,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com"
short name: corp\vpn ecore consultant
source type: ldap
source: VPN Ecore Group Mapping
[1 ] corp\tests5
J-C.Valiere.da@PA_Ecore_Master> show user group name "cn=vpn ecore employee,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com"
short name: corp\vpn ecore employee
source type: ldap
source: VPN Ecore Group Mapping
[1 ] corp\j-c.valiere.da
J-C.Valiere.da@PA_Ecore_Master> show user user-ids match-user tests5
User Name Vsys Groups
------------------------------------------------------------------
corp\tests5 vsys1 cn=vpn ecore employee,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com
cn=vpn ecore consultant,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com
So,
Group "vpn ecore employee" contains j-c.valiere.da
Group "vpn ecore consultant" contains tests5
user tests5 belongs to both "vpn ecore employee" and "vpn ecore consultant"
Also, note that I temporarily disabled the cache in the user identification settings.
Really, really strange.
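To make the two checks in this thread repeatable, here is an added example (not PAN-OS code, and not from the original poster): it parses the `show user user-ids` table and `show user group name` output as they appear in the post, cross-checks them for the kind of inconsistency reported above (a user whose user-ids entry lists a group that does not list the user back), and models the top-down first-match rule evaluation on source-user that decides whether the employee rule or the catch-all "any" rule is hit. The sample CLI text is constructed after the output quoted in the thread; the DN-to-short-name mapping (`domain\CN`) is an assumption for illustration, and the rule evaluation assumes every other match field (zone, address, service, application) is identical across the three rules, as it is in the posted configuration.

```python
"""
Added example (not PAN-OS code): parse the two User-ID CLI outputs quoted in
the thread, cross-check them, and model top-down first-match rule evaluation
on source-user.  All sample text below is constructed after the post's output.
"""
import re

# Constructed: `show user user-ids match-user tests5` style table; a second
# group for the same user wraps onto an indented continuation line.
USER_IDS = """\
User Name             Vsys   Groups
------------------------------------------------------------------
corp\\tests5           vsys1  cn=vpn ecore employee,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com
                             cn=vpn ecore consultant,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com
corp\\j-c.valiere.da   vsys1  cn=vpn ecore employee,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com
"""

# Constructed: two `show user group name "<dn>"` outputs, concatenated.
GROUP_NAME = """\
short name:  corp\\vpn ecore consultant
source type: ldap
source:      VPN Ecore Group Mapping
[1     ] corp\\tests5
short name:  corp\\vpn ecore employee
source type: ldap
source:      VPN Ecore Group Mapping
[1     ] corp\\j-c.valiere.da
"""

EMPLOYEE = "cn=vpn ecore employee,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com"
CONSULTANT = "cn=vpn ecore consultant,ou=roles,ou=global,ou=organization,dc=corp,dc=ecore,dc=com"

# Only the field that differs between the three posted rules, in rulebase order.
RULES = [
    ("VPN Remote Ecore Employee", EMPLOYEE),
    ("VPN Remote Ecore Consultant", CONSULTANT),
    ("VPN_Remote_PoolVPN-Safewalk", "any"),
]

USER_ROW = re.compile(r"^(\S+)\s+(vsys\d+)\s+(\S.*?)\s*$")
MEMBER_ROW = re.compile(r"^\[\s*\d+\s*\]\s+(\S+)")


def parse_user_ids(text):
    """{user: [group DN, ...]} from the user-ids table; continuation lines
    are indented and carry no user/vsys columns."""
    users, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("User Name", "---")):
            continue
        m = USER_ROW.match(line)
        if m:
            current = m.group(1).lower()
            users[current] = [m.group(3).lower()]
        elif current:
            users[current].append(line.strip().lower())
    return users


def parse_group_members(text):
    """{short name: {members}} from one or more `show user group name` outputs."""
    groups, current = {}, None
    for line in text.splitlines():
        if line.startswith("short name:"):
            current = line.split(":", 1)[1].strip().lower()
            groups[current] = set()
        else:
            m = MEMBER_ROW.match(line)
            if m and current:
                groups[current].add(m.group(1).lower())
    return groups


def short_name(dn, domain="corp"):
    """Assumed mapping DN -> `short name` (domain\\CN) as the CLI displays it."""
    cn = dn.split(",", 1)[0]
    return f"{domain}\\{cn[3:]}".lower()


def stale_memberships(user_groups, group_members):
    """(user, group) pairs where the user-ids entry names a group whose own
    member list does not contain the user: the inconsistency seen above."""
    out = []
    for user, dns in user_groups.items():
        for dn in dns:
            members = group_members.get(short_name(dn))
            if members is not None and user not in members:
                out.append((user, short_name(dn)))
    return sorted(out)


def first_match(rules, user, user_groups):
    """Top-down first match on source-user only (other fields assumed equal)."""
    groups = user_groups.get(user.lower(), [])
    for name, src_user in rules:
        if src_user == "any" or src_user.lower() in groups:
            return name
    return None


if __name__ == "__main__":
    users = parse_user_ids(USER_IDS)
    members = parse_group_members(GROUP_NAME)
    print("stale:", stale_memberships(users, members))
    for u in ("corp\\tests5", "corp\\j-c.valiere.da", "corp\\nobody"):
        print(u, "->", first_match(RULES, u, users))
```

Run against the constructed text, the cross-check flags `corp\tests5` as listed under "vpn ecore employee" in user-ids while that group's member list does not contain it, and a user with no group mapping at all falls through to the "any" rule. Paste the real CLI output into the two strings to run the same check on your own firewall; the rule order in `RULES` must mirror the rulebase, because evaluation stops at the first hit.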
12-22-2017 08:39 AM
Wow, that is strange; maybe it is remembered from a previous session.
Could you post a screenshot of Monitor/System for the user's authentication success, for tests5?