10-10-2012 06:23 PM
Hi all,
I have a problem when I use captive portal authenticated by AD users.
- First, I installed the Palo Alto User Agent on the AD machine, and this worked fine. In the traffic log of the PA, I saw the AD users.
- After that, I configured captive portal on the PA and it works too: AD users do not need to log in to Captive Portal (CP), and users not in AD must log in via CP to use network resources. But after 30 mins, the problem occurs: some of the users already in AD must log in via CP to use network resources too. And after one day, all AD users must log in via CP.
- The PAN-OS that I used is 4.1.7 and the User Agent version is 4.1.4-3.
Has anyone met this issue? Any advice? Please help, thanks so much.
10-10-2012 07:12 PM
Seems like there is some issue with user-to-IP mapping. First check the user-id agent status:
show user user-id-agent state all
Agent: usr_id(vsys: vsys1) Host: <agent-ip>:5007
Status : conn:idle(Connected to <agent-ip>(source: mgt-ip))
It should say "connected". Also, on the agent, check if you are seeing users and make sure the user-id agent service is running.
One option that you can try is to reset the connection between the user-id agent and the firewall:
debug user-id reset user-id-agent <name>
After the above, run "show user ip-user-mapping all". You should see all your users. This should resolve your issue. Thanks.
10-10-2012 10:11 PM
Thanks for your reply,
I already checked the agent status, and it shows "connected". I also reset the connection. It helps, but after a period of time it happens again, although the agent status is still "connected". I think this is an OS bug. Any advice?
10-11-2012 06:09 AM
Did you ever change the timeout settings on the User-id client? If not, then go ahead and change the value to 120 from 45, then commit on the User-id client. Reset the connection one more time with "debug user-id reset user-id-agent <name>" and see if the mapping is stable.
10-11-2012 07:07 AM
Thank you very much for your help. I think it is stable now.