06-07-2012 07:50 AM
Hi,
I have a problem with using groups (from Windows Active Directory) in security rules.
On our Windows Active Directory I have created a new group fw_finance. We use the PAN User-ID agent to get the mapping from IP to user. I mapped this group on our PA-500 (User Identification - Group Mapping Settings). Then I created a new security rule so that all users in this group can use port 3048 outgoing. So far so good. But if the users in this group try to connect to port 3048 outside, they are dropped. On the CLI I see the following:
tettrich@fw003> show user ip-user-mapping ip 10.50.2.97
IP address: 10.50.2.97
User: assona\cheXXX
Ident. By: AD
Idle Timeout: 2417s
Max. TTL: 2417s
Groups that the user belongs to (used in policy)
no group is shown!
tettrich@fw003> show user group name assona.local\fw_finance
group short name: assona.local\fw_finance
[1 ] assona.local\cheiXXX
[2 ] assona.local\XXXXX
[3 ] assona.local\XXXXXXX
[4 ] assona.local\XXXXXX
[5 ] assona.local\XXXXXXX
All users of this group are shown correctly!
And with show user user-IDs I also get the right information, that user cheiXXX is in the group fw_finance.
PA-500 with software version 4.1.6
User-ID Agent Version 4.1.4-3
Can anyone help me?
thanks
tom
06-07-2012 10:33 AM
Hi Tom,
From the output provided I would guess the domain is set to 'assona.local' when it should be set to the NETBIOS name 'assona'.
The output should show as follows:
tettrich@fw003> show user ip-user-mapping ip 10.50.2.97
IP address: 10.50.2.97
User: assona\cheXXX
Ident. By: AD
Idle Timeout: 2417s
Max. TTL: 2417s
Groups that the user belongs to (used in policy)
tettrich@fw003> show user group name assona\fw_finance
group short name: assona\fw_finance [1 ] assona\cheiXXX [2 ] assona\XXXXX [3 ] assona\XXXXXXX [4 ] assona\XXXXXX [5 ] assona\XXXXXXX
Please let me know if this helps.
- Stefan
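The mismatch Stefan describes can be checked mechanically: the ip-user-mapping reports the user as NETBIOS\user, so a group mapping configured with the DNS domain name lists members under a prefix that never matches. The following Python check is an added example, not part of this thread or of PAN-OS; the sample outputs are constructed to mirror the CLI output above, and the user names in them are made up.

```python
import re
from typing import NamedTuple

# Constructed samples modelled on the thread's CLI output (user names are made up).
# The ip-user-mapping reports the user with the NetBIOS domain prefix ...
MAPPING_OUTPUT = """\
IP address: 10.50.2.97
User: assona\\chen
Groups that the user belongs to (used in policy)
"""
# ... while a group mapping configured with the DNS name lists members under it.
GROUP_OUTPUT_BAD = "group short name: assona.local\\fw_finance[1 ] assona.local\\chen [2 ] assona.local\\mueller"
# The corrected configuration (domain set to the NetBIOS name 'assona').
GROUP_OUTPUT_GOOD = "group short name: assona\\fw_finance [1 ] assona\\chen [2 ] assona\\mueller"

class Identity(NamedTuple):
    domain: str
    name: str

def split_identity(value: str) -> Identity:
    """Split 'DOMAIN\\user'; compare case-insensitively, as AD names are."""
    domain, _, name = value.strip().partition("\\")
    return Identity(domain.lower(), name.lower())

def parse_mapping(text: str) -> Identity:
    """Identity the firewall attached to the IP (the 'User:' line)."""
    m = re.search(r"^User:\s*(\S+)", text, re.MULTILINE)
    if not m:
        raise ValueError("no 'User:' line in mapping output")
    return split_identity(m.group(1))

def parse_group(text: str) -> tuple[Identity, list[Identity]]:
    """Group identity plus its '[n ] DOMAIN\\user' members, on one line or many."""
    g = re.search(r"group short name:\s*([^\s\[]+)", text)
    if not g:
        raise ValueError("no 'group short name:' line in group output")
    members = [split_identity(x) for x in re.findall(r"\[\s*\d+\s*\]\s*(\S+)", text)]
    return split_identity(g.group(1)), members

def diagnose(mapping_text: str, group_text: str) -> str:
    """Say whether a rule on this group would match the mapped user, and if not, why."""
    user = parse_mapping(mapping_text)
    group, members = parse_group(group_text)
    if user in members:
        return f"ok: {user.domain}\\{user.name} is a member of {group.domain}\\{group.name}"
    same_name = [m for m in members if m.name == user.name]
    if same_name:
        return (f"domain prefix mismatch: mapping reports '{user.domain}' but the group lists "
                f"members under '{same_name[0].domain}'; set the group mapping domain to '{user.domain}'")
    return "no match: user is not a member of the group"
```

Running diagnose() against the two group outputs shows the rule would only match once the group mapping domain equals the prefix the mapping reports.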
06-11-2012 05:42 AM
Hi Stefan,
Thanks! I renamed the domain from assona.local to assona and it works.
cheers
tom
10-17-2012 09:56 PM
Hi,
We have a PA-500 in a single forest single domain environment and have installed UIA on one of our DCs.
Problem is user-id is not working in Security policies and the PA box does not recognise group membership.
Things I would like to check with you guys are:
- Port number for LDAP server profile, which is 389
- User-ID agent port; we are using 5007. Should we use another port?
Also show user group name "domain\domain admins" results in the following message:
User group 'domain\domain admins' does not exist or does not have members
Any idea?
10-18-2012 02:50 PM
Using port 5007 should be fine.
A common mistake when using port 389 is to forget to uncheck 'SSL'. Since LDAP port 389 does not use SSL, please verify that 'SSL' is unchecked.
Hope this helps.
-Stefan
10-22-2012 08:21 PM
Hi Stefan,
SSL is unchecked.
It was all working good before we updated from PAN-OS 4.1.6 to 4.1.7 then it stopped working.
Have updated to 4.1.8 but still no luck.
Next, I'm going to try creating new Global Security groups and applying rules to those new groups to see how it goes.
Have tried with both Universal and Global groups but ... no change.
Thanks
Vaughan
07-22-2013 05:11 PM
That just helped me out too! Thanks for the info.