Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

UIA 8.1 issue

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

UIA 8.1 issue

L5 Sessionator

I have two different customers who hits same issue.

One user is using PAN-OS 8.1.3 and UIA 8.1.3-10,

another is using PAN-OS 8.0.12 and UIA 8.1.3.-10.

 

The issue is that UIA detects user info as three types of formats like...

1) domain\user (this is same as previous version)

2) domain.local\user

3) user@domain.local

 

When PA received these info, "show user ip-user-mapping all" shows following two types as below

1) domain\user

2) domain.local\user

 

admin@hostname(active)> show user ip-user-mapping all

IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.241.73.100 vsys1 UIA domain\user1 Never Never
10.212.136.101 vsys1 UIA domain.local\user1 Never Never
10.224.57.100 vsys1 UIA domain\user1 Never Never
10.128.145.9 vsys1 UIA domain\user2 Never Never
10.128.144.35 vsys1 UIA domain.local\user3 Never Never

 

The issue is that when PA recognize user format as "domain.local\user" format, the user does not hit to policy which was configured by user group that was pulled from AD.

The reason is that user group and member was recognized ONLY by "domain\user' format.

 

admin@hostname(active)> show user group name "cn=domain users,cn=users,dc=domain,dc=local

short name: domain\domain users

source type: ldap
source: groupmapping

[1 ] domain\01
[2 ] domain\21
[3 ] domain\22
[4 ] domain\23
[5 ] domain\24
[6 ] domain\26
[7 ] domain\27
[8 ] domain\29
[9 ] domain\88
[10 ] domain\98
[11 ] domain\administrator
[12 ] domain\agroadmin
[13 ] domain\agrotest
[14 ] domain\alc
[15 ] domain\amano1
[16 ] domain\amano2
..so on

 

I believe on PAN-OS 8.0 and earlier, "domain\userA" and "domain.local\userA" is NOT same guy, thus it does not hit group members.

 

Is there any body who hits same issue?

 

 

Note: I know PAN-OS 8.1 starts supporting multiple formats, though it makes me confusing and hitting this issue.

 

Regards,

Emr

1 accepted solution

Accepted Solutions

L5 Sessionator

Reply to myself.

 

It was WINAGENT-391 issue.

 

Description:
Fixed an issue where the User-ID agent failed to normalize usernames correctly due to a domain map lookup failure.

 

This is fixed in UIA 8.1.4.

 

View solution in original post

1 REPLY 1

L5 Sessionator

Reply to myself.

 

It was WINAGENT-391 issue.

 

Description:
Fixed an issue where the User-ID agent failed to normalize usernames correctly due to a domain map lookup failure.

 

This is fixed in UIA 8.1.4.

 

  • 1 accepted solution
  • 2548 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!