I deseprately need an option to override the domain name for user-IP-mappings collected from an User-ID Agent.
I've found that the Terminal Server User-ID agent has that option (https://live.paloaltonetworks.com/t5/Management-Articles/Domain-Override-Functionality-on-Terminal-S... which is very handy for multi-domain environments, but unfortunately i couldnt find that option for the AD User-ID Agent.
I hope that there is some hidden switch or configuration that could make me to the job.
To give an example - i have a working User-ID Agent collecting and parsing the Event Logs from few DCs that are serving users in multiple domains in a single forest.
Users are mapped perfectly fine such as:
In the same time Group Mapping via LDAP also works fine generally and users are mapped to the correct groups
The problem is that i want to enable Captive portal with Client Certificate Authentication which gives me no option to get the correct user domain. I am mapping the CN attribute of the user certificate for username, therefore all users are authenticated like this:
As a result group mapping does not work.
I've found a nice workaround for that to set domain override in the group mapping to, for example contoso.com.
Then set in the certificate profile domain contoso.com as well.
Then all users get authenticated as:
and they are being populated in the group mapping also in the same manner, therefore everything works fine.
Unfortunately there is no similar option for the User-ID agent and when i implement this workaround to make certificate authentcation on CP working, i lose group mapping for the User-ID because on User-ID users are automatically mapped to their corresponding domain.
That is why i am looking for option to statically override the user domain in User-ID Agent. I can see that there is such option in the TS agent (https://live.paloaltonetworks.com/t5/Management-Articles/Domain-Override-Functionality-on-Terminal-S... but i can not find it in the original User-ID agent.
Does anybody have an idea?
Not sure if its an 'override' however if you enter the domain in the server profile (radius or LDAP) it should populate like you are wanting to. I have Global PRotect setup this way and use radius, so I just enter the 'domain' in the radius profile and the users diplay properly in the losg as domain\username.
Tested w. UID Agent 7.0.2, PANOS 7.0.2 VM-100:
In the configuration file UserIDAgentConfig.xml, for each auth source (server), there is a default-domain variable, which does not have a value by default. I tested by filling in the desired domain name to be prepended and sending via XML API usernames with and without domains and checking on firewall:
<server-entry name="xxx" type="active-directory" address="xxx" port="" syslog-profile="" default-domain="xxx"/>
In the following snippets, 10.1.1.1 is the firewall, 10.1.1.201 is the domain controller with UID Agent installed
XML file sent via curl:
<entry name="uid" ip="10.1.1.121" timeout="20"/>
<entry name="uid2" ip="10.1.1.122" timeout="20"/>
<entry name="beta\uid3" ip="10.1.1.123" timeout="20"/>
<entry name="gamma\uid4" ip="10.1.1.124" timeout="20"/>
File was sent via:
curl -vk --form email@example.com https://10.1.1.201:5006
UID Agent displays username exactly how it was sent, without interpreting the separator (@ and \ tried):
and the firewall is updated:
admin@pavm-7> show user ip-user-mapping all
IP Vsys From User IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.1.1.124 vsys1 UIA gamma\uid4 222 222
10.1.1.201 vsys1 UIA alpha\panwagent 901 901
10.1.1.121 vsys1 UIA uid 397 397
10.1.1.125 vsys1 UIA uid5@delta 1127 1127
So the default-domain variable in UID Agent configuration file doesn't seem to append or overwrite a domain name to users without domain, to get something usable for user-group mapping.
Certificate used in CP is just a method to validate an identity - since it's not correlated natively to an auth server/sequence, I doubt you can extract fields from cert (e. g. UPN) to check user-group mapping.
If you are not trying to control internet access, but access to internal resources, Kerberos challenge introduced in PANOS 7.0 (works with browser-challenge method) might help.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!