User-ID Agent - Domain Override?

User-ID Agent - Domain Override?

L1 Bithead

Hello All,

I desperately need an option to override the domain name for user-IP-mappings collected from a User-ID Agent.

I've found that the Terminal Server User-ID agent has that option, which is very handy for multi-domain environments, but unfortunately I couldn't find that option for the AD User-ID Agent.

I hope that there is some hidden switch or configuration that could do the job for me.



To give an example - I have a working User-ID Agent collecting and parsing the Event Logs from a few DCs that are serving users in multiple domains in a single forest.



Users are mapped perfectly fine such as:





At the same time, Group Mapping via LDAP also works fine generally and users are mapped to the correct groups.


The problem is that I want to enable Captive Portal with Client Certificate Authentication, which gives me no option to get the correct user domain. I am mapping the CN attribute of the user certificate for username, therefore all users are authenticated like this:




As a result group mapping does not work.


I've found a nice workaround for that to set domain override in the group mapping to, for example

Then set in the certificate profile domain as well.


Then all users get authenticated as:\jdoe\owilde\tom


and they are being populated in the group mapping also in the same manner, therefore everything works fine.

Unfortunately there is no similar option for the User-ID agent, and when I implement this workaround to make certificate authentication on CP work, I lose group mapping for the User-ID because on User-ID users are automatically mapped to their corresponding domain.


That is why I am looking for an option to statically override the user domain in the User-ID Agent. I can see that there is such an option in the TS agent, but I can not find it in the original User-ID agent.

Does anybody have an idea?


Cyber Elite

Not sure if it's an 'override', however if you enter the domain in the server profile (RADIUS or LDAP) it should populate like you are wanting to. I have GlobalProtect set up this way and use RADIUS, so I just enter the 'domain' in the RADIUS profile and the users display properly in the logs as domain\username.

L2 Linker

Tested w. UID Agent 7.0.2, PANOS 7.0.2 VM-100:


In the configuration file UserIDAgentConfig.xml, for each auth source (server), there is a default-domain variable, which does not have a value by default. I tested by filling in the desired domain name to be prepended, sending usernames with and without domains via the XML API, and checking on the firewall:





<server-entry name="xxx" type="active-directory" address="xxx" port="" syslog-profile="" default-domain="xxx"/>



In the following snippets, is the firewall, is the domain controller with UID Agent installed


XML file sent via curl:


<entry name="uid" ip="" timeout="20"/>

<entry name="uid2" ip="" timeout="20"/>

<entry name="beta\uid3" ip="" timeout="20"/>

<entry name="gamma\uid4" ip="" timeout="20"/>


File was sent via:


curl -vk --form file=@uid.xml


UID Agent displays username exactly how it was sent, without interpreting the separator (@ and \ tried):






and the firewall is updated:


admin@pavm-7> show user ip-user-mapping all

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
                vsys1  UIA     gamma\uid4                       222            222
                vsys1  UIA     alpha\panwagent                  901            901
                vsys1  UIA     uid                              397            397
                vsys1  UIA     uid5@delta                       1127           1127


So the default-domain variable in the UID Agent configuration file doesn't seem to append or overwrite a domain name for users without a domain, which would be needed to get something usable for user-group mapping.


The certificate used in CP is just a method to validate an identity - since it's not correlated natively to an auth server/sequence, I doubt you can extract fields from the cert (e.g. UPN) to check user-group mapping.


If you are not trying to control internet access, but access to internal resources, Kerberos challenge introduced in PANOS 7.0 (works with browser-challenge method) might help.
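Since the test above shows the agent forwards names exactly as sent (no domain prepended, separators not interpreted), one defensive option is to normalise the usernames yourself before they reach the XML API. The following is an added example, not code from the thread or from Palo Alto Networks: it qualifies the three name shapes seen in the test output ("uid", "beta\uid3", "uid5@delta") into the domain\user form that group mapping matches on, and wraps them in a uid-message login payload (the uid-message/version/type/payload wrapper is assumed from the documented XML API format; the DNS-suffix-to-NetBIOS table and IPs are constructed sample data).

```python
import xml.etree.ElementTree as ET

# Constructed sample: UPN DNS suffix -> short (NetBIOS) domain name, because
# group mapping on the firewall matches the short form. Adapt to your forest.
DNS_TO_NETBIOS = {"delta.example.com": "delta", "alpha.example.com": "alpha"}


def normalize_user(name, default_domain, dns_map=DNS_TO_NETBIOS):
    """Return 'domain\\user' for the three forms seen in the thread:
    'uid' (no domain), 'beta\\uid3' (already qualified), 'uid5@delta' (UPN style).
    Unknown UPN suffixes are kept as-is rather than silently dropped."""
    if "\\" in name:
        domain, user = name.split("\\", 1)
    elif "@" in name:
        user, suffix = name.rsplit("@", 1)
        domain = dns_map.get(suffix.lower(), suffix)
    else:
        domain, user = default_domain, name
    if not domain or not user:
        raise ValueError(f"cannot derive domain\\user from {name!r}")
    return f"{domain}\\{user}"


def build_login_xml(mappings, default_domain, timeout=20):
    """mappings: iterable of (username, ip). Returns a uid-message login
    payload with every entry name already qualified (assumed wrapper format)."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for name, ip in mappings:
        ET.SubElement(login, "entry", name=normalize_user(name, default_domain),
                      ip=ip, timeout=str(timeout))
    return ET.tostring(root, encoding="unicode")


def parse_login_names(xml_text):
    """Read back the entry names from a uid-message, to verify before sending."""
    root = ET.fromstring(xml_text)
    return [e.get("name") for e in root.findall("./payload/login/entry")]


if __name__ == "__main__":
    # Constructed sample mappings (documentation-range IPs).
    sample = [("uid", "192.0.2.10"), ("gamma\\uid4", "192.0.2.11"),
              ("uid5@delta.example.com", "192.0.2.12")]
    print(build_login_xml(sample, default_domain="alpha"))
```

The resulting file can be posted with the same curl --form file=@uid.xml call shown above.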
