User-ID Agent for Active Directory won't transfer mappings

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

User-ID Agent for Active Directory won't transfer mappings

L1 Bithead

Hello-

I have a new PA500 (running 4.0.4)  that I've set up and am now trying to tie to Active Directory in order to create user-based policies.  I have everything configured to my knowledge, but I'm not getting any user-IP mappings on the firewall.

I installed what I believe to be the latest AD agent, 3.1.2 (filename PanAgent-3.1.2.msi), on my server and configured it as follows (using made-up IP addresses and domains for this example):

Domain Name: mydomain.com

Port Number: 31200

Domain Controller Address: 1.1.1.1

Allow List: 1.1.1.0/24

Filter Group: mydomain\users

I am able to successfully view the user-ip mappings and groups through the configuration program.

I have also configured the agent settings on the PA500 as follows:

Agent Type: userid-agent

Name: userid-AD

IP Address: 1.1.1.1

Port: 31200

Furthermore, I've enabled the agent on the trusted zone through the following settings:

Enable User Identification: Yes

Include List: addr-localnet (1.1.1.0/24)

I believe that this is all I have to do to get the user-IP mappings to work but I am not seeing any such mappings on the firewall.  If I consult the PA500's logs I find:

UserID connected to agent userid-AD(1.1.1.1) version 3, initiated by 1.1.1.2

and

Pan-Agent connected: IP 1.1.1.1 port 31200, initiated by 1.1.1.2

However, if I consult the agent's logs on the server I find it filled with the following error:

New Connection(1.1.1.2:<port>) Socket(<socket>)
SSL read error in pan_host_agent_rcv_data -2-16-0
Connection(1) is closed!

If I run show user userid-agent statistics on the CLI I get an output like follows:

Server: userid-AD(vsys: vsys1) Address: 1.1.1.1:31200
        Connection                                        : Not Connected
        Version                                           : <Unknown>
        number of connection tried                        : 5295
        number of connection succeeded                    : 5224
        number of connection failed                       : 71
        number of user ip mapping messages received       : 0
        number of user ip mapping add entries received    : 0
        number of user ip mapping del entries received    : 0
        number of ip msgs rcvd but failed to process      : 0
        number of status messages received                : 0
        number of request of ip mapping messages sent     : 0
        number of request of all ip mapping messages sent : 0
        number of request of status messages sent         : 0

I'm at a loss here and hope that this is enough information for somebody to help me out.  Does anybody have any ideas on why my mappings aren't working?  I don't know whether this is applicable at all, but my Web GUI gives me a certificate error when I attempt to access it.

Thanks for any help you can provide.

1 accepted solution

Accepted Solutions

L6 Presenter

Agent type on the PAN configuration should be pan agent as opposed to userid-agent. Change it and commit and you should see the PAN communicate successfully. Userid-agent is for eDir whereas pan-agent is for AD environment.

View solution in original post

2 REPLIES 2

L6 Presenter

Agent type on the PAN configuration should be pan agent as opposed to userid-agent. Change it and commit and you should see the PAN communicate successfully. Userid-agent is for eDir whereas pan-agent is for AD environment.

Well, that was simple.  Thanks for the help.

  • 1 accepted solution
  • 3085 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!