User-id agent timeout integration with dhcp lease timeout

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

User-id agent timeout integration with dhcp lease timeout

L2 Linker

Hi all,

let's suppose these conditions:

 

- interface with dhcp enabled, 24 hours lease timeout, ip range (for example) 192.168.3.0/24

- user-id agent enabled with 45 minutes timeout

- virtual machine environment with non persistent vm, so when a machine is powered off it will be destroyed and recreated with a new mac address

- a machine cannot do web-browsing without user-id

 

An example:

 

26/04/2022 11:03:49 -> machine MACHINE1 got ip from dhcp, 192.168.3.1

27/04/2022 11:00:00 -> user USER1 log into MACHINE1, so a user-id mapping will be created between 192.168.3.1 and USER1

27/04/2022 11:02:00 -> user USER1 log off from MACHINE1

27/04/2022 11:02:30 -> machine MACHINE1 will be recreated with a new mac address and got 192.68.3.100 from dhcp

27/04/2022 11:03:00 -> machine MACHINE1 release dhcp address got 24 hours ago

27/04/2022 11:20:00 -> a user with a pc connect his machine to the network and he got 192.168.3.1

Between 11:20:00 and 11:45:00 the user "unknown" with his pc can do web-browsing with ip 192.168.3.1 because he's recognized as USER1

27/04/2022 11:45:00 -> the user-id mapping between USER1 and 192.168.3.1 will be deleted, the "unknown" user can't web-browsing anymore

 

This could cause

- unknown user do web-browsing without having rights

- unknown user could visit sites as USER1, so the logs are not consistent

- unknown user can have access to other network segment due to the fact that he is presenting as USER1

- and so on..

 

Any hint on this, other that reducing dhcp timeout that could mitigate a bit the problem, but it doesn't resolve it?

 

Obviously the ideal could be that the dhcp does not assign an ip if there is already a user-id agent associated to the same ip with a different mac address, but I think I'm asking too much..

 

Thanks

5 REPLIES 5

Cyber Elite
Cyber Elite

Hello,

If you have an AD or other radius system, I would use those logs instead of DHCP for user-id.. I had other issues in the past with user -id not being quick enough with AD so I started using Exchange logs, however there are issues with this as well, i.e. need to have outlook open, etc. You could install global protect on these VM's as the base image and have it update the PAN, e.g. internal gateway?

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClH1CAK

Just some thoughts.

Cyber Elite
Cyber Elite

@N2Z2,

Anytime you have a situation like this, I really recommend using GlobalProtect and user certificates to handle the User-ID portion of things if you have an internal PKI infrastructure setup. It's the best experience that essentially eliminates the capability for a user to get an IP address with stale User-ID information associated with it. 

If that isn't an option for you, then I would recommend following @OtakarKlier's advice and using AD/Radius for user-id information so that the user logging into the VM will update the ip-user-mapping and overwrite the stale User-ID information. 

 

I ran into one instance a while back that the environment was doing essentially what you are doing now. The solution in that case was a lot of scripting and log scrubbing and using the API to update user information manually. It wasn't an elegant solution, but it got them through until a proper GlobalProtect installation could be configured and deployed in their environment. 

L2 Linker

Hi,

I've an AD domain connected for user-id agent, but in the example in the first post, the user "unknown" connects his MacBook to the network and he doesn't do login to AD domain (for example, it could do web-browsing with an ip based policy and a static dhcp lease for his mac address, I can't see the user but I'm 100% sure that the ip is his ip address, without considering mac spoofing).

The perfect solution will be "connect your MacBook to another vlan to get the address from another subnet" and usually this is the way, but there are a couple of case in which I cannot do that.

 

Maybe I could put a logoff script via gpo (yet another not elegant solution, as you said) that could use an API to invalidate the mapping?

 

Maybe something like

 

curl -F key=<mykey> --form file=@<myfile> "https://myfirewallip/api/?type=user-id

 

using this as <myfile>

 

<uid-message>
<payload>
<logout>
<entry user="domain\user1" ip="<local_ip_go_from_script>">
</logout>
</payload>
<type>update</type>
<version>1.0</version>
</uid-message>

 

Thanks again

 

N.

Cyber Elite
Cyber Elite

Hello,

So if you have a user, ie a guest, on your network, you can use the captive portal to capture their user name. 

https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/user-id/user-id-concepts/user-mapping/capt...

Just a thought.

L2 Linker

Hi,

yes, it could be a solution.

Thanks for the hint

  • 2317 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!