User-ID and internet access


L4 Transporter

Hello,

 

If a user uses the PC at home (not behind the Palos) to access the Internet, then hibernates their PC, then comes to work, connects to the network (behind the Palos) and un-hibernates, they can no longer access the Internet until the PC re-authenticates to AD and the User-ID agent can identify the user again. There is a period when the user cannot use the Internet, as the Palo policy states the user must be known via User-ID. This can be a while, depending on what apps the user uses after they un-hibernate.

Is there a way to fix this?

 

Thanks in advance

 

 


Accepted Solutions

L4 Transporter

Hi Farzana,

 

You could deploy GlobalProtect and internal host detection so that when the computer comes out of hibernation, GP connects and authenticates the user that way (but does not establish a tunnel).

 

Another way would be to implement a 'catch-all' captive portal policy so that if all the other identification methods fail, they have to authenticate via a captive portal.

 

One other way would be to configure wireless access points to send syslog to your firewall. If a user authenticates to the wireless network, the AP could send syslog to the firewall containing the username and IP address, which you can configure the firewall to parse out and create a mapping for them.

 

You can find more info here and determine which solution best fits you.

 

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/user-id-overview#67469

 

Hope this helps,

Ben
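
The syslog option from the answer above, sketched as an added example (not part of the original post and not PAN-OS code): it shows the kind of matching a syslog parser has to do to turn AP authentication messages into IP-to-user mappings. The log format, host names, user names and regexes are constructed for illustration; a real AP's message layout will differ.

```python
import ipaddress
import re

# Constructed sample AP syslog lines (hypothetical format, not a real vendor's).
SAMPLE_LOGS = [
    r"<134>Mar  3 08:01:12 ap-floor2 wlan: auth success user=CORP\alice ip=10.20.30.41 ssid=corp",
    r"<134>Mar  3 08:01:15 ap-floor2 wlan: auth failure user=CORP\farzana ip=10.20.30.66 ssid=corp",
    r"<134>Mar  3 08:02:40 ap-floor1 wlan: auth success user=ben@corp.example ip=10.20.30.52 ssid=corp",
    r"<134>Mar  3 08:03:05 ap-floor1 wlan: auth success user=guest ip=999.1.1.1 ssid=corp",
    r"<134>Mar  3 08:04:00 ap-floor2 wlan: auth success user=CORP\farzana ip=10.20.30.41 ssid=corp",
]

# Three patterns: which events count, where the username is, where the address is.
EVENT_RE = re.compile(r"\bauth success\b")
USER_RE = re.compile(r"\buser=(\S+)")
ADDR_RE = re.compile(r"\bip=(\S+)")


def parse_line(line):
    """Return (ip, user) for a successful-auth line, else None."""
    if not EVENT_RE.search(line):
        return None  # failed logins must never create a mapping
    user, addr = USER_RE.search(line), ADDR_RE.search(line)
    if not (user and addr):
        return None
    try:
        ip = str(ipaddress.ip_address(addr.group(1)))
    except ValueError:
        return None  # malformed address: skip rather than map it
    return ip, user.group(1).lower()


def build_mappings(lines):
    """Latest successful login per IP wins, so a reused address follows its new user."""
    mappings = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, user = parsed
            mappings[ip] = user
    return mappings


if __name__ == "__main__":
    for ip, user in build_mappings(SAMPLE_LOGS).items():
        print(f"{ip} -> {user}")
```

Because the mapping is only as trustworthy as the syslog sender, the event pattern should match successful authentications only, and the listener should accept messages only from the known AP addresses.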

Thanks Ben for the wonderful suggestions.
