09-15-2016 11:46 PM
Hello,
If a user uses the PC at home (not behind the Palos) to access the Internet then hibernates their PC, then comes to work and connects to the network (behind the Palos) and un-hibernates, they can no longer access the Internet until the PC re-authenticates to AD and when the User-ID agent can identify the user again. There is a period when the user cannot use the Internet as the Palo policy states the user must be known via User-ID. This can be a while depending on what apps the user uses after they un-hibernate.
Is there a way to fix this?
Thanks in advance
09-16-2016 03:44 AM
Hi Farzana,
You could deploy GlobalProtect & internal host detection so that when the computer comes out of hibernation, GP connects and authenticates the user that way (but does not establish a tunnel).
Another way would be to implement a 'catch-all' captive portal policy so that if all the other identification methods fail, they have to authenticate via a captive portal.
One other way would be to configure wireless access points to send syslog to your firewall. If a user authenticates to the wireless network, the AP could send syslog to the firewall containing the username & IP address, which you can configure the firewall to parse out and create a mapping for them.
You can find more info here and determine which solution best fits you.
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/user-id/user-id-overview#67469
Hope this helps,
Ben
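The syslog option in the reply above, sketched as an added example that is not part of the original post or Palo Alto Networks code: it shows the parsing logic a syslog-to-mapping filter has to get right (match only successful logins, validate the address, let the latest login win for an IP). The log format, hostnames and usernames are constructed for illustration and do not come from any real AP vendor.

```python
import ipaddress
import re

# Constructed sample lines in a hypothetical AP log format (assumption, not a real vendor's).
SAMPLE_LOGS = [
    "<134>Sep 16 08:01:12 ap-floor2 wlan: auth success user=CORP\\farzana ip=10.20.30.41 ssid=corp",
    "<134>Sep 16 08:01:15 ap-floor2 wlan: auth failure user=CORP\\guest ip=10.20.30.77 ssid=corp",
    "<134>Sep 16 08:02:03 ap-floor3 wlan: auth success user=CORP\\ben ip=999.1.1.1 ssid=corp",
    "<134>Sep 16 08:05:40 ap-floor2 wlan: auth success user=CORP\\alice ip=10.20.30.41 ssid=corp",
]

EVENT_RE = re.compile(r"auth success")  # only successful logins may create a mapping
USER_RE = re.compile(r"user=([A-Za-z0-9._-]+\\[A-Za-z0-9._-]+)(?=\s|$)")
ADDR_RE = re.compile(r"ip=(\S+)")


def parse_login(line):
    """Return (ip, user) for a successful login line, else None."""
    if not EVENT_RE.search(line):
        return None
    user, addr = USER_RE.search(line), ADDR_RE.search(line)
    if not (user and addr):
        return None
    try:
        ip = ipaddress.ip_address(addr.group(1))
    except ValueError:
        return None  # malformed address: never create a mapping from it
    return str(ip), user.group(1).lower()


def build_mappings(lines):
    """Build an IP-to-user table; the latest successful login for an IP wins."""
    table = {}
    for line in lines:
        parsed = parse_login(line)
        if parsed:
            ip, user = parsed
            table[ip] = user  # overwrite a stale user on a reused address
    return table


if __name__ == "__main__":
    for ip, user in build_mappings(SAMPLE_LOGS).items():
        print(ip, "->", user)
```

Because the resulting mapping drives policy decisions, the log source matters as much as the pattern: only accept these messages from the APs you expect.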
09-18-2016 05:21 PM
Thanks Ben for the wonderful suggestions.