For identifying users on a PA-3020 with PAN-OS 5.0.5 I use a combination of reading the information from eDirectory, the XML API and captive portal.
I am now facing the problem that when users use different computers at the same time with a user account that is authenticated against eDirectory (for example one at their workplace and another one during a meeting in another room), only the first IP known to eDirectory is authenticated on the firewall (but both IPs are available in eDirectory if I check for them using a simple LDAP browser or Novell ConsoleOne), and the captive portal is shown to the user (in the best case; I also got reports that in some cases just the block response page was shown).
Also, I sometimes have entries for source "Unknown" and user "Unknown" if I list the user mappings on the device using "show user ip-user-mapping all".
Is that a known problem, or more a kind of feature?
The firewall gets the IP-user mapping from either the agent or the agentless service, based on the logon events from the DC or from eDirectory. The agent or the service can hold multiple IP-user mappings for the same user, but from different machines (IP addresses). We should also see the multiple entries for the user on the agent or on the firewall (agentless service). Can you increase the timeout of the IP-user mapping on the agent, so that the entries are not cleared at a faster rate?
It's common to see unknowns under the "show user ip-user-mapping all" command. This mapping is seen when the firewall does not have information about an IP address from the agent/agentless service, and for those users for whom captive portal isn't defined. You can force the firewall to query the agent/agentless service to actively probe these unknown IP addresses using NetBIOS or WMI probing.
The documents below explain the recommended steps for user identification.
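As an added example (not code from the original thread and not a Palo Alto Networks tool), the script below parses the output of the "show user ip-user-mapping all" command mentioned above and reports the two conditions discussed in this thread: users mapped from more than one IP (which the reply says the firewall should show) and IPs mapped to "Unknown" (candidates for NetBIOS/WMI probing or captive portal). It lets you confirm whether the firewall actually holds a second IP for a user before concluding the agentless service dropped it. The column layout the parser expects (IP, Vsys, From, User, IdleTimeout(s), MaxTimeout(s)) and the sample output are assumptions constructed for illustration; adjust the regular expression if your PAN-OS version prints different columns.

```python
"""Parse 'show user ip-user-mapping all' output and flag users mapped from
several IPs as well as IPs whose user is Unknown.

Added example, not from the original thread. The column layout assumed
below (IP, Vsys, From, User, IdleTimeout(s), MaxTimeout(s)) and the sample
text are constructed for illustration, not copied from a device.
"""
import re
import sys
from collections import defaultdict

# Constructed sample output: IPs, vsys and user names are made up.
SAMPLE_OUTPUT = """\
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.10.1.25      vsys1  UIA     edir\\jdoe                        2540           2700
10.10.7.114     vsys1  CP      edir\\jdoe                        1200           3600
10.10.1.40      vsys1  UIA     edir\\asmith                      2610           2700
10.10.9.9       vsys1  Unknown Unknown                          N/A            N/A
Total: 4 users
"""

# One mapping row: an IPv4 address followed by five whitespace-separated fields.
# Header, separator and "Total:" lines do not start with an address and are skipped.
ROW_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<vsys>\S+)\s+(?P<source>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<idle>\S+)\s+(?P<max>\S+)\s*$"
)


def _ip_key(ip):
    """Sort key so that 10.10.9.9 sorts before 10.10.10.1 (numeric, not lexical)."""
    return tuple(int(octet) for octet in ip.split("."))


def parse_mappings(text):
    """Return one dict per mapping row, with keys ip, vsys, source, user, idle, max."""
    rows = []
    for line in text.splitlines():
        match = ROW_RE.match(line.strip())
        if match:
            rows.append(match.groupdict())
    return rows


def users_with_multiple_ips(rows):
    """Map user -> sorted IP list for every user that appears from more than one IP.
    'Unknown' is excluded because it is a placeholder, not a real user."""
    by_user = defaultdict(set)
    for row in rows:
        if row["user"].lower() != "unknown":
            by_user[row["user"]].add(row["ip"])
    return {user: sorted(ips, key=_ip_key) for user, ips in by_user.items() if len(ips) > 1}


def unknown_ips(rows):
    """IPs the firewall has no user for; these are what probing or captive portal should resolve."""
    return sorted((row["ip"] for row in rows if row["user"].lower() == "unknown"), key=_ip_key)


def main():
    # Usage: save the CLI output to a file and pass its path; without an argument
    # the constructed sample is analysed.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    rows = parse_mappings(text)
    print(f"{len(rows)} mapping rows parsed")
    for user, ips in users_with_multiple_ips(rows).items():
        print(f"user {user} is mapped from {len(ips)} IPs: {', '.join(ips)}")
    for ip in unknown_ips(rows):
        print(f"no user known for {ip}")


if __name__ == "__main__":
    main()
```

Run it against real output saved from the CLI; if a user who is logged on from two machines shows up with only one IP here while the User-ID Agent shows both, the mapping is being lost on the firewall side rather than in eDirectory.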
OK, I played around with the timeout settings of the agentless service on the device but had no success. The device still sees only one IP address from eDirectory.
For testing I have installed the User-ID Agent on one of my clients, which is then able to see both IP addresses; the device is also able to see both IPs if I add the agent to the device.
I guess that there is a bug in the implementation of the agentless service on the device, so that it only retrieves one IP from eDirectory.