USER ID Issues

Not applicable

Hi All,

My name is Paul Mathew and I am working as a Network Engineer at American School of Dubai, in UAE. Our environment is 99% Mac and iOS devices, and some of you are aware of the Mobile Account concept on Mac. Let me explain it briefly. A mobile account means that when we log in to a Mac machine as a network user we create the mobile account, so that the user can log in to the device even when the network is unavailable; it acts like a local account. On our campus we have Aruba wireless infrastructure, and for students and staff the WiFi authentication is 802.1X using Windows RADIUS. Because of this setup there is no network connectivity when they log in to the machines. Since we create the mobile account they are able to log in to the machine even though the network is unavailable, and therefore there is no authentication happening in AD (Active Directory). Since there is no authentication we cannot resolve the source user on the PAN, and we don't have any Exchange server as everything is on Google. Is there any chance we can get the source user details from the RADIUS server, since all the users get authenticated against RADIUS for 802.1X? Please help us to solve this issue other than with Captive Portal.

Regards.

Paul Mathew.


L5 Sessionator

Following are the available User-ID methods:

  1. AD - Active Directory: X
  2. CP - Captive Portal: X
  3. EDIR - eDirectory: X
  4. GP - GlobalProtect: X
  5. NTLM - NTLM: X
  6. SSL/VPN - SSL VPN: X
  7. UIA - User-ID Agent: X
  8. XMLAPI - XML API: ?

The following doc talks about RADIUS (Cisco ACS) and User-ID integration in environments using 802.1X devices and wireless access points and controllers.

A script can be configured to run on the Syslog server that will extract the user and IP information from the message, format it correctly for the UID-API, and then send it to the API agent.

UserID API integration using Syslog

-Ameya
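The syslog-to-User-ID path Ameya describes, as an added example that is not from the thread or from Palo Alto Networks: a small Python script that extracts user and IP from RADIUS accounting syslog lines and builds the PAN-OS User-ID XML API `uid-message` document. The syslog lines, their key=value layout and the `asd\` domain prefix are constructed assumptions; a real RADIUS server's log format will differ and the regex must be adapted.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample RADIUS accounting syslog lines (not a real ACS/Aruba format).
SAMPLE_SYSLOG = [
    '<134>Jan 10 09:12:33 radius1 radiusd: Acct-Status-Type=Start User-Name=asd\\pmathew Framed-IP-Address=10.20.30.41',
    '<134>Jan 10 09:12:34 radius1 radiusd: Acct-Status-Type=Start User-Name=asd\\student1 Framed-IP-Address=10.20.30.42',
    '<134>Jan 10 09:12:35 radius1 radiusd: Acct-Status-Type=Stop User-Name=asd\\student1 Framed-IP-Address=10.20.30.42',
    '<134>Jan 10 09:12:36 radius1 radiusd: Acct-Status-Type=Start User-Name=asd\\nobody Framed-IP-Address=not-an-ip',
]

FIELD_RE = re.compile(r'(Acct-Status-Type|User-Name|Framed-IP-Address)=(\S+)')

def parse_radius_syslog(line):
    """Return ('login'|'logout', user, ip) or None if the line has no usable mapping."""
    fields = dict(FIELD_RE.findall(line))
    user, ip, status = fields.get('User-Name'), fields.get('Framed-IP-Address'), fields.get('Acct-Status-Type')
    if not (user and ip and status):
        return None
    try:
        ipaddress.ip_address(ip)  # drop malformed addresses instead of pushing junk mappings
    except ValueError:
        return None
    if status == 'Start':
        return ('login', user, ip)
    if status == 'Stop':
        return ('logout', user, ip)
    return None  # Interim-Update and anything else carry no state change we need

def events_from_syslog(lines):
    return [ev for ev in (parse_radius_syslog(l) for l in lines) if ev]

def build_uid_message(events, timeout_minutes=60):
    """Build the <uid-message> payload the User-ID XML API expects (version 1.0, type update)."""
    root = ET.Element('uid-message')
    ET.SubElement(root, 'version').text = '1.0'
    ET.SubElement(root, 'type').text = 'update'
    payload = ET.SubElement(root, 'payload')
    login, logout = ET.SubElement(payload, 'login'), ET.SubElement(payload, 'logout')
    for action, user, ip in events:
        entry = ET.SubElement(login if action == 'login' else logout, 'entry', name=user, ip=ip)
        if action == 'login':
            entry.set('timeout', str(timeout_minutes))  # mapping expires if no fresh login arrives
    return ET.tostring(root, encoding='unicode')

def count_entries(xml_text):
    """Return (logins, logouts) in a uid-message, used here to sanity-check the document."""
    root = ET.fromstring(xml_text)
    return len(root.findall('./payload/login/entry')), len(root.findall('./payload/logout/entry'))
```

The resulting document is what gets POSTed to the firewall's (or agent's) XML API endpoint as the `cmd` parameter of a `type=user-id` request, authenticated with an API key; sending is deliberately left out so the script runs offline.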

Thanks for the reply Ameya, will try and let you know.

Not applicable

Hi Ameya,

I tried the XML API and it worked, and now I am able to get all the names resolved on the User-ID Agent. What we did is dump all the logs to a Linux box, and from there it pushes everything to the User-ID Agent. Now the issue is that in the PA we configured User Identification through port TCP 5007, but it's not connecting to the server where the User-ID Agent is installed. Because of this it cannot resolve the source users in the PA. I hope somebody can help me on this.

Regards

Paul Mathew

You mean no firewall, no anti-virus or anything like that on the agent PC, and still a connection problem?

What is your PAN-OS version?

Try to change 5007 on both sides and see what is going on.

Not applicable

The firewall is off on the agent server and both are using TCP port 5007. We changed the port on either end, same result.

The firewall uses the Management interface to connect to the Agent Server by default.

Can you reach the Agent server from the firewall?

>ping host <IP of the Agent srvr>

Check if the Agent is listening on the port configured.

>netstat -an | findstr "5007"

-Ameya

Not applicable

We figured out the issue: we needed to add the Palo Alto to the Access Control List to push the user names to the PA. I really appreciate your help on this. Thanks a lot.

Paul Mathew

Hi Paul,

What do you mean by ACL to push the username to the PA? Mind explaining briefly? So you are using the XML API for user-IP mapping, right?

I decipher: "They opened up the ACL (policy) on their intermediate FW to allow uninterrupted access for the PA's IP address."

-Ameya

L3 Networker

If I understand correctly, the messages will be sent to the User-ID agent running on the domain controllers? How would this work in an environment where there are about 50 User-ID agents installed, 3 collectors and 1 RADIUS server?

Will the script send the information to all User-ID agents?

I am thinking that sending from the RADIUS logs directly to the firewalls would be a better solution in this case? I don't know if this is possible? Does anybody else have a similar situation?
