USER ID Issues

Not applicable


Hi All,

My name is Paul Mathew and I am working as a Network Engineer at the American School of Dubai, in the UAE. Our environment is 99% Mac and iOS devices, and some of you may be aware of the Mobile Account concept on Mac. Let me explain it briefly. A mobile account means that when we log in to a Mac machine as a network user, we create the mobile account so that the user can log in to the device even when the network is unavailable; it acts like a local account. On our campus we have an Aruba wireless infrastructure, and for students and staff the WiFi authentication is 802.1X using Windows RADIUS. Because of this setup there is no network connectivity when they log in to the machines. Since we create the mobile account they are able to log in to the machine even though the network is unavailable, and therefore there is no authentication happening in AD (Active Directory). Since there is no authentication we cannot resolve the source user on the PAN, and we don't have any Exchange server, as everything is on Google. Is there any chance we can get the source user details from the RADIUS server, since all the users get authenticated against RADIUS for 802.1X? Please help us solve this issue other than with Captive Portal.

Regards.

Paul Mathew.




All Replies
L5 Sessionator

Following are the available User-ID methods:

  1. AD       Active Directory   - X
  2. CP       Captive Portal     - X
  3. EDIR     eDirectory         - X
  4. GP       GlobalProtect      - X
  5. NTLM     NTLM               - X
  6. SSL/VPN  SSL VPN            - X
  7. UIA      User-ID Agent      - X
  8. XMLAPI   XML API            - ?

The following document talks about RADIUS (Cisco ACS) and User-ID integration in environments using 802.1X devices and wireless access points and controllers.

A script can be configured to run on the syslog server that extracts the user and IP information from the message, formats it correctly for the User-ID API, and sends it to the API agent.

UserID API integration using Syslog

-Ameya
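The syslog-to-XML-API step described above, as an added example that is not part of the original thread or of Palo Alto Networks' own scripts. It parses RADIUS accounting lines (the line format and user names are constructed for illustration; a real Cisco ACS or NPS export will differ and the regex must be adapted), turns Start records into User-ID login entries and Stop records into logout entries, and builds `<uid-message>` payloads in the documented PAN-OS User-ID XML API format. Machine (host/) accounts are skipped, and consecutive Start/Stop events are kept in order so a user's Stop is never delivered before their Start. The `send_to_firewall` function posts to the firewall's XML API; the URL and key are placeholders you must supply.

```python
"""RADIUS accounting syslog -> PAN-OS User-ID XML API messages (added example)."""
import ipaddress
import itertools
import re
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample syslog lines for this example (not real logs).
# Acct-Status-Type=Start means the user came online, Stop means they left.
SAMPLE_SYSLOG = """\
<134>Nov  7 10:15:01 radius1 Accounting-Request: User-Name="ASD\\jdoe" Framed-IP-Address=10.20.30.40 Acct-Status-Type=Start
<134>Nov  7 10:16:12 radius1 Accounting-Request: User-Name="ASD\\asmith" Framed-IP-Address=10.20.30.41 Acct-Status-Type=Start
<134>Nov  7 10:17:55 radius1 Accounting-Request: User-Name="ASD\\jdoe" Framed-IP-Address=10.20.30.40 Acct-Status-Type=Stop
<134>Nov  7 10:18:00 radius1 Accounting-Request: User-Name="host/mac01.asd.local" Framed-IP-Address=10.20.30.42 Acct-Status-Type=Start
<134>Nov  7 10:18:30 radius1 Access-Accept: User-Name="ASD\\bob"
"""

# Regex for the constructed format above; adapt the field names to your RADIUS server.
LINE_RE = re.compile(
    r'Accounting-Request: User-Name="(?P<user>[^"]+)" '
    r'Framed-IP-Address=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) '
    r'Acct-Status-Type=(?P<status>Start|Stop|Interim-Update)'
)


def parse_events(text):
    """Return [(action, user, ip)] in log order, action being 'login' or 'logout'."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # Access-Accept and friends carry no IP: nothing to map
        user, ip, status = m.group("user"), m.group("ip"), m.group("status")
        if user.startswith("host/"):
            continue  # machine authentication, not a person
        try:
            ipaddress.ip_address(ip)  # reject garbage like 999.1.1.1
        except ValueError:
            continue
        events.append(("logout" if status == "Stop" else "login", user, ip))
    return events


def build_uid_messages(events, timeout_minutes=60):
    """Build one <uid-message> per run of consecutive same-action events.

    Splitting on action changes preserves ordering: a Start followed by a Stop
    for the same user/IP becomes a login message and then a logout message,
    instead of both landing in one payload. timeout is in minutes, per the
    User-ID XML API.
    """
    messages = []
    for action, group in itertools.groupby(events, key=lambda e: e[0]):
        root = ET.Element("uid-message")
        ET.SubElement(root, "version").text = "1.0"
        ET.SubElement(root, "type").text = "update"
        payload = ET.SubElement(root, "payload")
        section = ET.SubElement(payload, action)
        for _, user, ip in group:
            if action == "login":
                ET.SubElement(section, "entry", name=user, ip=ip,
                              timeout=str(timeout_minutes))
            else:
                ET.SubElement(section, "entry", name=user, ip=ip)
        messages.append(ET.tostring(root, encoding="unicode"))
    return messages


def send_to_firewall(xml_message, api_url, api_key):
    """POST a uid-message to the PAN-OS XML API (type=user-id).

    api_url is e.g. https://<firewall>/api/ and api_key a PAN-OS API key;
    both are placeholders here. Returns the raw XML response body.
    """
    data = urllib.parse.urlencode(
        {"type": "user-id", "key": api_key, "cmd": xml_message}).encode()
    req = urllib.request.Request(api_url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    for msg in build_uid_messages(parse_events(SAMPLE_SYSLOG)):
        print(msg)
```

One caveat: the `name` attribute must match the form the firewall uses for group mapping (usually `DOMAIN\user`); if your RADIUS server logs UPNs or bare usernames, normalize them before building the message, and run the script under a read-only API role rather than an admin key.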

Not applicable

Thanks for the reply, Ameya. I will try it and let you know.

Not applicable

Hi Ameya,

I tried the XML API and it worked, and now I am able to get all the names resolved on the User-ID Agent. What we did is dump all the logs to a Linux box, and from there it pushes everything to the User-ID Agent. Now the issue is that in the PA we configured the User Identification through port TCP 5007, but it's not connecting to the server where the User-ID Agent is installed. Because of this it cannot resolve the source users in the PA. I hope somebody can help me with this.

Regards

Paul Mathew

L6 Presenter

You mean there is no firewall, no anti-virus or anything like that on the agent PC, and still a connection problem?

What is your PAN-OS version?

Try changing 5007 on both sides and see what happens.

Not applicable

The firewall is off on the agent server and both sides are using TCP port 5007. We changed the port on both ends, with the same result.

L5 Sessionator

The firewall uses the Management interface to connect to the Agent server by default.

Can you reach the Agent server from the firewall?

>ping host <IP of the Agent srvr>

Check if the Agent is listening on the port configured.

>netstat -an | findstr "5007"

-Ameya
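The two checks above (is the agent listening, and can the firewall reach it) leave one ambiguity that this thread eventually ran into: a connection that fails because nothing listens on 5007 looks different on the wire from one that fails because an intermediate firewall ACL silently drops the SYN. The following added example (not from the original thread or from Palo Alto Networks) is a small probe that distinguishes the two by classifying the TCP failure. Run it from a host on the same path the firewall's management interface takes to the agent, or on the agent host itself against 127.0.0.1 to confirm the listener. The host and port are parameters; 5007 is just the default discussed above, and the dummy listener stands in for the agent so the probe can be exercised offline.

```python
"""Classify why a TCP connection to the User-ID agent port fails (added example)."""
import socket

AGENT_PORT = 5007  # default User-ID agent port used in the thread


def probe_tcp(host, port, timeout=3.0):
    """Return 'open', 'closed', 'filtered' or 'unreachable' for host:port.

    'closed'      a RST came back: the host is reachable but nothing listens
                  there (agent service stopped, or bound to a different port).
    'filtered'    no answer within the timeout: an intermediate ACL or a host
                  firewall is dropping the SYN, which is what an "access list"
                  problem between firewall and agent looks like.
    'unreachable' the OS refused to even try (no route, ICMP unreachable).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"
    finally:
        s.close()


def diagnose(host, port=AGENT_PORT, timeout=3.0):
    """Probe and return (state, next step to check), matching the thread's checklist."""
    hints = {
        "open": "TCP path is fine; check the agent's allowed-device list and the "
                "firewall's User-ID agent config (IP, port, collector name/key).",
        "closed": "Host reached but port not listening: confirm the agent service "
                  "is running and the port matches (netstat -an | findstr 5007).",
        "filtered": "SYN dropped in transit: check ACLs/policies on any firewall "
                    "between the PA management interface and the agent host.",
        "unreachable": "No route from this host: check the management interface's "
                       "route to the agent subnet.",
    }
    state = probe_tcp(host, port, timeout)
    return state, hints[state]


def start_dummy_listener(host="127.0.0.1", port=0):
    """Bind a throwaway listener standing in for the agent; return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))  # port 0 lets the OS pick a free one
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    state, hint = diagnose(target)
    print(f"{target}:{AGENT_PORT} -> {state}: {hint}")
```

A 'filtered' result from the firewall's side combined with 'open' from the agent host itself is the signature of the ACL problem that turned out to be the cause in this thread.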

Not applicable

We figured out the issue: we needed to add the Palo Alto to the Access Control List to push the user names to the PA. I really appreciate your help on this. Thanks a lot.

Paul Mathew


L1 Bithead

Hi Paul,

What do you mean by an ACL to push the username to the PA? Mind explaining briefly? So you are using the XML API for user-IP mapping, right?

L5 Sessionator

I decipher it as: "They opened up the ACL (policy) on their intermediate FW to allow uninterrupted access for the PA's IP address."

-Ameya
