12-04-2017 06:15 AM - edited 12-04-2017 06:16 AM
Hello. We have this kind of problem. This user has allowed privilege to visit this category and the other one, but PA very frequently identifies it by IP, not the username (with User-ID). We use agentless client for mapping between PA and our AD.
The problem happens very often with a small number of users (for example exactly with this one). Maybe some of you have already faced this?
Thanks in advance.
12-04-2017 06:21 AM
Could you send a screenshot of your User Mapping settings, specifically what your User Identification Timeout is set to? The biggest cause for this type of issue is improper Log Monitor Frequency or having the User Identification Timeout set too low to actually keep the user mapped to the IP.
12-04-2017 07:48 AM
BPry,
You think that I should set this timeout higher than 45 minutes?
12-04-2017 07:51 AM
Most definitely this is what's causing your issue. If the user does not generate an authentication event on the server within the 45-minute time period you are losing the mapping. Most office workers, especially on Windows, will not be generating any events on the AD server for the agent to read within a 45-minute time period.
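The age-out behaviour described in the reply above, as an added example that is not part of the thread and not Palo Alto code: a simplified model in which each authentication event restarts the User Identification Timeout, used to measure how long one user would be matched by IP only. The event times, the 17:00 end of day and all function names are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

def unmapped_windows(events, timeout_min, day_end):
    """Return (start, end) windows with no IP-to-user mapping.

    Assumed model: every authentication event read by the agent restarts a
    timer of timeout_min minutes; the mapping is dropped when it expires.
    """
    timeout = timedelta(minutes=timeout_min)
    gaps, expiry = [], None
    for ts in sorted(events):
        if expiry is not None and ts > expiry:
            gaps.append((expiry, ts))      # mapping aged out before this event
        expiry = ts + timeout
    if expiry is not None and expiry < day_end:
        gaps.append((expiry, day_end))     # aged out before the user went home
    return gaps

def unmapped_minutes(events, timeout_min, day_end):
    """Total minutes in which traffic would be matched by IP only."""
    return sum(int((end - start).total_seconds() // 60)
               for start, end in unmapped_windows(events, timeout_min, day_end))

# Constructed sample: one office worker, three events on the domain controller.
DAY = datetime(2017, 12, 4)
SAMPLE_EVENTS = [DAY.replace(hour=8, minute=0),    # morning logon
                 DAY.replace(hour=12, minute=30),  # unlock after lunch
                 DAY.replace(hour=15, minute=10)]  # file share access
DAY_END = DAY.replace(hour=17, minute=0)

def sample_report():
    """Unmapped minutes for the 45, 180 and 480 minute timeouts."""
    return {t: unmapped_minutes(SAMPLE_EVENTS, t, DAY_END) for t in (45, 180, 480)}

if __name__ == "__main__":
    for timeout, minutes in sample_report().items():
        print(f"timeout {timeout:>3} min -> {minutes} min without a user mapping")
```

Feeding it real event timestamps exported from the domain controller security log shows which timeout closes the gaps for a given user before the setting is changed on the firewall.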
12-04-2017 08:26 AM
I changed this time to 3 hours. Right now this problem happens with only one user. Hope this is going to help me.
Thank you.
12-05-2017 03:24 AM
Sorry for hijacking this thread, but I have been looking for a recommendation when it comes to user-id timeout value. We have a few thousand users logging in and out of Citrix throughout the day, but others work only locally on their laptops. We have user-id agents on all domain controllers and TS agents on all Citrix servers. In addition we have loads of users with BYOD devices on a wireless network where we get IP-user-mappings from the wireless controllers (Syslog events).
12-05-2017 05:49 AM
The timeout value really depends on the environment. In an active environment where people will be generating logging events throughout the day, such as Citrix, the time can be set relatively low. When employees are working on one machine throughout the day I would generally set the timeout to equal your average work period, for example 480 mins for a total of an 8 hour ageout period.
The only thing to really remember is that setting a higher ageout period could cause users to maintain the last user mapping longer than intended. In the majority of rulebases this wouldn't really be a big concern, but that would be dependent on what your configuration actually looks like.
12-06-2017 04:23 AM
Thanks @BPry
My worry is that by setting the timeout value low to keep user-id from Citrix updated we risk timing out users working on thick clients that do not generate security log events frequently. Would adding our Exchange servers to the userid agents help with that? Our desktop/laptop users generally have Outlook open all the time.
12-06-2017 05:51 AM
What do you currently have your ageout value set to? You generally would not want to get any info from your Exchange servers.
12-06-2017 06:02 AM
You really shouldn't have any issues raising this value, the Citrix information should stay up-to-date and your thick clients will maintain their user-id information.
12-06-2017 06:53 AM
I would recommend adding Exchange as another source for User-ID mapping. Users may only log in to the domain once in a day, but they check e-mail many times throughout the day. Each time they open/use Outlook is another opportunity to refresh their user-to-ipaddress mapping. With User-ID, more sources is a good thing(tm).
Also, what's your DHCP lease set to? A good starting point for your user mapping timeout value is 1/2 the DHCP lease time.
12-08-2017 06:05 AM
For employee clients we use 8 days as DHCP lease time, so 4 days user-ID timeout would perhaps be a bit excessive 🙂 But thanks for all the input, I'll probably increase the timeout to 4 hours as a start.
What do others think about adding Exchange servers to the user-ID agents?
12-08-2017 11:19 AM
A max timeout for user IP mapping is 24hrs so you don't need to worry about anything beyond that.