Hello. We have the following problem. This user is allowed to visit this category and the other one, but PA very frequently identifies it by IP, not by username (with User-ID). We use the agentless client for mapping between PA and our AD.
The problem happens very often with a small number of users (for example, exactly with this one). Maybe some of you have already faced this?
Thanks in advance.
Could you send a screenshot of your User Mapping settings, specifically what your User Identification Timeout is set to? The biggest cause for this type of issue is an improper Log Monitor Frequency or having the User Identification Timeout set too low to actually keep the user mapped to the IP.
Most definitely this is what's causing your issue. If the user does not generate an authentication event on the server within the 45 minute time period, you are losing the mapping. Most office workers, especially on Windows, will not be generating any events on the AD server for the agent to read within a 45 minute time period.
Sorry for hijacking this thread, but I have been looking for a recommendation when it comes to the User-ID timeout value. We have a few thousand users logging in and out of Citrix throughout the day, but others work only locally on their laptops. We have User-ID agents on all domain controllers and TS agents on all Citrix servers. In addition we have loads of users with BYOD devices on a wireless network where we get IP-to-user mappings from the wireless controllers (syslog events).
The timeout value really depends on the environment. In an active environment where people will be generating logging events throughout the day, such as Citrix, the time can be set relatively low. When employees are working on one machine throughout the day, I would generally set the timeout to equal your average work period, for example 480 mins for a total of an 8 hour ageout period.
The only thing to really remember is that setting a higher ageout period could cause users to maintain the last user mapping longer than intended. In the majority of rulebases this wouldn't really be a big concern, but that would be dependent on what your configuration actually looks like.
My worry is that by setting the timeout value low to keep User-ID from Citrix updated, we risk timing out users working on thick clients that do not generate security log events frequently. Would adding our Exchange servers to the User-ID agents help with that? Our desktop/laptop users generally have Outlook open all the time.
I would recommend adding Exchange as another source for User-ID mapping. Users may only log in to the domain once in a day, but they check e-mail many times throughout the day. Each time they open/use Outlook is another opportunity to refresh their user-to-IP-address mapping. With User-ID, more sources is a good thing(tm).
Also, what's your DHCP lease set to? A good starting point for your user mapping timeout value is 1/2 the DHCP lease time.
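To make the trade-offs in the replies above concrete, here is a small simulation of how a User-ID style IP-to-user cache ages out, as an added example that is not part of the original thread and not PAN-OS code. It assumes a simplified model: each IP keeps only the most recent (user, time) seen from any source, and a lookup succeeds only while that entry is younger than the configured timeout. The users, IPs, event times and the 30 minute Outlook-to-Exchange cadence are constructed sample data, and the "half the DHCP lease" rule is the one stated in the reply above.

```python
"""Simulation of User-ID IP-to-user mapping ageout.

Added illustrative example: this is NOT PAN-OS code and the model is deliberately
minimal (one entry per IP, newest event wins, hard ageout at the timeout).
All events below are constructed sample data, not real logs.
Times are expressed as minutes since midnight.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class MappingEvent:
    minute: int    # when the source reported the mapping
    source: str    # "ad" (security log), "exchange", "syslog" (wireless controller)
    ip: str
    user: str


class UserIdCache:
    """Keeps the most recent user seen on each IP; lookups fail once the entry ages out."""

    def __init__(self, timeout_minutes: int) -> None:
        self.timeout = timeout_minutes
        self.entries: dict[str, tuple[str, int]] = {}

    def learn(self, ev: MappingEvent) -> None:
        # A newer event from any source refreshes the mapping and its timestamp.
        self.entries[ev.ip] = (ev.user, ev.minute)

    def lookup(self, ip: str, now: int) -> Optional[str]:
        entry = self.entries.get(ip)
        if entry is None:
            return None
        user, seen = entry
        if now - seen >= self.timeout:
            return None            # aged out: traffic from this IP is now "unknown user"
        return user


def replay(events: list[MappingEvent], timeout: int, ip: str, query_minute: int) -> Optional[str]:
    """Feed all events up to query_minute into a fresh cache and look up one IP."""
    cache = UserIdCache(timeout)
    for ev in sorted(events, key=lambda e: e.minute):
        if ev.minute <= query_minute:
            cache.learn(ev)
    return cache.lookup(ip, query_minute)


def sample_events() -> list[MappingEvent]:
    """Constructed sample data (hypothetical users and addresses)."""
    evs = [MappingEvent(480, "ad", "10.1.1.50", "alice")]            # 08:00 domain logon, then silence from AD
    evs += [MappingEvent(m, "exchange", "10.1.1.50", "alice")         # Outlook touching Exchange every 30 min
            for m in range(510, 1021, 30)]
    evs.append(MappingEvent(540, "syslog", "10.2.2.20", "bob"))       # 09:00 BYOD join seen via wireless controller
    return evs


ALL_SOURCES = sample_events()
AD_ONLY = [e for e in ALL_SOURCES if e.source != "exchange"]


def thick_client_user_at(minute: int, timeout: int, with_exchange: bool) -> Optional[str]:
    """Who does the cache say is on alice's desktop at a given minute?"""
    return replay(ALL_SOURCES if with_exchange else AD_ONLY, timeout, "10.1.1.50", minute)


def byod_ip_user_at(minute: int, timeout: int) -> Optional[str]:
    """Who does the cache say is on the BYOD address, with no event after bob's 09:00 join?"""
    return replay(ALL_SOURCES, timeout, "10.2.2.20", minute)


def recommended_timeout(dhcp_lease_minutes: int) -> int:
    """Starting point from the thread: half the DHCP lease time."""
    return dhcp_lease_minutes // 2


if __name__ == "__main__":
    # Thick client, AD events only: a 45 min timeout drops alice by 09:00, 480 min keeps her all day.
    print("09:00, 45 min, AD only  ->", thick_client_user_at(540, 45, False))
    print("15:00, 480 min, AD only ->", thick_client_user_at(900, 480, False))
    # Adding Exchange as a source keeps even the 45 min timeout refreshed.
    print("15:00, 45 min, +Exchange ->", thick_client_user_at(900, 45, True))
    # BYOD: bob's lease (60 min) could have handed 10.2.2.20 to someone else by 10:30.
    print("10:30, 480 min, BYOD IP ->", byod_ip_user_at(630, 480))                      # stale: still "bob"
    print("10:30, lease/2, BYOD IP ->", byod_ip_user_at(630, recommended_timeout(60)))   # aged out: None
```

The two failure modes the thread describes fall out directly: a long timeout fixes the thick-client user who only touches AD at logon, but on the DHCP-heavy wireless segment the same long timeout keeps attributing an address to the last user seen on it even after the lease could have moved it to another device. Adding a chatty source such as Exchange is what lets the timeout stay short without losing the desktop users.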