User ID: Problems since updating PANOS and User ID Agent


L3 Networker

About a month ago, I upgraded PAN-OS on our main PA-3050 HA cluster from 7.0.8 to 7.1.8.  This also required an update of the User ID Agent I had installed on a Windows 2012 R2 server from a 6.0.x version to a 7.0.x version; I upgraded to version 7.0.7-13.

 

I've started to receive reports that some individuals are seeing the captive portal and a request for authentication when visiting websites on the Internet several times a day.  I actually experienced this myself for the first time today.  Other than the upgrades, no other User ID configuration changes have been made and my behavior using my work computer wasn't really any different than any other day.

 

I checked the PAN firewall connection to the User ID Agent and it was fine.  I also have the PAN firewalls configured to connect to domain controllers and Exchange servers at a remote site using the built-in Server Monitoring and all of those are reporting as Connected as well.

 

Is anyone else having a similar issue or can anyone help me troubleshoot this issue?

6 REPLIES

L4 Transporter

Is it possible you don't have all of the AD servers defined in the UID agent?

--
CCNA Security, PCNSE7

I have 100% of AD DS servers and Exchange servers added in either the User ID agent or the agentless connection from the firewalls themselves.

Was it working for a while and then went to the portal? It may be that the association timed out and a WMI probe or a security-related event didn't occur within that timeout time frame.

--
CCNA Security, PCNSE7

Yes, it works for a while and then the captive portal appears.  I understand about the security event in the AD security logs, but what I don't understand is why it suddenly started happening to people more frequently than it used to.  We haven't made any PAN-related User ID configuration changes in PAN-OS or on the User ID agent, nor have we made any significant changes to our workstations that would possibly explain why timeouts occur faster or why authentication events aren't appearing in AD as frequently as they used to.

 

Also, here are our various User ID settings related to repeating processes and timeouts:

 

  • Enable Security Log: <enabled>
  • Server Log Monitor Frequency: 2 sec.
  • Enable Session: <disabled>
  • Enable Probing: <disabled>
  • Enable User Identification Timeout: <enabled>
  • User Identification Timeout: 30 min.
  • Enable NTLM: <disabled>
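
An added example, not part of the original thread and not Palo Alto Networks code: a simplified model of the timeout behaviour discussed above, which takes the times at which security-log events were seen for one workstation and returns the windows in which no mapping would exist and the captive portal would appear. It assumes every event resets the timer to the full 30 minutes and that, with probing and session monitoring disabled as in the settings listed, nothing else refreshes the mapping; the function names and the sample times are constructed for illustration.

```python
from datetime import datetime, timedelta

# "User Identification Timeout: 30 min." from the settings in the post.
TIMEOUT = timedelta(minutes=30)

# Constructed sample: times at which a security-log event tying one user
# to one workstation IP was read. Not data from the thread.
SAMPLE_EVENTS = ["08:02", "08:20", "08:45", "09:40", "09:55", "11:10"]


def parse(hhmm, day="2017-01-01"):
    """Turn an HH:MM string into a datetime on a fixed (constructed) day."""
    return datetime.strptime(f"{day} {hhmm}", "%Y-%m-%d %H:%M")


def unmapped_windows(event_times, timeout=TIMEOUT, end=None):
    """Return (start, stop) intervals in which the mapping has expired.

    Assumed model: each event (re)creates the mapping and resets the timer
    to the full timeout; no probe or session event refreshes it. Time before
    the first event is not reported. If `end` is given, an expiry that is
    still open at `end` is reported as a final window.
    """
    gaps = []
    expires = None
    for t in sorted(event_times):
        if expires is not None and t > expires:
            gaps.append((expires, t))      # mapping lapsed until this event
        expires = t + timeout
    if end is not None and expires is not None and end > expires:
        gaps.append((expires, end))
    return gaps


def report(labels, end_label=None):
    """Format the windows for a list of HH:MM strings as readable text."""
    end = parse(end_label) if end_label else None
    windows = unmapped_windows([parse(x) for x in labels], end=end)
    return [f"{a:%H:%M}-{b:%H:%M} ({int((b - a).total_seconds() // 60)} min)"
            for a, b in windows]


if __name__ == "__main__":
    for line in report(SAMPLE_EVENTS, end_label="12:00"):
        print("no mapping, portal expected:", line)
```

Comparing windows computed from real event timestamps with the times users report seeing the portal shows whether the prompts follow from event gaps longer than the timeout or from something else.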

I upgraded from 7.0.13 to 7.1.7 and I have tons of problems with USERID on the 7.1.x code. I had two tickets open and they opened two bugs for me. One of the problems was the useridd was crashing every several minutes. This was causing me all kinds of problems with userid including portal problems. They claimed my bugs were fixed in 7.1.9, but I'm sticking on the 7.0.x code for now.

-Brad

L1 Bithead

After updating firewalls and panorama to version 10.1.6-h6 the captive portal requires authentication at all times.
I don't know how the problem is related to the user agent version since it hasn't been changed.
Also after the version implementation it seems that there is now a token and we are no longer able to open the captive portal page via the URL.
