User ID WiFi and LAN

L3 Networker


Hello

Our organisation does not use 802.1x authentication in our environment. We have LAN and WiFi for our employees. We want to implement User-ID with PA with AD domains and the User-ID Agent. However, I could not find documentation on User-ID behaviour in the following scenario:

Our users have laptops, and they use the LAN when the laptops are docked into docking stations. But when a user removes a laptop from the docking station, he is immediately connected to WiFi and gets another IP. Again, when he comes back to his place, he will be connected via LAN.

Is there any documentation on how such a situation is handled by User-ID, and what are the best practices in such a scenario?

Thanks and Regards,

R

L5 Sessionator

Hi rjdahav163,

In this case, maybe you should have a look at deploying GP on all laptops and use GP on both the external and internal gateway with transparent authentication.

Switching from wired to WiFi auth is really fast.

Ref:

https://www.paloaltonetworks.com/documentation/60/globalprotect/global_protect_6-0/globalprotect-qui...

Hope this helps.

Cyber Elite

@rjdahav163,

The computer already has an IP and a mapping on your wireless network, but the binding order makes it so that they are using the ethernet connection instead of the wireless connection. The mapping will simply have two IP addresses listed for that user. For example, if my laptop is docked I'm mapped to, say, 10.*.*.*, but my wireless connection is listed as 172.16.*.*; then the firewall will show my user-id mapping to both 10.191.16.17 and 172.16.1.2 at the same time. Once my laptop is undocked, I simply see the user's traffic move the source address to 172.16.1.2, but the mapping doesn't really change.
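To make the behaviour described in this reply concrete, here is an added Python model of a firewall-side User-ID table (it is not code from the thread or from Palo Alto Networks). It keeps one entry per IP address, so a single user legitimately owns two live entries while docked; undocking only changes which source address the traffic uses. The 45-minute entry lifetime, the usernames and the timestamps are assumptions; the two addresses are the ones quoted above. It also shows the two caveats a practitioner watches for: an entry that is never refreshed ages out, and a DHCP lease handed to another user's laptop overrides the old attribution for that IP.

```python
"""Constructed model of a User-ID IP-to-user mapping table (dock/undock case)."""
from dataclasses import dataclass
import ipaddress

# Assumed default mapping lifetime in seconds; refreshed on each new login event.
DEFAULT_TIMEOUT = 45 * 60


@dataclass
class Mapping:
    user: str
    learned_at: float   # time the agent/gateway reported the login
    timeout: float      # seconds after which the entry expires


class UserIdTable:
    """IP -> user table. One user may own several live IPs at once."""

    def __init__(self):
        self._by_ip = {}

    def learn(self, ip, user, now, timeout=DEFAULT_TIMEOUT):
        # Normalise the address; a newer login event for the same IP replaces
        # the old entry (e.g. DHCP handed the lease to someone else).
        key = str(ipaddress.ip_address(ip))
        self._by_ip[key] = Mapping(user, now, timeout)

    def user_for(self, ip, now):
        """Resolve the user behind a flow's source IP; None if unknown or expired."""
        key = str(ipaddress.ip_address(ip))
        m = self._by_ip.get(key)
        if m is None:
            return None
        if now - m.learned_at > m.timeout:
            del self._by_ip[key]       # lazy expiry of an idle entry
            return None
        return m.user

    def ips_for(self, user, now):
        """All live addresses currently attributed to a user, sorted."""
        return sorted(ip for ip in list(self._by_ip)
                      if self.user_for(ip, now) == user)


def simulate_dock_undock():
    """Walk through the scenario from the thread and return what the table sees."""
    table = UserIdTable()
    alice = "CORP\\alice"                          # constructed username
    wired, wifi = "10.191.16.17", "172.16.1.2"     # addresses quoted in the post

    # t=0: laptop docked; both adapters are up, so both logins are reported.
    table.learn(wired, alice, now=0)
    table.learn(wifi, alice, now=0)
    docked = table.ips_for(alice, now=60)

    # t=600: undocked. Traffic moves to the WiFi source address, and the
    # table still resolves it; nothing in the table itself changed.
    undocked_user = table.user_for(wifi, now=600)
    still_both = table.ips_for(alice, now=600)

    # The WiFi login is refreshed at t=3000 (a new logon event); the wired
    # entry was never refreshed after undocking, so by t=4000 it has aged out.
    table.learn(wifi, alice, now=3000)
    aged = table.ips_for(alice, now=4000)

    # Later DHCP hands the old wired address to another user's laptop; that
    # login overrides the stale attribution for the IP.
    table.learn(wired, "CORP\\bob", now=4100)      # constructed username
    reassigned = table.user_for(wired, now=4200)

    return {
        "docked": docked,
        "undocked_user": undocked_user,
        "still_both": still_both,
        "aged": aged,
        "reassigned": reassigned,
    }


if __name__ == "__main__":
    for step, value in simulate_dock_undock().items():
        print(f"{step}: {value}")
```

The design point is that the table is keyed by IP, not by user: policy evaluation asks "who is behind this source address?", so both entries answering "alice" is the normal state while docked, and the only thing that matters after undocking is that the WiFi entry keeps being refreshed before it times out.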

L3 Networker

Thanks VinceM for your reply. So if I understand correctly, when the internal network is detected, GP will not initiate a VPN, right, but will only send the IP-to-username association to the FW?

L3 Networker

Thanks BPry for your reply. Your solution looks good. Will try it out and post feedback.

L1 Bithead

I agree with BPry's solution; we currently have a similar setup in our environment and it works just fine between LAN/WLAN.

L5 Sessionator

Correct, internally, just use GP on the internal gateway for user authentication. No tunnel, just authentication.

And if you want to go further, you can, in future, use HIP to give access to dedicated resources :-)

Regards

V.
