06-06-2017 07:26 AM
Hello
Our organisation does not use 802.1x authentication in our environment. We have LAN and WiFi for our employees. We want to implement User-ID with PA with AD domains and the User-ID Agent. However, I could not find documentation on User-ID behaviour in the following scenario:
Our users have laptops, and they use the LAN when the laptops are docked into docking stations. But when a user removes a laptop from the docking station, he is immediately connected to WiFi and gets another IP. When he comes back to his place, he will again be connected to the LAN.
Is there any documentation on how such a situation is handled by User-ID, and what are the best practices in such a scenario?
Thanks and Regards,
R
06-06-2017 07:41 AM
Hi rjdahav163,
In this case, maybe you should have a look at deploying GP on all laptops and using GP on both the external and internal gateways with transparent authentication.
Switching from wired to WiFi auth is really fast.
Ref:
Hope this helps
06-06-2017 07:56 AM
The computer already has an IP and a mapping on your wireless network, but the binding order makes it so that they are using the ethernet connection instead of the wireless connection. The mapping will simply have two IP addresses listed for that user. For example, if my laptop is docked I'm mapped to, say, 10.*.*.*, but my wireless connection is listed as 172.16.*.*; then the firewall will show my User-ID mapping to both 10.191.16.17 and 172.16.1.2 at the same time. Once my laptop is undocked, I simply see the user's traffic move the source address to 172.16.1.2, but the mapping doesn't really change.
06-06-2017 08:10 AM
Thanks VinceM for your reply. So if I understand correctly, when the internal network is detected, GP will not initiate the VPN, right, but only send the IP-username association to the FW?
06-06-2017 08:14 AM
Thanks BPry for your reply. Your solution looks good. Will try it out and post feedback.
06-06-2017 08:26 AM
I agree with BPry's solution; we currently have a similar setup in our environment and it works just fine between LAN/WLAN.
06-06-2017 08:28 AM
Correct, internally, just use GP on the internal gateway for user authentication. No tunnel, just authentication.
And if you want to go further, you can, in the future, use HIP for giving access to dedicated resources 🙂
Rgds
V.