User-ID with 802.1x problems wired and wireless


L1 Bithead

Hi all.

 

We have a PA-820 with 10.1.2 with User-ID Agent on Windows AD running version 10.0.4-r23 and we are using Cisco switches for users. We have 802.1x enabled on ports for users. The problem we have is that the PA doesn't recognise users from 802.1x; instead, sometimes they are recognised as machines (under Monitor->User-ID), and then it won't apply Security policies as it should. The user passes 802.1x authentication as it should, and gets the correct VLAN assigned and the correct IP address.

The same problems are on wired and on wireless. I suspect there is an issue with forwarding correct user from AD to User-ID Agent. I tried clearing test user in User-ID Agent on server, but no change.

 

On AD, in Windows Event Viewer, I can see the user getting authenticated correctly in the Security logs and under the NPS logs.

 

We have Server monitoring turned on and both AD servers are connected. When checking User-ID Agent on the Windows server, the user I connected with is missing. This is an almost new setup and we are not sure if it even worked from day 1.

 

Is there any guide how to troubleshoot? Any idea what could be the reason for problems? 

 

Kind regards

1 REPLY 1

L1 Bithead
 
For now, it looks like I fixed it. We will test it for a while. I had to enable "Enable Server Session read" in User-ID Agent under Server Monitor.

There is still some problem with MAC devices, but this is a problem for another day.

I enabled "Enable Server Session read" although Palo Alto doesn't recommend it.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/map-ip-addresses-to-users/configu...
