This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
User-ID
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- Discussions
- General Topics
- User-ID
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
User-ID
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
11-29-2017 03:14 AM
When enabling user-id where does it check against to get the information to identify the users? I have it turned on for serveral zones and it only seems to work on the VPN user-id's.
42 REPLIES 42
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
12-01-2017 05:40 AM
i have never tried with LDAP but i'm sure its something to do with the PA being only able to read LDAP groups and not LDAP attributes that some LDAP admins use instead of groups.
below is a link explaining this issue and a possible workaround.
it may not help you but at least give you a better understanding of whats going on.
Mick.
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
12-01-2017 06:09 AM
So the PA does do it userid queries only against AD
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
12-01-2017 07:04 AM
Hi @jdprovine
There are many methods to collect User id information: reading Active Directory authentication logs, server sessions (drive maps), API scripts, Captive portal, syslog collection, TerminalServer sessions, GlobalProtect authentication,...
Please check out this article that highlights most of the main ways to collect user identification information and how to set it all up:
Tom Piens
PANgurus - SASE and Strata specialist; (co)managed services, VAR and consultancy
PANgurus - SASE and Strata specialist; (co)managed services, VAR and consultancy
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
12-01-2017 07:09 AM
well i have only briefly browsed the document but my assumptions are as follows.
if your PA identifies its users via authentication, such as your VPN then you can use LDAP groups against those users for policies etc.
the previous link explains how to do this. but...
if your users do not auth via AD then you will not be able to map IP's to users as the LDAP server will not hold a database of user related IP's.
The PA user-id reads the security log on AD as this records users addresses when they use domain services, email, logon etc.
so I would say yes to your previous post.. But.. (again)
the user-AD agent installed seperately has config settings for EDirectory.. as wll as AD.
Mick.
oops! someone has just posted previous to me so may be of better use.
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
12-01-2017 07:11 AM
the document I refer to is the one i posted earlier, not the one from @reaper.
sorry for the confusion....
Related Content
- UserID Agent 11.0 on Windows Server 2022 in General Topics
- Firewall servicing as UserID Client - limit in Next-Generation Firewall Discussions
- Windows UserID agent runs on a separate server in General Topics
- Globalprotect vpn prompting user principal name (upn) instead of domain-name/userid format and not connecting. in General Topics
- LDAP Members in group Issue in General Topics
Like what you see?
Show your appreciation!
Click Like if a post is helpful to you or if you just want to show your support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks