Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

User to IP mapping issues while connecting to WIFI(wireless)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

User to IP mapping issues while connecting to WIFI(wireless)

L4 Transporter

Scenario:

 

User comes to office connects to LAN. The user to IP mapping works correctly.

We allow access to internet based on usernames.

User disconnects the Ethernet cable and goes to different room where he connects with wifi.

However loses internet connection. Because user to IP mapping is still with old LAN IP.

 

What are the best practices to avoid these scenarios?

PCNSE-7, ACE-6,ACE 7 , CCNP, CCNA,CCIE(theory) , RHCE
Firewalldog dot com
12 REPLIES 12

L4 Transporter

Hi Roby,

 

In this situation I would say the best practice is to go with GP for user mapping and use internal host detection. GP will reconnect on the new interface and authenticate.

 

The only other method you can use as a fall back is captive portal and have the user manually authenticate.

 

hope this helps,

Ben

L7 Applicator

If your users authtenticate to wireless using RADIUS or 802.1x you can also forward this authentication messages to the PA for user id mapping using the sys log receiver.  Some common wireless authentication have instructions tested and posted if you search for your brand in the "Topics" area here.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Cyber Elite
Cyber Elite

besides Global Protect and Captive Portal you can also enable probing on the UserID agent which will trigger a probe whenever the firewall detects an IP address that is not known tries to start a new session, and can also be used to actively time-out stale user mappings

 

so in your scenario the probe would remove the wired mapping because the user's laptop won't reply to probes (preventing someone else from hijacking the IP and using the same mapped privileges) and as soon as the laptop sends out the first syn packet (or udp) from the wifi connection, the firewall will not have a mapping and request the userID agent for info, it will not have the IP mapped so will send out a probe to detect the user's information from the laptop.

 

on top of that you can also enable Captive Portal ofcourse 🙂

 

 

please take a look at this article which explains a couple of concepts: Getting Started: User-ID

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

We have disbaled the wmi probing in our network as we have reported sevral logs.

Let me search more on probing.

PCNSE-7, ACE-6,ACE 7 , CCNP, CCNA,CCIE(theory) , RHCE
Firewalldog dot com

Some more clarification on this case:

 

When user first logs in, he is connected via ethernet cable. He gets IP( ethernet) then user ip mapping works correctly.

When user disconnects the cable and connects via wifi, ( like @reaper stated if i enable probing, this will make sure the IP-user mapping on wired connections will be removed).

But how can i make sure the wireless user gets the IP-user mapping correctly . Because user has not logout and login.

Will wifi user get user to ip mapping correctly if we enable probing?

For this captive portal is only solution? ( means when user connects via wifi he has to autneticate via web-form) again?

PCNSE-7, ACE-6,ACE 7 , CCNP, CCNA,CCIE(theory) , RHCE
Firewalldog dot com

Probing would ensure that the correct user mapping is established as long as they are authenticating when they enter the website and that information is forwarded to the PA. You wouldn't necissarly need to do a captive portal solution if you had them authenticate with their domain credentials when they first logged into the wireless. This can be accomplished through a Radius server.

This method of course hinges on the thought that you have an AP that is actually capable of doing authentication without the captive portal; I imagine if you have some cheap home router serving out your wireless then it won't have the ability to authenticate users without a captive portal. 

@Roby_Sreejith

 

I've had this same issue, talked through it here:

 

https://live.paloaltonetworks.com/t5/General-Topics/Dual-NIC-IP-Mapping-Issue/m-p/5936#M4320

 

The issue is a Windows OS problem.  I had a ticket with Microsoft that took over a month to get my answer to.  When not using specific proxy settings IE will not pass login credentials to FQDN URLs as a security feature.  You need to specifically tell the OS to allow credentials to be passed to the FQDN URLs you want.

 

Further, if you are dual connected, there's no gurantee the Windows OS will send traffic down one adapter versus another.  While the wired adapter SHOULD be used before the wireless if you do a 'netstat' you will likely see connections out to the Internet via both adapters.

 

Essentially Windows can't know what's Intranet and Internet, because of this it just assumes anything via FQDN is Internet, hence the need for the bypass.

 

Once that issue is resolved then you can tackle the various remedies Palo has at their disposal for capturing credentials 

 

At my company we've got about 25k domain users with around 12-14k logged in at any given time.  UIA with WMI probing captures around 12k users and CP (With the NTLM challenge / portal redirect) around 400.

 

This seems to work about 99% of the time for us, but we occasionally run into issues getting attribution for some clients.

@BPry

Yes My Wireless AP uses the domain authetication. which includes both Active directory and radius. 

The problem is user comes to office he connects the cable and logs in , so the user ip mapping will be for LAN IP.

 

There are chnances that the wifi also conects same time. But i believe LAN will take precedence over Wifi. so he will be able to browse internet.

 

But if he diconnects LAN and connects only to wifi the mapping to wifi IP wont be updated in PA user id agent.

This is were i need help. How to make sure the wifi ip also gets mapped with username immmediatly. 

PCNSE-7, ACE-6,ACE 7 , CCNP, CCNA,CCIE(theory) , RHCE
Firewalldog dot com

if your laptop is configured to allow WMI/netbios probes, the userID agent can collect user information from the laptop and tell the firewall which user is logged on

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

So if user conects with both wired and wireless, and probing is turned on, the username will be mapped to both wired and wireless IPs?

If that is the case I believe probing will help.Because once the wired disconnects the username will be removed for wired and wireless will be still connect. Can some one confirm this.

 

 As you @Brandon_Wertz have faced this sitaution, you were getting 2 IP address mapping for same user?

PCNSE-7, ACE-6,ACE 7 , CCNP, CCNA,CCIE(theory) , RHCE
Firewalldog dot com

if the user logs on to AD via the wire, audit log will map the user to his wired IP, if then an outbound connection is made over the wifi (unmapped IP) , the firewall will query the userID agent for information on that IP

if the userid agent does not have a mapping and if probing is enabled, a probe will be sent to the wifi IP to query user information from the host. if WMI is configured correctly (trusted credentials, allowed by firewall,...) the userID agent will receive user information from the laptop and map that to the IP and tell that to the firewall

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@Roby_Sreejith As @reaper described the credentials should be captured given that scenario.

  • 6727 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!