07-08-2016 08:09 AM
Scenario:
User comes to office connects to LAN. The user to IP mapping works correctly.
We allow access to internet based on usernames.
User disconnects the Ethernet cable and goes to different room where he connects with wifi.
However loses internet connection. Because user to IP mapping is still with old LAN IP.
What are the best practices to avoid these scenarios?
07-08-2016 09:38 AM
Hi Roby,
In this situation I would say the best practice is to go with GP for user mapping and use internal host detection. GP will reconnect on the new interface and authenticate.
The only other method you can use as a fall back is captive portal and have the user manually authenticate.
hope this helps,
Ben
07-10-2016 03:55 AM
If your users authtenticate to wireless using RADIUS or 802.1x you can also forward this authentication messages to the PA for user id mapping using the sys log receiver. Some common wireless authentication have instructions tested and posted if you search for your brand in the "Topics" area here.
07-11-2016 12:37 AM
besides Global Protect and Captive Portal you can also enable probing on the UserID agent which will trigger a probe whenever the firewall detects an IP address that is not known tries to start a new session, and can also be used to actively time-out stale user mappings
so in your scenario the probe would remove the wired mapping because the user's laptop won't reply to probes (preventing someone else from hijacking the IP and using the same mapped privileges) and as soon as the laptop sends out the first syn packet (or udp) from the wifi connection, the firewall will not have a mapping and request the userID agent for info, it will not have the IP mapped so will send out a probe to detect the user's information from the laptop.
on top of that you can also enable Captive Portal ofcourse 🙂
please take a look at this article which explains a couple of concepts: Getting Started: User-ID
07-11-2016 02:00 AM
We have disbaled the wmi probing in our network as we have reported sevral logs.
Let me search more on probing.
07-12-2016 06:23 AM - edited 07-12-2016 06:50 AM
Some more clarification on this case:
When user first logs in, he is connected via ethernet cable. He gets IP( ethernet) then user ip mapping works correctly.
When user disconnects the cable and connects via wifi, ( like @reaper stated if i enable probing, this will make sure the IP-user mapping on wired connections will be removed).
But how can i make sure the wireless user gets the IP-user mapping correctly . Because user has not logout and login.
Will wifi user get user to ip mapping correctly if we enable probing?
For this captive portal is only solution? ( means when user connects via wifi he has to autneticate via web-form) again?
07-12-2016 06:33 AM
Probing would ensure that the correct user mapping is established as long as they are authenticating when they enter the website and that information is forwarded to the PA. You wouldn't necissarly need to do a captive portal solution if you had them authenticate with their domain credentials when they first logged into the wireless. This can be accomplished through a Radius server.
This method of course hinges on the thought that you have an AP that is actually capable of doing authentication without the captive portal; I imagine if you have some cheap home router serving out your wireless then it won't have the ability to authenticate users without a captive portal.
07-12-2016 06:49 AM - edited 07-12-2016 06:53 AM
I've had this same issue, talked through it here:
https://live.paloaltonetworks.com/t5/General-Topics/Dual-NIC-IP-Mapping-Issue/m-p/5936#M4320
The issue is a Windows OS problem. I had a ticket with Microsoft that took over a month to get my answer to. When not using specific proxy settings IE will not pass login credentials to FQDN URLs as a security feature. You need to specifically tell the OS to allow credentials to be passed to the FQDN URLs you want.
Further, if you are dual connected, there's no gurantee the Windows OS will send traffic down one adapter versus another. While the wired adapter SHOULD be used before the wireless if you do a 'netstat' you will likely see connections out to the Internet via both adapters.
Essentially Windows can't know what's Intranet and Internet, because of this it just assumes anything via FQDN is Internet, hence the need for the bypass.
Once that issue is resolved then you can tackle the various remedies Palo has at their disposal for capturing credentials
At my company we've got about 25k domain users with around 12-14k logged in at any given time. UIA with WMI probing captures around 12k users and CP (With the NTLM challenge / portal redirect) around 400.
This seems to work about 99% of the time for us, but we occasionally run into issues getting attribution for some clients.
07-12-2016 07:04 AM - edited 07-12-2016 07:05 AM
Yes My Wireless AP uses the domain authetication. which includes both Active directory and radius.
The problem is user comes to office he connects the cable and logs in , so the user ip mapping will be for LAN IP.
There are chnances that the wifi also conects same time. But i believe LAN will take precedence over Wifi. so he will be able to browse internet.
But if he diconnects LAN and connects only to wifi the mapping to wifi IP wont be updated in PA user id agent.
This is were i need help. How to make sure the wifi ip also gets mapped with username immmediatly.
07-13-2016 01:18 AM
if your laptop is configured to allow WMI/netbios probes, the userID agent can collect user information from the laptop and tell the firewall which user is logged on
07-13-2016 01:49 AM - edited 07-13-2016 01:50 AM
So if user conects with both wired and wireless, and probing is turned on, the username will be mapped to both wired and wireless IPs?
If that is the case I believe probing will help.Because once the wired disconnects the username will be removed for wired and wireless will be still connect. Can some one confirm this.
As you @Brandon_Wertz have faced this sitaution, you were getting 2 IP address mapping for same user?
07-13-2016 01:56 AM
if the user logs on to AD via the wire, audit log will map the user to his wired IP, if then an outbound connection is made over the wifi (unmapped IP) , the firewall will query the userID agent for information on that IP
if the userid agent does not have a mapping and if probing is enabled, a probe will be sent to the wifi IP to query user information from the host. if WMI is configured correctly (trusted credentials, allowed by firewall,...) the userID agent will receive user information from the laptop and map that to the IP and tell that to the firewall
07-13-2016 05:18 AM
@Roby_Sreejith As @reaper described the credentials should be captured given that scenario.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
