UserID/Group mapping

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

UserID/Group mapping

L2 Linker

I have created a LDAP profile, group mapping and user mapping from Panorama, and it seems to be working.

Im able to do "test authentication username xxxxxxx.test@xxxxxxxxx.com authentication-profile xxxxxx-LDAP password and this works fine.

 

My problem is that panorama doesnt seem to be able to "manage" Palo Alto Networks User ID Agent Setup tab.

That tab is empty on local fw (device->User identification->User Mapping), if i enter anything in this tab, anything at all, i get the error msg bellow. Eventho Panorama has this config. I thought it was a template issue, so i created a test template and added all this config

in the new test template. And put it on top, but no luck. If i try to configure it manually i get the following error msg.

  • Error: Domain's DNS name is missing in Active Directory Authentication
  • client useridd phase 1 failure

 

From mp-log userid.log:

2023-09-12 09:18:26.617 +0200 connects to redis_dscd db1
2023-09-12 09:18:26.716 +0200 dsc adaptor completed rpc call for func ShowUser
2023-09-12 09:18:26.717 +0200 connects to redis_dscd db1
2023-09-12 09:19:12.608 +0200 device cert: NEW: cfg.device-cert-status, event change, invalid field!
2023-09-12 09:19:12.608 +0200 device cert: OLD: cfg.device-cert-status, event change, invalid field!
2023-09-12 09:19:12.608 +0200 device cert: Recevied (change) event for device cert. Update dsc connections.
2023-09-12 09:19:12.609 +0200 Error: pan_dsc_rpc_get_thermite_cert(pan_dsc_adaptor.c:691): [THERMITE] dsc rpc get device cert failed
2023-09-12 09:19:12.609 +0200 dsc adaptor completed rpc call for func UpdateThermiteCert
2023-09-12 09:20:04.302 +0200 phase1 started
2023-09-12 09:20:04.304 +0200 parsing config: config length 186610
2023-09-12 09:20:04.319 +0200 <vsys> tag does not exist
2023-09-12 09:20:04.319 +0200 mgmt internal: client certificate profile commit
2023-09-12 09:20:04.319 +0200 No child nodes present under secure connection server mgmt settings, No updates needed.
2023-09-12 09:20:04.319 +0200 [secure_conn] extract secure_conn userid channel settings SERVER
2023-09-12 09:20:04.319 +0200 [secure_conn] user_id secure comm enabled for SERVER
2023-09-12 09:20:04.319 +0200 No child nodes present under secure connection client mgmt settings, No updates needed.
2023-09-12 09:20:04.319 +0200 [secure_conn] extract secure_conn userid channel settings CLIENT
2023-09-12 09:20:04.319 +0200 [secure_conn] user_id secure comm enabled for CLIENT
2023-09-12 09:20:04.322 +0200 [secure_conn] user_id secure conn cfg SERVER:disabled CLIENT:disabled
2023-09-12 09:20:04.324 +0200 hipreport to icd channel: 1
2023-09-12 09:20:04.326 +0200 no wmi account is configured, no need to probe
2023-09-12 09:20:04.327 +0200 Error: pan_user_id_dir_server_parse_cfg(pan_user_id_collector.c:409): Domain's DNS name is missing in Active Directory Authentication
2023-09-12 09:20:04.327 +0200 Error: pan_user_id_collector_parse_cfg(pan_user_id_collector.c:2217): pan_user_id_dir_server_parse_cfg() failed
2023-09-12 09:20:04.327 +0200 Error: pan_user_id_parse_vsys_config(pan_user_id_cfg.c:818): pan_userid_collector_parse_cfg() failed
2023-09-12 09:20:04.327 +0200 Error: pan_user_id_parse_config_i(pan_user_id_cfg.c:1515): pan_user_id_parse_vsys_config() failed

 

So im missing domains dns name in active directory authentication. If this is the auth profile, i got the user domain set correct. Does anyone know

where "Domain's DNS name is missing in Active Directory Authentication" is?

 

/M

1 accepted solution

Accepted Solutions

We are running 10.2.3 both on Panorama and fw. So thats probably whats wrong. Only thing is that I cant add the config manually on the local fw. Says i need to override the template. And there isnt any gear icon to override... What vers. Panos is this fixed in?

 

/M 

View solution in original post

4 REPLIES 4

Cyber Elite
Cyber Elite

What Panorama version are you using?

It was a bug in Panorama 10.2.x (at least up to 10.2.3) when UserID info in Panorama template was not pushed down to template stack and as a result not sent to firewall.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Cyber Elite
Cyber Elite

Are you using the built in user-id agent for this? If you go to device->User identification->User Mapping then click the gear for Palo Alto Networks user-id agent setup, under the "server monitor account" there you'll fill out your account used for authentication as well as the "Domains DNS Name".

 

If you are not using the built in user-id agent, you can just go to the "server monitor" and "client probing" tabs and make sure everything is unchecked there.

We are running 10.2.3 both on Panorama and fw. So thats probably whats wrong. Only thing is that I cant add the config manually on the local fw. Says i need to override the template. And there isnt any gear icon to override... What vers. Panos is this fixed in?

 

/M 

Im using built in, but perhaps ill try the agent now that I know of the bug mentioned above.

 

 

  • 1 accepted solution
  • 3311 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!