Hi, I would like to set up a security policy based on a group a user belongs to in my AD. I've set up the LDAP and User-ID client on the server, but when I go to create the security rule, nothing shows up in the add box for the user, even if I click the drop-down or start to type the domain/username info. I'm thinking I missed a step or something. Can anyone recommend some things I should check, or point me in the direction of some good documents?
Here is a document that explains how to configure User-ID agent and the LDAP server group mappings.
If you have all the configuration set according to the document, I would ask you to check whether the firewall is actually pulling the user-group information. This can be verified with the command "show user group-mapping state all". If you are able to see all the group information in the output, then the group mapping is working properly. So you might want to try using different browsers to create security rules and see if it helps.
If the firewall isn't showing User Info:
Verify if the Agent is doing the User-Mapping:
CLI command to verify User-IP Mapping (done by User-ID Agent)
>show user ip-user-mapping
If this command does not show IP-User Mapping:
Check if the Agent is connected; also verify if you see Discovered Users on the Agent (Monitor).
User Identification Initial Setup
If IP-User Mapping is being done as expected, verify LDAP config for User-Group Mapping
CLI command to verify User-Group Mapping (done by Firewall via LDAP)
Lists Users in the group (Included Groups in LDAP / All if no Included Groups configured)
>show user group name <value>
User Identification Tech Note PAN-OS 4.1
You can also try resetting the user-id manager with the command "debug user-id reset user-id manager type all" and also "debug software restart user-id" from the CLI.
Thanks for the suggestions and help.
Looks like my PAN box is mapping users to IPs.
Here is what I see when I run show user ip-user-mapping:
IP              Ident. By User                             Idle Timeout (s) Max. Timeout (s)
--------------- --------- -------------------------------- ---------------- ----------------
10.2.131.95     AD        in\amorse                        3499             3499
10.134.193.219  AD        in\kwoodward                     3499             3499
10.130.193.238  AD        in\bucstudent                    3499             3499
When I run: show user group list
I don't get anything back. I'm thinking this is where the problem is.
This looks odd to me too:
show user group-mapping state all
Group Mapping(vsys1, type: active-directory): test
Bind DN : PANBOX@IN.SCU.K12.CA.US
Base : DC=in,DC=scu,DC=k12,DC=ca,DC=us
Group Filter: (None)
User Filter: (None)
Servers : configured 1 servers
Proxy state: QUERY_SENT (no result back from agent)
Query agent: ADMASTER2
Last Action Time: (Never)
Next Action Time: In 2 secs
Number of Groups: 0
Thanks again for everyone's support! Can't wait to get this going!
From the output, the agent has not responded to the firewall with the groups. Make sure the agent and firewall have connectivity and that the agent can reach the DC to pull groups. Can you try to bypass the agent and pull the groups directly from the DC?
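A small Python check that reads the two command outputs this thread walks through (the ip-user-mapping table and the group-mapping state) and reports which troubleshooting step applies. This is an added example, not code from the thread or from Palo Alto Networks; the sample output is constructed to mirror what the original poster pasted, and the unhealthy-state strings it looks for are only the ones visible on this page.

```python
import re

# Constructed sample, modelled on the 'show user ip-user-mapping' output quoted in this thread.
IP_USER_MAPPING = """\
IP              Ident. By User                             Idle Timeout (s) Max. Timeout (s)
--------------- --------- -------------------------------- ---------------- ----------------
10.2.131.95     AD        in\\amorse                        3499             3499
10.134.193.219  AD        in\\kwoodward                     3499             3499
"""

# Constructed sample, modelled on the 'show user group-mapping state all' output in this thread.
GROUP_MAPPING_STATE = """\
Group Mapping(vsys1, type: active-directory): test
Bind DN : PANBOX@IN.SCU.K12.CA.US
Base : DC=in,DC=scu,DC=k12,DC=ca,DC=us
Servers : configured 1 servers
Proxy state: QUERY_SENT (no result back from agent)
Query agent: ADMASTER2
Last Action Time: (Never)
Number of Groups: 0
"""

def parse_ip_user_mapping(text):
    """Return (ip, source, user) tuples; header and dashed lines never match the regex."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"^(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)", line)
        if m:
            rows.append(m.groups())
    return rows

def parse_group_mapping_state(text):
    """Return {field: value} for the 'key: value' lines of one group-mapping profile."""
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.strip().startswith("Group Mapping"):
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def diagnose(ip_user_text, group_state_text):
    """Apply the thread's troubleshooting order and return the findings that apply."""
    findings = []
    if not parse_ip_user_mapping(ip_user_text):
        findings.append("no IP-to-user mappings: check the User-ID agent connection and its Monitor tab")
    state = parse_group_mapping_state(group_state_text)
    if "no result back from agent" in state.get("Proxy state", ""):
        findings.append("agent %s has not answered the group query: check agent-firewall and agent-DC connectivity"
                        % state.get("Query agent", "<unknown>"))
    if state.get("Last Action Time") == "(Never)":
        findings.append("group mapping has never completed a poll")
    if state.get("Number of Groups") == "0":
        findings.append("0 groups pulled: verify LDAP profile port (389), bind DN and Login Attribute (sAMAccountName)")
    return findings
```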
I got the same errors as you.
In my situation the problem was in Device > User Identification > Group Mapping Settings > Group Include List: if you click on "+" you should see your groups. I got an error instead of the list of groups.
To fix it, go to Server Profiles > LDAP; the server should be reached on port 389 according to
When you go to Device->Authentication Profile->(open profile up)->Login Attribute
What value is listed there? Mine was blank, and when I put in the value "sAMAccountName" everything started to work like magic. Does that help?
If you've already got that part working - have you looked at your Group Include List?
Device->User Identification->Group Mapping Settings->Group Include List (tab)
Expand your domain and then find the groups you want - then add them to the list... you can use these in your security policies if they are listed here. Does that help?