This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

User ID (with Windows Agent) not working

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

User ID (with Windows Agent) not working

Go to solution
FloriReus
L1 Bithead

‎03-01-2023 11:28 PM

Hi,

we set up User ID based on these docs:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRyCAK

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users/configur...

 

Konfiguration and installation is working:

- the agent installed on server 2019 DC is getting infos

- the firewall (PA-220 9.1) is getting infos from the agent

- the users are displayed in monitoring

 

but:

- we can not select users in security policies

- we can manually add users in the policies - then the policies never matches.

 

Any ideas?

 

Preview file
22 KB
Preview file
64 KB
0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
PavelK
Cyber Elite
Cyber Elite

‎03-03-2023 01:24 PM

Hello @FloriReus

 

based on what you described, the only thing coming to my mind is missing inclusion of "Domain Users" group under: Device > User Identification > Group Mapping > [Name] > Group Include List > add: "Domain Name\Domain Users". This should cover all AD users. Could you make sure this is in the place?

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

View solution in original post

0 Likes Likes
7 REPLIES 7

Go to solution
PavelK
Cyber Elite
Cyber Elite

‎03-03-2023 01:24 PM

Hello @FloriReus

 

based on what you described, the only thing coming to my mind is missing inclusion of "Domain Users" group under: Device > User Identification > Group Mapping > [Name] > Group Include List > add: "Domain Name\Domain Users". This should cover all AD users. Could you make sure this is in the place?

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Go to solution
TomYoung
Cyber Elite
Cyber Elite

‎03-03-2023 08:03 PM - edited ‎03-03-2023 08:12 PM

Hi @FloriReus ,

 

The security policy drop down only shows groups.  You need to manually type in users.  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXWCA0  (It will also show previously typed in users.)

 

Could you add the user in the security policy exactly how you see it in the Monitoring tab, lan\user1, and let us know if that works?

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Go to solution
FloriReus
L1 Bithead
In response to PavelK

‎03-06-2023 01:31 AM

Ah, thank you!
I already got this hint. 
This brought me to a next issue - I can not add groups as the firewall can not read the DC. There is just no group in the list to add. (it seems reachable in general, if I shut it off I get a real error). 

FloriReus_0-1678094945648.png

 

0 Likes Likes

Go to solution
FloriReus
L1 Bithead
In response to TomYoung

‎03-06-2023 01:33 AM

I tried this already (see attached screenshots). seems not top work. 
but thanks for the link!

0 Likes Likes

Go to solution
PavelK
Cyber Elite
Cyber Elite

‎03-06-2023 04:07 AM

Hello @FloriReus

 

thank you for reply.

 

To make sure there is no mis-understanding please replace: "Domain Name" with your organization's real AD domain name.

 

Regarding the issue you described, when you configure LDAP profile under: Device > Server Profiles > LDAP > [LDAP Profile Name], make sure that under Server Settings you configure Base DN that covers your entire domain. You can find that information from Windows CMD by issuing: dsquery *

 

The Base DN is first returned entry on the top. The Base DN is the starting point an LDAP server uses when searching for users authentication within your Active Directory and if this is configured correctly this is what you will see under "Available Groups" in Group Mapping Settings. You should be able to type AD group name and press search button, then "+" button to add it to include list:

 

PavelK_0-1678104287489.png

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Go to solution
FloriReus
L1 Bithead

‎03-06-2023 04:33 AM

yes, you are right!
I missed the baseDN; now it's working!

FloriReus_0-1678104972360.png

 

0 Likes Likes

Go to solution
PavelK
Cyber Elite
Cyber Elite

‎03-06-2023 08:27 PM

Hello @FloriReus

 

thank you for getting back to me. Based on your screen shot, there are 2 additional things I would suggest:

 

- Enable LDAPS by selecting: "Require SSL/TLS secured connection" if possible to secure LDAP traffic.

- Add an additional LDAP server for redundancy to avoid single point of failure.

 

Kind Regards

Pavel 

Help the community: Like helpful comments and mark solutions.
0 Likes Likes
  • 1 accepted solution
  • 3489 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks