Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

User ID (with Windows Agent) not working

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

User ID (with Windows Agent) not working

L1 Bithead

Hi,

we set up User ID based on these docs:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRyCAK

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users/configur...

 

Konfiguration and installation is working:

- the agent installed on server 2019 DC is getting infos

- the firewall (PA-220 9.1) is getting infos from the agent

- the users are displayed in monitoring

 

but:

- we can not select users in security policies

- we can manually add users in the policies - then the policies never matches.

 

Any ideas?

 

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Hello @FloriReus

 

based on what you described, the only thing coming to my mind is missing inclusion of "Domain Users" group under: Device > User Identification > Group Mapping > [Name] > Group Include List > add: "Domain Name\Domain Users". This should cover all AD users. Could you make sure this is in the place?

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

View solution in original post

7 REPLIES 7

Cyber Elite
Cyber Elite

Hello @FloriReus

 

based on what you described, the only thing coming to my mind is missing inclusion of "Domain Users" group under: Device > User Identification > Group Mapping > [Name] > Group Include List > add: "Domain Name\Domain Users". This should cover all AD users. Could you make sure this is in the place?

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Cyber Elite
Cyber Elite

Hi @FloriReus ,

 

The security policy drop down only shows groups.  You need to manually type in users.  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXWCA0  (It will also show previously typed in users.)

 

Could you add the user in the security policy exactly how you see it in the Monitoring tab, lan\user1, and let us know if that works?

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Ah, thank you!
I already got this hint. 
This brought me to a next issue - I can not add groups as the firewall can not read the DC. There is just no group in the list to add. (it seems reachable in general, if I shut it off I get a real error). 

FloriReus_0-1678094945648.png

 

I tried this already (see attached screenshots). seems not top work. 
but thanks for the link!

Cyber Elite
Cyber Elite

Hello @FloriReus

 

thank you for reply.

 

To make sure there is no mis-understanding please replace: "Domain Name" with your organization's real AD domain name.

 

Regarding the issue you described, when you configure LDAP profile under: Device > Server Profiles > LDAP > [LDAP Profile Name], make sure that under Server Settings you configure Base DN that covers your entire domain. You can find that information from Windows CMD by issuing: dsquery *

 

The Base DN is first returned entry on the top. The Base DN is the starting point an LDAP server uses when searching for users authentication within your Active Directory and if this is configured correctly this is what you will see under "Available Groups" in Group Mapping Settings. You should be able to type AD group name and press search button, then "+" button to add it to include list:

 

PavelK_0-1678104287489.png

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

L1 Bithead

yes, you are right!
I missed the baseDN; now it's working!

FloriReus_0-1678104972360.png

 

Cyber Elite
Cyber Elite

Hello @FloriReus

 

thank you for getting back to me. Based on your screen shot, there are 2 additional things I would suggest:

 

- Enable LDAPS by selecting: "Require SSL/TLS secured connection" if possible to secure LDAP traffic.

- Add an additional LDAP server for redundancy to avoid single point of failure.

 

Kind Regards

Pavel 

Help the community: Like helpful comments and mark solutions.
  • 1 accepted solution
  • 3491 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!