02-27-2013 10:33 AM
For a quick background: I am using a PA-500 running version 5.0.1, with the User-ID agent installed for domain users as a stand-alone agent on the Domain Controller, and Captive Portal set up for AD users on wireless devices.
I have Captive Portal configured with NTLM redirect set up. It was all working well, with users authenticating and being identified as abc/user_name. For the past 2 weeks, I have been seeing a problem with users being identified by Captive Portal, thereby hitting the explicit deny.
1. When I do a >show user ip-user-mapping ip x.x.x.x, the user name on the Palo Alto comes up as abc.local/user_name instead of abc/user_name after authenticating using Captive Portal, and it is not associated with any group.
2. When I clear the user cache and re-login via Captive Portal, the IP-to-user mapping is correct, i.e. abc/user_name, but in around 10 minutes it changes to abc.local/user_name, thereby hitting the explicit deny.
3. Another strange observation: when the wireless device connects to the SSID and browses to the internet, I get blocked straight away with no Captive Portal page popping up, but after 10 minutes, when I retry browsing to the internet (without disconnecting from the SSID), bingo, I have the Captive Portal page. I authenticate, and the mapping works perfectly fine and remains constant.
Any thoughts on what is causing this behaviour, and why?
After searching the knowledge base, I read an article, "Sessions Showing Wrong Username when using Captive Portal", documented on the 19th of July 2012. It stated that:
"When doing NTLM authentication via Captive Portal, not every session is correctly authenticated and there seems to be irregular User/IP mappings in the logs." This behaviour occurred when the main dataplane process (dp0) goes out of sync with the other dataplanes. The workaround suggested was to force all traffic to be processed by the dp0 dataplane by issuing the following command via the CLI: # set session processing-cpu dp0.
To my surprise, I could not find this command on the CLI in either config or normal mode, on either version 4.1.x or version 5.x.x. Can someone please let me know if this command is available and in which mode I should apply it?
If this command is not available, has changed, etc., can I please ask someone from PAN to update the document? It will be very much appreciated.
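As an added example (not from the original post or from Palo Alto Networks), here is a small Python check that parses a dump of show user ip-user-mapping and flags mappings that have drifted to the abc.local\user_name form or carry no group membership, so the symptom described above can be caught by a scheduled job before it turns into policy denies. The field layout of the sample output and the sample records are constructed assumptions; adjust the patterns to match the real CLI output of your PAN-OS version.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the style of "show user ip-user-mapping" output.
# The exact field layout is an assumption; adjust the regexes to your PAN-OS.
# Symptom from the post: the same mapping flips from the NetBIOS form
# abc\user_name (with groups) to the FQDN form abc.local\user_name (no groups).
SAMPLE_OUTPUT = """\
IP address (vsys1): 10.10.1.25
User:   abc\\jsmith
From:   CP
Groups that the user belongs to (used in policy)
    cn=wireless-users,ou=groups,dc=abc,dc=local

IP address (vsys1): 10.10.1.26
User:   abc.local\\jdoe
From:   CP
Groups that the user belongs to (used in policy)
"""

EXPECTED_DOMAIN = "abc"  # NetBIOS name that the policy group mappings are keyed on


def parse_mappings(text: str) -> List[Dict[str, object]]:
    """Split the CLI dump into one record per 'IP address' block."""
    records = []
    for block in re.split(r"\n(?=IP address)", text.strip()):
        ip = re.search(r"IP address.*?:\s*(\S+)", block)
        user = re.search(r"^User:\s*(\S+)", block, re.M)
        src = re.search(r"^From:\s*(\S+)", block, re.M)
        groups = re.findall(r"^\s+(cn=.*)$", block, re.M)
        if not (ip and user):
            continue  # skip blocks without the fields we need
        domain, _, name = user.group(1).rpartition("\\")
        records.append({"ip": ip.group(1), "domain": domain, "user": name,
                        "source": src.group(1) if src else "", "groups": groups})
    return records


def find_drifted(records: List[Dict[str, object]]) -> List[Tuple[str, str, bool, bool]]:
    """Return (ip, user, wrong_domain, no_groups) for mappings that will miss group policy."""
    drifted = []
    for r in records:
        wrong_domain = str(r["domain"]).lower() != EXPECTED_DOMAIN
        no_groups = not r["groups"]
        if wrong_domain or no_groups:
            drifted.append((str(r["ip"]), f'{r["domain"]}\\{r["user"]}', wrong_domain, no_groups))
    return drifted


if __name__ == "__main__":
    for ip, user, wrong_domain, no_groups in find_drifted(parse_mappings(SAMPLE_OUTPUT)):
        print(f"{ip}: {user} wrong_domain={wrong_domain} no_groups={no_groups}")
```

Pipe the real CLI output into parse_mappings instead of SAMPLE_OUTPUT and alert on any non-empty result from find_drifted.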