User ID:
AD user agent
LDAP user agent
captive portal
TS agent
PAN client
Configure LDAP
1. Create a service account called "ldap" in the AD Managed Service Accounts OU. A plain domain user with read access is enough for the LDAP bind; do not use a privileged account.
2. Verify the firewall's DNS is configured with the internal AD/DNS server.
3. Verify the service route for DNS and LDAP points to the internal LAN interface.
4. Add an LDAP Server Profile and commit the change.
5. Verify the LDAP connection is good.
5.1 The Base DN should appear in the profile once the bind succeeds; select it.
6. Add a group mapping and commit the change.
7. Verify that security policy can now use usernames or groups.
Configure User-IP mapping
WinRM is recommended (over WMI) for server monitoring.
1. Enable User-ID by zone.
6. Verify the monitored server status shows connected.
Check Monitor > Logs > User-ID.
Check the mappings from the CLI:
show user user-ids match-user []
show user ip-user-mapping all
Group mapping state (output of show user group-mapping state all):
Group Mapping(vsys1, type: active-directory): LDAP-Group-Mapping
Bind DN : cn=ldap,cn=users,dc=sc,dc=local
Base : dc=sc,dc=local
Group Filter: (None)
User Filter: (None)
Servers : configured 1 servers
10.0.0.10(389)
Last Action Time: 3130 secs ago(took 0 secs)
Next Action Time: In 470 secs
Number of Groups: 4
cn=contractors,cn=users,dc=sc,dc=local
cn=employees,cn=users,dc=sc,dc=local
cn=helpdesks,cn=users,dc=sc,dc=local
cn=network admins,cn=users,dc=sc,dc=local
admin@PA440-2(active)> debug user-id refresh group-mapping all
group mapping 'LDAP-Group-Mapping' in vsys1 is marked for refresh.
admin@PA440-2(active)> show user group name "cn=employees,cn=users,dc=sc,dc=local"
short name: sc\employees
source type: ldap
source: LDAP-Group-Mapping
[1 ] sc\user1
https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PLey
An Authentication Profile references a server profile (with an Allow List) and is then used when creating an admin account or a captive portal to actually authenticate the user. Test it from the CLI:
test authentication authentication-profile Auth-Profile username user1 password
Enter password :
Target vsys is not specified, user "user1" is assumed to be configured with a shared auth profile.
Do allow list check before sending out authentication request...
name "user1" is in group "all"
Authentication to LDAP server at 172.16.1.10 for user "user1"
Egress: 172.16.1.62
Type of authentication: plaintext
Starting LDAP connection...
Succeeded to create a session with LDAP server
DN sent to LDAP server: CN=user1,CN=Users,DC=lab,DC=local
User expires in days: never
Authentication succeeded for user "user1"
admin@Panorama>
IP-to-User Mappings Have Inconsistent Domain Prefix
- When the show user ip-user-mapping all command is used, some IP-to-user mappings display an inconsistent domain prefix: some entries are listed as NetBIOS-domain\username, while others are listed as DNS-domain\username.
- The inconsistent prefix may cause users listed with the DNS domain name to hit the wrong security policy when group-based policies are used, because group mapping returns NetBIOS-style names (sc\employees above) and a DNS-style user entry never matches them.
- The issue is seen when the domain map is not populated on the device.
- To check for the existence of the domain map, run debug user-id dump domain-map. No output indicates the problem: the domain map is required to resolve the DNS domain name to the NetBIOS domain name, and that resolution is part of the user-to-IP normalization process.
- The domain map can only be pulled from a directory partition on a root domain controller.
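The following script is an added example (not from the original page or from Palo Alto Networks) that covers both the "check mapping from CLI" step above and the inconsistent-domain-prefix problem: it parses show user ip-user-mapping all output, flags when NetBIOS-style and DNS-style prefixes are mixed, and normalizes DNS prefixes to NetBIOS using a domain map. The sample output is constructed to mimic the command's column layout, and DOMAIN_MAP is a plain dict standing in for what debug user-id dump domain-map would provide on a healthy firewall (an empty dict reproduces the failure mode described above).

```python
"""Detect and normalize inconsistent domain prefixes in PAN-OS
'show user ip-user-mapping all' output (added example, not PAN-OS code)."""
import re
from collections import defaultdict

# Constructed sample; the layout mimics 'show user ip-user-mapping all'.
SAMPLE_OUTPUT = """\
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.0.0.50       vsys1  UIA     sc\\user1                         2572           2572
10.0.0.51       vsys1  UIA     sc.local\\user2                   2500           2500
10.0.0.52       vsys1  XMLAPI  sc\\user3                         1800           1800
10.0.0.53       vsys1  UIA     other.corp\\user4                 2400           2400
Total: 4 users
"""

# Constructed stand-in for the firewall's domain map (DNS domain -> NetBIOS name).
# On an affected firewall this is effectively empty.
DOMAIN_MAP = {"sc.local": "sc"}

# One mapping row: IP, vsys, source, domain\\user, idle timeout, max timeout.
MAPPING_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")


def parse_mappings(text):
    """Return one dict per IP-to-user row; header, separator and footer are skipped."""
    rows = []
    for line in text.splitlines():
        m = MAPPING_RE.match(line)
        if m:
            ip, vsys, src, user, idle, mx = m.groups()
            rows.append({"ip": ip, "vsys": vsys, "from": src, "user": user,
                         "idle": int(idle), "max": int(mx)})
    return rows


def split_user(user):
    """Split 'domain\\name' into (lowercase domain, name); domain is '' if absent."""
    if "\\" in user:
        domain, _, name = user.partition("\\")
        return domain.lower(), name
    return "", user


def is_dns_domain(domain):
    """DNS-style prefixes contain a dot (sc.local); NetBIOS names do not (sc)."""
    return "." in domain


def find_inconsistent_prefixes(rows):
    """Group the distinct domain prefixes by style -> {'netbios': {...}, 'dns': {...}}.
    More than one key means the mappings are inconsistent."""
    styles = defaultdict(set)
    for r in rows:
        domain, _ = split_user(r["user"])
        if domain:
            styles["dns" if is_dns_domain(domain) else "netbios"].add(domain)
    return dict(styles)


def normalize(rows, domain_map):
    """Rewrite DNS-domain prefixes to NetBIOS form using domain_map.
    Returns (normalized rows, sorted list of DNS domains the map could not resolve)."""
    normalized, unresolved = [], set()
    for r in rows:
        domain, name = split_user(r["user"])
        if is_dns_domain(domain):
            netbios = domain_map.get(domain)
            if netbios is None:
                # This is exactly the case when the domain map is missing.
                unresolved.add(domain)
            else:
                r = dict(r, user=f"{netbios}\\{name}")
        normalized.append(r)
    return normalized, sorted(unresolved)


def report(text, domain_map):
    """Summarize a mapping dump: row count, whether prefixes are mixed, and leftovers."""
    rows = parse_mappings(text)
    styles = find_inconsistent_prefixes(rows)
    fixed, unresolved = normalize(rows, domain_map)
    return {"rows": len(rows), "mixed": len(styles) > 1, "styles": styles,
            "normalized_users": [r["user"] for r in fixed],
            "unresolved": unresolved}


if __name__ == "__main__":
    result = report(SAMPLE_OUTPUT, DOMAIN_MAP)
    print("mixed prefixes:", result["mixed"], result["styles"])
    for user in result["normalized_users"]:
        print("  ", user)
    if result["unresolved"]:
        print("no domain-map entry for:", ", ".join(result["unresolved"]))
```

Run it against a real dump pasted into SAMPLE_OUTPUT; any domain reported as unresolved is one the firewall also cannot normalize, so its users will not match NetBIOS-style group names in policy until the domain map is populated from a root domain controller.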