The “almost” complete guide of User-ID
installation and configuration
Alberto Rivai
Contents

1. IP – User Mapping
   a. IP – User Mapping (with UID Agent)
      Create service account, configure account permission and install UID agent
      Configure User-ID agent in the firewall
   b. IP – User Mapping (Agentless)
      Create service account and configure account permission
      Configure UID in the firewall
2. User enumeration
3. IP – User Mapping through User-ID API
   3.1 User-ID agent API, Microsoft NPS, Microsoft DHCP integration
       Lab Diagram
       Installation
       UIDConfig.xml variables description
   3.2 User-ID agentless API, Microsoft NPS, Microsoft DHCP integration
User Identification in PAN-OS 4.1 encompasses two primary functions:
• Mapping of users to their current IP addresses
• Enumeration of users and their associated group membership
1. IP – User Mapping
a. IP - User Mapping ( with UID Agent )
The first section maps users to their current IP addresses. This section uses the UID agent to perform the function.
Create service account, configure account permission and install UID agent
1. Create a service account (for example, Labuid) in the DC.
2. Log in to any computer that is a member of the domain; you do not need to install the UID agent on the AD server or domain controller.
3. Log in with an account that has local administrator permission.
4. Add Labuid as a member of the local Administrators group.
5. Download the UID agent.
6. Run the command prompt as administrator.
7. Install from the command prompt.
8. By default, the agent will be configured to log in as the user who installed the .msi file. In the screen shot that follows, you will see that the “Labuid” account that installed the agent is now the agent service account. Use the “Edit” button on the configuration window to change the service account to a restricted user account if desired.
9. Allow the agent account to log on to the member server as a service. On the member server, open the “Local Security Policy” mmc.
10. Under “Local Policies” > “User Rights Assignments”, add the service account to the “Log on as a service” option.
11. For Win2K8, add the service account user to the “Event Log Readers” and “Server Operators” built-in security groups in the domain.
12. For Win2K3, the user right “Manage auditing and security log” must be given to that account. Edit the Default Domain Controller Security Policy, found under Programs -> Admin Tools. Drill down to Security Settings -> Local Policies -> User Rights Assignment. You will see the screen below.
    In the right-hand pane, locate the user right “Manage auditing and security log”. Double-click that entry. You will see that only Administrators have that user right.
    Click Add User or Group.
    Enter the username of the account you just created, and click Check Names to confirm that the account exists. The account name will become underlined.
13. Make sure that the service is running in the Services window.
14. To check that you have configured the UID agent correctly, go to Start -> Palo Alto Networks -> User-ID Agent, open the UID agent GUI and go to the Discovery tab; you will see the domain controller listed.
15. To check that the UID agent successfully reads the event log and discovers usernames, go to the Monitoring tab.
16. The next step is adding the UID agent in the firewall.
Configure User-ID agent in the firewall
17. Log in to the firewall.
18. Go to the Device tab.
19. Then, under the User Identification node, click the User-ID Agents sub-tab.
20. Click Add, and then enter the name, IP address and port (default 5007). Click OK, then commit.
21. You will see the green button when the UID agent has successfully connected to the firewall.
22. To verify that the firewall receives the User-IP mapping, ssh to the firewall and execute the command below:
admin@PA-200> show user ip-user-mapping all
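As an added example (not from the guide, and not Palo Alto Networks code), here is the core of what the UID agent does once it can read the domain controller's Security log in steps 11-15: it turns successful logon events into a per-IP user mapping that expires, which is what the "show user ip-user-mapping all" output reflects. The event XML is a constructed sample (namespace and most fields omitted), event ID 4624 is the standard Windows "successful logon" event, and the 45-minute timeout is an assumed value standing in for whatever timeout the agent is configured with. Machine accounts, anonymous logons and loopback addresses are left out on purpose: mapping them would attribute traffic to the wrong identity in policy.

```python
"""Added example: derive an IP-to-user mapping from Windows Security log
logon events, the job the User-ID agent performs when reading the DC's event
log. All events below are constructed samples."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

LOGON_EVENT_IDS = {"4624"}            # successful logon; failed logons (4625) are ignored
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"       # constructed samples use whole seconds

# Constructed Security log extract. Includes a stale logon, a computer account,
# an anonymous logon, a failed logon and a later logon that supersedes an earlier one.
SAMPLE_EVENTS = """<Events>
<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2013-04-12T08:00:00Z"/></System>
<EventData><Data Name="TargetUserName">stale</Data><Data Name="TargetDomainName">LAB</Data>
<Data Name="IpAddress">192.168.6.60</Data></EventData></Event>
<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2013-04-12T09:00:00Z"/></System>
<EventData><Data Name="TargetUserName">jsmith</Data><Data Name="TargetDomainName">LAB</Data>
<Data Name="IpAddress">192.168.6.50</Data></EventData></Event>
<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2013-04-12T09:01:00Z"/></System>
<EventData><Data Name="TargetUserName">WS01$</Data><Data Name="TargetDomainName">LAB</Data>
<Data Name="IpAddress">192.168.6.51</Data></EventData></Event>
<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2013-04-12T09:02:00Z"/></System>
<EventData><Data Name="TargetUserName">ANONYMOUS LOGON</Data><Data Name="TargetDomainName">NT AUTHORITY</Data>
<Data Name="IpAddress">192.168.6.52</Data></EventData></Event>
<Event><System><EventID>4625</EventID><TimeCreated SystemTime="2013-04-12T09:03:00Z"/></System>
<EventData><Data Name="TargetUserName">bob</Data><Data Name="TargetDomainName">LAB</Data>
<Data Name="IpAddress">192.168.6.70</Data></EventData></Event>
<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2013-04-12T09:04:00Z"/></System>
<EventData><Data Name="TargetUserName">bob</Data><Data Name="TargetDomainName">LAB</Data>
<Data Name="IpAddress">192.168.6.70</Data></EventData></Event>
<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2013-04-12T09:05:00Z"/></System>
<EventData><Data Name="TargetUserName">arivai</Data><Data Name="TargetDomainName">LAB</Data>
<Data Name="IpAddress">192.168.6.50</Data></EventData></Event>
</Events>"""


def parse_logon_events(xml_text):
    """Return (time, domain, user, ip) tuples for successful logon events only."""
    out = []
    for ev in ET.fromstring(xml_text).findall("Event"):
        if ev.findtext("System/EventID") not in LOGON_EVENT_IDS:
            continue
        when = datetime.strptime(ev.find("System/TimeCreated").get("SystemTime"), TIME_FMT)
        data = {d.get("Name"): (d.text or "") for d in ev.findall("EventData/Data")}
        out.append((when, data.get("TargetDomainName", ""),
                    data.get("TargetUserName", ""), data.get("IpAddress", "-")))
    return out


def is_mappable(domain, user, ip):
    """Reject identities that must never become an IP-to-user mapping."""
    if user.endswith("$"):                                   # computer account, not a person
        return False
    if user.upper() == "ANONYMOUS LOGON" or domain.upper() == "NT AUTHORITY":
        return False
    if ip in ("-", "", "127.0.0.1", "::1"):                  # no usable source address
        return False
    return True


def build_mapping(events, now, timeout_minutes=45):
    """Map ip -> (domain\\user, expiry). Later logons on the same IP replace earlier ones;
    entries whose timeout has already passed at 'now' are dropped. Timeout is assumed."""
    mapping = {}
    for when, domain, user, ip in sorted(events):
        if not is_mappable(domain, user, ip):
            continue
        expires = when + timedelta(minutes=timeout_minutes)
        if expires <= now:
            continue
        mapping[ip] = (f"{domain.lower()}\\{user.lower()}", expires)
    return mapping


def format_mapping(mapping, now):
    """Render the mapping in the spirit of 'show user ip-user-mapping all'."""
    lines = [f"{'IP':<16} {'User':<25} Timeout(s)"]
    for ip, (user, expires) in sorted(mapping.items()):
        lines.append(f"{ip:<16} {user:<25} {int((expires - now).total_seconds())}")
    return "\n".join(lines)


if __name__ == "__main__":
    now = datetime(2013, 4, 12, 9, 10)
    print(format_mapping(build_mapping(parse_logon_events(SAMPLE_EVENTS), now), now))
```

Running the block prints two mappings (192.168.6.50 to lab\arivai, 192.168.6.70 to lab\bob); the stale 08:00 logon, the WS01$ computer account, the anonymous logon and the failed logon produce nothing, which is the behaviour you want to confirm in the agent's Monitoring tab before trusting the mapping in policy.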

b. IP – User Mapping ( Agentless )
The IP – User Mapping function that was performed by the User-ID agent can be replaced by agentless User-ID. Agentless User-ID allows the server monitoring to be run from the PAN device itself.
The login that works with the User-ID agent most likely will not work with the agentless method, because additional permissions are needed.
Create service account and configure account permission
1. Create the service account in AD. This account is used by the device. Be sure the user is part of the Distributed COM Users, Server Operators and Event Log Readers groups.
2. The device uses WMI authentication, so you must modify the CIMV2 security properties on the AD server the device connects to.
3. Run wmimgmt.msc (on the domain controller server) from the command prompt to open the console and select Properties as shown below.
4. Select the Security tab of the WMI Control Properties and drill down to the CIMV2 folder. Select this folder and click the Security button. Add the service account from step 1. In this case, it's panrunner@nike.local. For this account, check both Enable Account and Remote Enable.
5. After you have completed the permission settings for the UID account, you need to set up the UID configuration in the firewall.

Configure UID in the firewall
6. Log in to the firewall GUI.
7. Go to Device tab -> User Identification and select the User Mapping sub-tab.
8. Under Server Monitoring, click Add and add the IP address of the server to be monitored.
9. Click Edit on the Palo Alto Networks User ID Agent Setup.
10. Be sure to enter the username in domain\username format under the WMI Authentication tab, along with valid credentials for that user.
11. Enable the Server Monitor options (enable security log / enable session) accordingly.
12. Client probing is enabled by default, so disable it if desired.
13. Click Commit.
14. Confirm connectivity via GUI and/or CLI as shown below.
15. Confirm that ip-user-mapping is working as shown below.
2. User enumeration
The second section configures the enumeration of users and their associated group membership.
Before a security policy can be written for groups of users, the relationships between the users and the groups they are members of must be established. This information is retrieved from an LDAP directory, such as Active Directory or eDirectory. The firewall or an agent will access the directory and search for group objects. Each group object contains a list of user objects that are members. This list is evaluated and becomes the list of users and groups available in security policy and authentication profiles. The only method of retrieving this data is through LDAP queries from the firewall. An agent system can be configured to proxy the firewall's LDAP queries if the topology requires that.
1. Log in to the firewall through the GUI.
2. Go to the Device tab, then Server Profile -> LDAP, then click Add.
3. List the directory servers that you want the firewall to use in the server list. You need to provide at least one server; two or more are recommended for failover purposes. The standard LDAP port for this configuration is 389.
4. Enter the name of the domain in the “Domain” field. The domain name should be a NetBIOS name.
5. Select a directory “Type”. Based on the selected directory type, the firewall can populate default values for the attributes and object classes used for user and group objects in the directory server.
6. Enter the base of the LDAP directory in the “Base” field. For example, if your Active Directory domain is “acme.local”, your base would be “dc=acme,dc=local”, unless you want to leverage an Active Directory Global Catalog.
7. Enter a user name for a user with sufficient permission to read the LDAP tree. In an Active Directory environment, a valid username for this entry could be the “User Principal Name”, e.g. “administrator@acme.local”, or the user's distinguished name, e.g. “cn=Administrator,cn=Users,dc=acme,dc=local”.
8. Enter and confirm the authentication password for the user account that you entered above.
9. In case you have difficulties identifying your directory base DN, you can simply follow these steps:
   a. Open the Active Directory Users and Groups management console on your domain controller.
   b. Select “Advanced features” in the “View” menu of the management console.
   c. Select the top of your domain object and select “Properties”.
   d. Navigate to the “Attribute Editor” in the properties window and scroll to the “distinguishedName” attribute.
   e. Copy the content of this attribute into the LDAP Server configuration “Base” field in the firewall management UI.

Group Mapping Settings
After the LDAP server has been configured, you need to configure how groups and users are retrieved from the directory and which user groups are to be included in policies.
In order to create a new group mapping entry, navigate to the “Device > User Identification”
menu and create a new entry under the “Group Mapping Settings” tab.
In this configuration, you specify which LDAP server profile is going to be used to identify users
and groups.
• Select the “LDAP Server Profile” you configured earlier in the “LDAP Server Profile” section
in the drop-down list under “Server Profile”.
All LDAP Attributes and ObjectClasses will be pre-populated based on the directory server type
you selected in the “LDAP Server Profile”. Under normal circumstances, you should not have to
modify any of these attributes. Please refer to the Palo Alto Networks Administrator’s Guide for
customizations of these attributes.

The default update interval for changes in user groups is 3600 seconds (1 hour). You can
customize this value to a shorter period if needed.
Go to Group include list tab, leave this blank if you want to include ALL groups, or select the groups
that you want to be mapped.
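As an added example (not from the guide, and not how the firewall's own group-mapping code is written), the following shows what the steps above amount to: the base DN derived from the domain name (step 6 of the LDAP profile), a subtree search for group objects under that base, each group's "member" attribute resolved to NETBIOS\user names, and the group include list applied (a blank list meaning all groups). The directory is a constructed in-memory dict standing in for real LDAP search results; following nested group membership and guarding against a group that references itself goes beyond what the guide describes and is added here because Active Directory groups commonly nest.

```python
"""Added example: the group mapping the firewall derives from an LDAP directory.
The directory below is a constructed stand-in for LDAP search results."""


def domain_to_base_dn(domain):
    """'acme.local' -> 'dc=acme,dc=local' (the Base field of the LDAP profile)."""
    return ",".join(f"dc={label}" for label in domain.strip().lower().split("."))


# Constructed directory: DN -> attributes. One group lives outside the base DN
# and one group contains itself, to exercise the base scoping and the cycle guard.
DIRECTORY = {
    "cn=Administrator,cn=Users,dc=acme,dc=local": {"objectClass": ["user"], "sAMAccountName": "Administrator"},
    "cn=jsmith,ou=Staff,dc=acme,dc=local": {"objectClass": ["user"], "sAMAccountName": "jsmith"},
    "cn=arivai,ou=Staff,dc=acme,dc=local": {"objectClass": ["user"], "sAMAccountName": "arivai"},
    "cn=bob,ou=Staff,dc=acme,dc=local": {"objectClass": ["user"], "sAMAccountName": "bob"},
    "cn=Domain Admins,cn=Users,dc=acme,dc=local": {
        "objectClass": ["group"], "sAMAccountName": "Domain Admins",
        "member": ["cn=Administrator,cn=Users,dc=acme,dc=local"]},
    "cn=Finance,ou=Groups,dc=acme,dc=local": {
        "objectClass": ["group"], "sAMAccountName": "Finance",
        "member": ["cn=jsmith,ou=Staff,dc=acme,dc=local", "cn=arivai,ou=Staff,dc=acme,dc=local"]},
    "cn=All Staff,ou=Groups,dc=acme,dc=local": {
        "objectClass": ["group"], "sAMAccountName": "All Staff",
        "member": ["cn=Finance,ou=Groups,dc=acme,dc=local", "cn=bob,ou=Staff,dc=acme,dc=local",
                   "cn=All Staff,ou=Groups,dc=acme,dc=local"]},   # self-reference
    "cn=Guests,cn=Users,dc=other,dc=local": {
        "objectClass": ["group"], "sAMAccountName": "Guests",
        "member": ["cn=bob,ou=Staff,dc=acme,dc=local"]},           # outside dc=acme,dc=local
}


def in_base(dn, base_dn):
    """Subtree scope: the DN must end with the base DN."""
    return dn.lower().endswith("," + base_dn.lower())


def search(directory, base_dn, object_class):
    """Subtree search under base_dn for entries of the given objectClass."""
    return {dn: e for dn, e in directory.items()
            if in_base(dn, base_dn) and object_class in e["objectClass"]}


def resolve_members(directory, group_dn, seen=None):
    """Flatten a group's 'member' attribute to user DNs, descending into nested
    groups and skipping any DN already visited (so a self-referencing group terminates)."""
    seen = seen if seen is not None else set()
    users = []
    for dn in directory.get(group_dn, {}).get("member", []):
        if dn in seen:
            continue
        seen.add(dn)
        entry = directory.get(dn)
        if entry is None:                       # dangling member reference
            continue
        if "group" in entry["objectClass"]:
            users.extend(resolve_members(directory, dn, seen))
        else:
            users.append(dn)
    return users


def group_mapping(directory, domain, netbios, include=None):
    """Return {group name: sorted 'netbios\\user' list}. include=None means every
    group under the base, matching a blank Group Include List."""
    base_dn = domain_to_base_dn(domain)
    wanted = None if include is None else {g.lower() for g in include}
    result = {}
    for dn, entry in search(directory, base_dn, "group").items():
        name = entry["sAMAccountName"]
        if wanted is not None and name.lower() not in wanted:
            continue
        result[name] = sorted({f"{netbios.lower()}\\{directory[u]['sAMAccountName'].lower()}"
                               for u in resolve_members(directory, dn)})
    return result


if __name__ == "__main__":
    for group, users in group_mapping(DIRECTORY, "acme.local", "ACME").items():
        print(f"{group}: {', '.join(users)}")
```

With an empty include list every group under dc=acme,dc=local appears (the "Guests" group under a different base does not); passing include=["Finance"] restricts the result to that one group, which is what limiting the Group Include List does to the names offered in policy.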

3. IP – User Mapping through User-ID API
3.1 User-ID agent API, Microsoft NPS, Microsoft DHCP integration
Pre-requisites
- Microsoft 2008 Server 64-bit
- Microsoft NPS
- Microsoft DHCP server
- Palo Alto Networks UID Agent
- Scripts from https://github.com/cesanetwan/scripts/tree/master/paloalto
- At least 1 Windows server running IAS/NPS
- The server running the Palo-Alto User-ID Agent must have IP connectivity
- The Palo-Alto User-ID Agent must have the User-ID XML API enabled
- As a convention, the script should be stored in a DFS share for replication purposes, i.e. \\%domainname%\scripts
- The script needs to be configured to trigger on Windows Event 6272
- The User-ID timeout set in the Palo-Alto User ID Agent must be less than the session timeout on the wireless controller
- The task must be configured to run under the designated sync account for the content filter at sites
- Said account must be granted the log on as a service and log on as a batch job rights, in addition to full permissions to read, write and modify the installation directory of the Palo-Alto User ID Agent, and must additionally be a member of the "DHCP Users" built-in group in Active Directory
- The ignore_user_list and UIDConfig.xml must be present in the installation directory of the Palo-Alto User ID Agent, and customised to the site's configuration as per the samples in this repository
- The scheduled task should be configured to queue new instances should the task be running when a new instance is called, and modified to fit the template provided in this repository

This integration script was provided and developed by the guys from Catholic Education SA, mainly Gareth Hill. Their link can be found at https://github.com/cesanetwan/scripts/wiki/CEFilter-UIDRADIUS-script
The CESA UID RADIUS script is a means of enumerating 802.1x authorised users to the Palo Alto Networks User-ID Agent so that the appropriate filtering policies are applied automatically, allowing for a seamless user experience with Palo Alto Networks NGFW and User-ID.

Lab Diagram

Installation
The steps below apply to the sample diagram above. Please change the variables according to the instructions at https://github.com/cesanetwan/scripts/wiki/CEFilter-UID-RADIUS-script
1. Copy the file UIDRADIUSScript.vbs (attached below) to C:\Windows\SYSVOL\domain\scripts (note that this can be changed to any location).
   Attached file: UIDRADIUSScript.vbs
2. Copy the file UIDConfig.xml (attached below) to C:\Program Files (x86)\Palo Alto Networks\User-ID Agent
   Attached file: UIDConfig.xml
3. Create a scheduled task to trigger on Windows Event 6272:
   Click on Properties.
   Check Run with Highest Privileges.
   Change to Queue a new instance.
   Right-click on the task entry and click Export Task to XML.
   Edit the task's XML to reflect the example XML file below.
   Attached file: User-id.xml

The important parts are the Triggers and Exec sections.

Triggers section:
<Triggers>
  <EventTrigger>
    <Enabled>true</Enabled>
    <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=6272]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    <ValueQueries>
      <Value name="SubjectUserName">Event/EventData/Data[@Name='SubjectUserName']</Value>
      <Value name="CallingStationID">Event/EventData/Data[@Name='CallingStationID']</Value>
    </ValueQueries>
  </EventTrigger>
</Triggers>

Exec section:
<Exec>
  <Command>C:\Windows\System32\cscript.exe</Command>
  <Arguments>C:\Windows\SYSVOL\domain\scripts\UIDRADIUSScript.vbs "$(SubjectUserName)" $(CallingStationID)</Arguments>
</Exec>

Then delete the original task and import the modified XML.
Type in your username and password.
Enable the task.
Test by authenticating a user through 802.1x; you should then see the 802.1x-authenticated user appear in the User-ID agent Monitoring tab.
UIDConfig.xml variables description
<?xml version="1.0" encoding="UTF-8"?>
<user-id-script-config>
<domain>LAB</domain>
<LogFormat>DHCP</LogFormat>
<AgentServer>192.168.6.3</AgentServer>
<AgentPort>5008</AgentPort>
<Debug>1</Debug>
<DHCPServer>main.lab.com</DHCPServer>
</user-id-script-config>

domain - the domain of the site in question
LogFormat - the log format; valid values are NPS, IAS and DHCP, for the various methods of processing this information. In this example we are using DHCP.
AgentServer - the server the UID agent is installed on
AgentPort - the port the User-ID XML API is listening on
Debug - a debug flag (not implemented yet)
DHCPServer - the DHCP server at the site in question, used to do remote queries if there are 2 NPS servers at a site
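As an added example (not from the guide and not the CESA script itself, which is VBScript), here is the processing path that the scheduled task above hands to the script, written in Python so it can be read and run stand-alone: read UIDConfig.xml, pull SubjectUserName and CallingStationID out of an event 6272 with the same paths the task's ValueQueries use, resolve the MAC address to an IP through the DHCP server (a constructed lease table stands in for that query), skip anything on the ignore_user_list, and build the User-ID XML API login message. The event XML, the lease table and the ignore list are constructed; the uid-message layout is the public User-ID XML API format as I know it, and the plain TCP delivery in send_to_agent is an assumption, since the guide says only that the agent's XML API must be enabled on AgentPort. The two failure modes that matter for policy are handled by sending nothing: an ignored account, and a MAC with no DHCP lease (a guessed IP would map the user onto someone else's address).

```python
"""Added example: event 6272 -> DHCP lookup -> User-ID XML API login message.
Config is the guide's UIDConfig.xml; event, leases and ignore list are constructed."""
import socket
import xml.etree.ElementTree as ET

UID_CONFIG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<user-id-script-config>
<domain>LAB</domain>
<LogFormat>DHCP</LogFormat>
<AgentServer>192.168.6.3</AgentServer>
<AgentPort>5008</AgentPort>
<Debug>1</Debug>
<DHCPServer>main.lab.com</DHCPServer>
</user-id-script-config>"""

# Constructed NPS event 6272 (access granted); namespace and other fields omitted.
EVENT_6272 = """<Event>
<System><EventID>6272</EventID></System>
<EventData>
<Data Name="SubjectUserName">jsmith</Data>
<Data Name="CallingStationID">00-1A-2B-3C-4D-5E</Data>
</EventData>
</Event>"""

# Constructed DHCP lease table (MAC -> IP) standing in for the DHCPServer query.
LEASES = {"00:1a:2b:3c:4d:5e": "192.168.6.50", "00:1a:2b:3c:4d:5f": "192.168.6.51"}
# Constructed ignore_user_list: accounts that must never produce a mapping.
IGNORE_USERS = {"lab\\svc_wifi_probe"}


def load_config(xml_text):
    """UIDConfig.xml -> {tag: value}."""
    return {child.tag: (child.text or "").strip() for child in ET.fromstring(xml_text)}


def parse_event_6272(xml_text):
    """Same paths as the task's ValueQueries, relative to the Event element."""
    ev = ET.fromstring(xml_text)
    user = ev.findtext("EventData/Data[@Name='SubjectUserName']", "")
    mac = ev.findtext("EventData/Data[@Name='CallingStationID']", "")
    return user, mac


def normalize_mac(raw):
    """'00-1A-2B-3C-4D-5E' -> '00:1a:2b:3c:4d:5e'; None if it is not 12 hex digits."""
    digits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def qualify_user(user, domain):
    """Lowercase 'domain\\user'; NPS may log the name with or without a domain prefix."""
    if "\\" in user:
        domain, user = user.split("\\", 1)
    return f"{domain}\\{user}".lower()


def build_uid_message(user, ip, timeout_minutes=60):
    """User-ID XML API login entry (format assumed from the public API)."""
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "1.0"
    ET.SubElement(msg, "type").text = "update"
    login = ET.SubElement(ET.SubElement(msg, "payload"), "login")
    ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout_minutes))
    return ET.tostring(msg, encoding="unicode")


def handle_event(event_xml, config, leases, ignore_users):
    """Return the message to send, or None when no mapping must be made."""
    user, mac = parse_event_6272(event_xml)
    if not user or not mac:
        return None
    name = qualify_user(user, config["domain"])
    if name in ignore_users:                 # listed in ignore_user_list
        return None
    ip = leases.get(normalize_mac(mac) or "")
    if ip is None:                           # no lease: never guess an address
        return None
    return build_uid_message(name, ip)


def send_to_agent(config, message):
    """Deliver to AgentServer:AgentPort over plain TCP (transport assumed)."""
    with socket.create_connection((config["AgentServer"], int(config["AgentPort"])), timeout=5) as s:
        s.sendall(message.encode("utf-8"))


if __name__ == "__main__":
    cfg = load_config(UID_CONFIG_XML)
    print(handle_event(EVENT_6272, cfg, LEASES, IGNORE_USERS))
```

Keeping the User-ID timeout in the entry shorter than the wireless controller's session timeout, as the prerequisites require, means a device that silently leaves the network ages out of the mapping rather than leaving its last IP attributed to that user.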

3.2 User-ID agentless API, Microsoft NPS, Microsoft DHCP integration (work in progress)

Pre-requisites
- Microsoft 2008 Server 64-bit
- Microsoft NPS
- Microsoft DHCP server
- Palo Alto Networks PAN-OS 5.0
- Scripts from https://github.com/cesanetwan/scripts/tree/agentle/paloalto (agentless branch)
- At least 1 Windows server running IAS/NPS
- The Palo-Alto Networks firewall must run PAN-OS 5.0
- As a convention, the script should be stored in a DFS share for replication purposes, i.e. \\%domainname%\scripts
- The script needs to be configured to trigger on Windows Event 6272
Revision History
Date           Revision   Comment
12 April 2013  1.0        Draft
References
https://github.com/cesanetwan/scripts/wiki/CEFilter-UID-RADIUS-script
https://live.paloaltonetworks.com/docs/DOC-3664
https://live.paloaltonetworks.com/docs/DOC-3120
https://live.paloaltonetworks.com/docs/DOC-1807


  • 3. User Identification in PAN-OS 4.1 encompasses two primary functions:
    • Mapping of those users to their current IP addresses
    • Enumeration of users and their associated group membership.
    1. IP – User Mapping
    a. IP - User Mapping ( with UID Agent )
    The first section is to map users to their current IP addresses. This section uses the UID agent to perform the function.
    Create service account, configure account permission and install UID agent
    1. Create a service account ( example Labuid ) in the DC.
    2. Log in to any computer that is a member of the domain; you do not need to install the UID agent on the AD server or domain controller.
    3. Log in with an account that has local administrator permission.
    4. Add Labuid as a member of the local Administrators group.
    5. Download the UID agent.
    6. Run the command prompt as administrator.
    7. Install from the command prompt.
    8. By default, the agent will be configured to log in as the user who installed the .msi file. In the screenshot that follows, you will see that the “Labuid” account that installed the agent is
  • 4. now the agent service account. Use the “Edit” button on the configuration window to change the service account to a restricted user account if desired.
    9. Allow the agent account to log on to the member server as a service. On the member server, open the “Local Security Policy” MMC.
    10. Under “Local Policies” > “User Rights Assignments”, add the service account to the “Log on as a service” option.
    11. For Win2K8, add the service account user to the “Event Log Readers” and “Server Operators” built-in local security groups in the domain.
    12. For Win2K3, the user right “Manage auditing and security log” must be given to that account. Edit the Default Domain Controller Security Policy, found under Programs -> Admin Tools. Drill down to Security Settings -> Local Policies -> User Rights Assignment. You will see the screen below.
  • 5. In the right-hand pane, locate the user right “Manage auditing and security log” and double-click that entry. You will see that only Administrators have that user right. Click Add User or Group, enter the username of the account you just created, and click Check Names to confirm that the account exists. The account name will become underlined.
  • 6. 13. Make sure that the service is running in the Services window.
    14. To check that you have configured the UID agent correctly, go to Start -> Palo Alto Networks -> User-ID Agent to open the UID agent GUI, then go to the Discovery tab; you will see the domain controller listed.
    15. To check that the UID agent successfully reads the event log and discovers the username, go to the Monitoring tab.
  • 7. 16. The next step is adding the UID agent in the firewall.
    Configure User-ID agent in the firewall
    17. Log in to the firewall.
    18. Go to the Device tab.
    19. Then the User Identification node; click the User-ID Agents sub-tab.
    20. Click Add, and then enter the name, IP address and port (default 5007). Click OK, then hit Commit.
    21. You will see the green button when the UID agent has successfully connected to the firewall.
  • 8. 22. To verify that the firewall receives the user-IP mapping, SSH to the firewall and execute the command below:
       admin@PA-200> show user ip-user-mapping all
    b. IP – User Mapping ( Agentless )
    The IP – User Mapping function that was performed by the User-ID agent can be replaced by agentless User-ID. Agentless User-ID allows the server monitoring to be run from the PAN device. The login which works on the User-ID agent most likely will not work with the agentless mode (additional permissions are needed).
    Create service account and configure account permission
    1. Create the service account in AD. This is utilized by the device. Be sure the user is part of the Distributed COM Users, Server Operators and Event Log Readers groups.
  • 9. 2. The device uses WMI authentication, so you must modify the CIMV2 security properties on the AD server the device connects to. Run wmimgmt.msc (on the domain controller) from the command prompt to open the console and select Properties as shown below.
    3. Select the Security tab of the WMI Control Properties and drill down to the CIMV2 folder. Select this folder and click the Security button.
    4. Add the service account from step 1. In this case, it's panrunner@nike.local. For this account, tick both Enable Account and Remote Enable.
  • 10. 5. After you’ve completed the permission setting for the UID account, you need to set up the UID configuration in the firewall.
    Configure UID in the firewall
    6. Log in to the firewall GUI.
    7. Go to the Device tab -> User Identification and select the User Mapping sub-tab.
    8. Under Server Monitoring, click Add and add the IP address of the server to be monitored.
  • 11. 9. Click Edit on the Palo Alto Networks User ID Agent Setup.
    10. Be sure to configure the username in domain\username format under the WMI Authentication tab, along with valid credentials for that user.
    11. Enable the Server Monitor options (enable security log / enable session) accordingly.
    12. Client probing is enabled by default, so disable it if desired.
    13. Click Commit.
    14. Confirm connectivity via the GUI and/or CLI as shown below.
  • 12. 15. Confirm ip-user-mapping is working as shown below.
  • 13. 2. User enumeration
    The second section is to configure enumeration of users and their associated group membership. Before a security policy can be written for groups of users, the relationships between the users and the groups they are members of must be established. This information is retrieved from an LDAP directory, such as Active Directory or eDirectory. The firewall or an agent will access the directory and search for group objects. Each group object will contain a list of user objects that are members. This list will be evaluated and will become the list of users and groups available in security policy and authentication profiles. The only method of retrieving this data is through LDAP queries from the firewall. An agent system can be configured to proxy the firewall's LDAP queries if the topology requires it.
    1. Log in to the firewall through the GUI.
    2. Go to the Device tab, then Server Profile -> LDAP, then click Add.
    3. List the directory servers that you want the firewall to use in the server list. You need to provide at least one server; two or more are recommended for failover purposes. The standard LDAP port for this configuration is 389.
    4. Enter the name of the domain in the “Domain” field. The domain name should be a NetBIOS name.
    5. Select a directory “Type”. Based on the selected directory type, the firewall can populate default values for attributes and object classes used for user and group objects in the directory server.
    6. Enter the base of the LDAP directory in the “Base” field. For example, if your Active Directory domain is “acme.local”, your base would be “dc=acme,dc=local”, unless you want to leverage an Active Directory Global Catalog.
    7. Enter a user name for a user with sufficient permission to read the LDAP tree. In an Active Directory environment, a valid username for this entry could be the “User Principal Name”, e.g. “administrator@acme.local”, but also the user's distinguished name, e.g. “cn=Administrator,cn=Users,dc=acme,dc=local”.
    8. Enter and confirm the authentication password for the user account that you entered above.
    9. In case you have difficulties identifying your directory base DN, you can simply follow these steps:
  • 14. a. Open the Active Directory Users and Groups management console on your domain controller.
    b. Select “Advanced Features” in the “View” menu of the management console.
    c. Select the top of your domain object and select “Properties”.
    d. Navigate to the “Attribute Editor” in the properties window and scroll to the “distinguishedName” attribute.
    e. Copy the content of this attribute into the LDAP Server configuration “Base” field in the firewall management UI.
    Group Mapping Settings
    After the LDAP server has been configured, you need to configure how groups and users are retrieved from the directory and which user groups are to be included in policies. In order to create a new group mapping entry, navigate to the “Device > User Identification” menu and create a new entry under the “Group Mapping Settings” tab. In this configuration, you specify which LDAP server profile is going to be used to identify users and groups.
    • Select the “LDAP Server Profile” you configured earlier in the “LDAP Server Profile” section in the drop-down list under “Server Profile”. All LDAP attributes and object classes will be pre-populated based on the directory server type you selected in the “LDAP Server Profile”. Under normal circumstances, you should not have to modify any of these attributes. Please refer to the Palo Alto Networks Administrator’s Guide for customizations of these attributes. The default update interval for changes in user groups is 3600 seconds (1 hour). You can customize this value to a shorter period if needed.
  • 15. Go to the Group Include List tab; leave this blank if you want to include ALL groups, or select the groups that you want to be mapped.
    3. IP – User Mapping through User-ID API
    3.1 User-ID agent API, Microsoft NPS, Microsoft DHCP integration
    Pre-requisite
    - Microsoft 2008 Server 64 Bit, Microsoft NPS, Microsoft DHCP server, Palo Alto Networks UID Agent
    - Scripts from https://github.com/cesanetwan/scripts/tree/master/paloalto
    - At least 1 Windows server running IAS/NPS
    - The server running the Palo-Alto User-ID Agent must have IP connectivity
    - The Palo-Alto User-ID Agent must have the User-ID XML API enabled
    - As a convention, the script should be stored in a DFS share for replication purposes, i.e. \\%domainname%\scripts
    - The script needs to be configured to trigger on Windows Event 6272
    - The User-ID timeout set in the Palo-Alto User ID Agent must be less than the session timeout on the wireless controller
  • 16. - The task must be configured to run under the designated sync account for the content filter at sites
    - Said account must be granted the log on as a service and log on as a batch job rights, in addition to full permissions to read, write and modify the installation directory of the Palo-Alto User ID Agent, and must additionally be a member of the "DHCP Users" built-in group in Active Directory
    - The ignore_user_list and UIDConfig.xml must be present in the installation directory of the Palo-Alto User ID Agent, and customised to the site's configuration as per the samples in this repository
    - The scheduled task should be configured to queue new instances should the task be running when a new instance is called, and modified to fit the template provided in this repository
    This integration script was provided and developed by the guys from Catholic Education SA, mainly Gareth Hill. Their link can be found at https://github.com/cesanetwan/scripts/wiki/CEFilter-UIDRADIUS-script
    The CESA UID RADIUS script is a means of enumerating 802.1x authorised users to the Palo Alto Networks User-ID Agent such that the appropriate filtering policies are applied automatically, allowing for a seamless user experience with Palo Alto Networks NGFW and User-ID.
    Lab Diagram
    Installation
    The steps below are to be used for the sample diagram above. Please change the variables according to the instructions at https://github.com/cesanetwan/scripts/wiki/CEFilter-UID-RADIUS-script
    1. Copy the file UIDRADIUSScript.vbs below to C:\Windows\SYSVOL\domain\scripts ( note that this can be changed to any location )
  • 17. UIDRADIUSScript.vbs
    2. Copy the file UIDConfig.xml below to C:\Program Files (x86)\Palo Alto Networks\User-ID Agent
    UIDConfig.xml
    3. Create a scheduled task to trigger on Windows Event 6272
  • 18.
  • 19. Click on Properties. Check Run with Highest Privileges.
  • 20.
  • 21. Change to Queue a new instance
  • 22. Right-click on the event and click Export Task to XML. Edit the task's XML to reflect the example XML file below: User-id.xml
    Importantly, the Triggers and the Exec sections:
    <Triggers>
      <EventTrigger>
        <Enabled>true</Enabled>
  • 23.   <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=6272]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
        <ValueQueries>
          <Value name="SubjectUserName">Event/EventData/Data[@Name='SubjectUserName']</Value>
          <Value name="CallingStationID">Event/EventData/Data[@Name='CallingStationID']</Value>
        </ValueQueries>
      </EventTrigger>
    </Triggers>
    Exec Section
    <Exec>
      <Command>C:\Windows\System32\cscript.exe</Command>
      <Arguments>C:\Windows\SYSVOL\domain\scripts\UIDRADIUSScript.vbs "$(SubjectUserName)" $(CallingStationID)</Arguments>
    </Exec>
    Then delete the original task and import the modified XML. Type in your username and password.
  • 24. Enable the task. Test by authenticating a user through 802.1x; you should then see the 802.1x-authenticated user appear in the User-ID agent Monitoring tab.
    UIDConfig.xml variables description
    <?xml version="1.0" encoding="UTF-8"?>
    <user-id-script-config>
      <domain>LAB</domain> - the domain of the site in question
      <LogFormat>DHCP</LogFormat> - the log format; valid values are NPS, IAS and DHCP, for the various methods of processing this information. In this example we’re using DHCP
      <AgentServer>192.168.6.3</AgentServer> - the server the UID agent is installed on
      <AgentPort>5008</AgentPort> - the port the User-ID XML API is listening on
      <Debug>1</Debug> - a debug flag (not implemented yet)
      <DHCPServer>main.lab.com</DHCPServer> - the DHCP server at the site in question, used to do remote queries if there are 2 NPS servers at a site
    </user-id-script-config>
    3.2 User-ID agentless API, Microsoft NPS, Microsoft DHCP integration ( Work in progress )
    Pre-requisite
    - Microsoft 2008 Server 64 Bit, Microsoft NPS, Microsoft DHCP server, Palo Alto Networks PANOS 5.0
    - Scripts from https://github.com/cesanetwan/scripts/tree/agentle/paloalto (Agentless branch)
    - At least 1 Windows server running IAS/NPS
    - The Palo-Alto Networks firewall must run PAN-OS 5.0
    - As a convention, the script should be stored in a DFS share for replication purposes, i.e. \\%domainname%\scripts
    - The script needs to be configured to trigger on Windows Event 6272
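The event-6272 handoff described in 3.1, as an added Python example that is not the CESA VBScript nor any Palo Alto Networks code: it normalises the CallingStationID the scheduled task passes in, resolves it against a DHCP lease table, and builds the <uid-message> login update the User-ID XML API on AgentServer:AgentPort expects. The lease table, the user names and the 20-minute timeout are constructed values; the real script queries the DHCP server named in <DHCPServer> instead of a dictionary.

```python
import re
import xml.etree.ElementTree as ET

# Values taken from the UIDConfig.xml above; the lease table is constructed
# for this demo and stands in for a query against <DHCPServer>.
UID_CONFIG = {"domain": "LAB", "AgentServer": "192.168.6.3", "AgentPort": 5008}
DHCP_LEASES = {
    "00-11-22-33-44-55": "192.168.6.50",   # constructed lease
    "aa-bb-cc-dd-ee-ff": "192.168.6.51",   # constructed lease
}


def normalise_mac(calling_station_id):
    """NPS writes CallingStationID in vendor-specific forms (00-11-22-33-44-55,
    00:11:22:33:44:55, 0011.2233.4455); key the lease table on one canonical form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", calling_station_id)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % calling_station_id)
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def lookup_ip(calling_station_id, leases=DHCP_LEASES):
    """Return the IP leased to the authenticated client, or None if no lease exists yet."""
    return leases.get(normalise_mac(calling_station_id))


def uid_timeout_ok(uid_timeout_min, wlc_session_timeout_min):
    """The prerequisite listed above: the User-ID timeout must be shorter than the
    wireless controller's session timeout, or a mapping can outlive the session."""
    return uid_timeout_min < wlc_session_timeout_min


def build_uid_message(subject_user_name, calling_station_id,
                      timeout_min=20, cfg=UID_CONFIG, leases=DHCP_LEASES):
    """Build the <uid-message> login update to send to AgentServer:AgentPort.
    Returns None when the MAC has no lease, so no user is mapped to a stale IP."""
    ip = lookup_ip(calling_station_id, leases)
    if ip is None:
        return None
    # Event 6272 carries a bare account name; the agent expects domain\user.
    if "\\" not in subject_user_name:
        subject_user_name = "%s\\%s" % (cfg["domain"], subject_user_name)
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    ET.SubElement(login, "entry", name=subject_user_name, ip=ip,
                  timeout=str(timeout_min))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Arguments as the task passes them: "$(SubjectUserName)" $(CallingStationID)
    print(build_uid_message("alice", "00:11:22:33:44:55"))
```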
  • 25. Revision History
    Date: 12 April 2013 | Revision: 1.0 | Comment: Draft
    References
    https://github.com/cesanetwan/scripts/wiki/CEFilter-UID-RADIUS-script
    https://live.paloaltonetworks.com/docs/DOC-3664
    https://live.paloaltonetworks.com/docs/DOC-3120
    https://live.paloaltonetworks.com/docs/DOC-1807