The “almost” complete guide of User-ID installation and configuration
Alberto Rivai
May 27, 2015

A quick documentation on how to install and configure User-ID in Palo Alto Networks firewall.
Contents

1. IP – User Mapping
   a. IP – User Mapping (with UID Agent)
      Create service account, configure account permission and install UID agent
      Configure User-ID agent in the firewall
   b. IP – User Mapping (Agentless)
      Create service account and configure account permission
      Configure UID in the firewall
2. User enumeration
3. IP – User Mapping through User-ID API
   3.1 User-ID agent API, Microsoft NPS, Microsoft DHCP integration
      Lab Diagram
      Installation
      UIDConfig.xml variables description
   3.2 User-ID agentless API, Microsoft NPS, Microsoft DHCP integration

User Identification in PAN-OS 4.1 encompasses two primary functions:

• Mapping of users to their current IP addresses

• Enumeration of users and their associated group membership

1. IP – User Mapping

a. IP – User Mapping (with UID Agent)

The first section maps users to their current IP addresses. It uses the User-ID (UID) agent, a Windows service installed on a domain member, to read logon events from the domain controllers and perform the function.

Create service account, configure account permission and install UID agent

1. Create a service account (example Lab\uid) in the domain. Treat it as a sensitive credential: it will be able to read the security logs of every domain controller, so give it a strong, unique password and do not reuse it elsewhere. It does not need to be a Domain Admin.

2. Log in to any computer that is a member of the domain. You do not need to install the UID agent on the AD server or domain controller.

3. Log in with an account that has local administrator permission.

4. Add Lab\uid as a member of the local Administrators group on that member server (this is needed by the agent installer and service on that one host only).

5. Download the UID agent.

6. Run a command prompt as administrator.

7. Install the agent .msi from that command prompt.

8. By default, the agent will be configured to log in as the user who installed the .msi file. In the screenshot that follows, you will see that the “Lab\uid” account that installed the agent is now the agent service account. Use the “Edit” button on the configuration window to change the service account to a restricted user account if desired.

9. Allow the agent account to log on to the member server as a service. On the member server open the “Local Security Policy” mmc.

10. Under “Local Policies” > “User Rights Assignment”, add the service account to the “Log on as a service” right.

11. For Win2K8, add the service account to the “Event Log Readers” and “Server Operators” built-in groups in the domain. Event Log Readers is what lets the agent read the domain controllers' security logs; Server Operators is only needed for server session monitoring, so leave it out if you do not enable that.

12. For Win2K3, the user right “Manage auditing and security log” must be given to that account. Edit the Default Domain Controller Security Policy, found under Programs -> Admin Tools. Drill down to Security Settings -> Local Policies -> User Rights Assignment. You will see the screen below.

In the right-hand pane, locate the user right “Manage auditing and security log” and double-click that entry. You will see that only Administrators have that user right.

Click Add User or Group.

Enter the username of the account you just created, and click Check Names to confirm that the account exists. The account name will become underlined.

13. Make sure that the service is running in the Services window.

14. To check that you have configured the UID agent correctly, go to Start -> Palo Alto Networks -> User-ID Agent, open the UID agent GUI and go to the Discovery tab; you should see the domain controller listed.

15. To check that the UID agent successfully reads the event log and discovers usernames, go to the Monitoring tab.

16. The next step is adding the UID agent in the firewall.

Configure User-ID agent in the firewall

17. Log in to the firewall.

18. Go to the Device tab.

19. Open the User Identification node and click the User-ID Agents sub-tab.

20. Click Add, then enter the name, IP address and port (default 5007). Click OK, then Commit.

21. The status indicator turns green once the firewall has successfully connected to the UID agent. The firewall initiates the connection to the agent's port, so that port must be reachable from the firewall's management interface (or the service route you configured).

22. To verify that the firewall receives the IP-to-user mappings, ssh to the firewall and execute the command below:

admin@PA-200> show user ip-user-mapping all
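As an added example (not from the original page and not Palo Alto Networks code), the following Python parses the text that command returns and reconciles it with the hosts you expect to be identified, which is the check you actually want after a commit: which hosts have no mapping at all, and which mappings are about to idle out and drop that host back to IP-only policy. The captured output is constructed; the column layout (IP, Vsys, From, User, IdleTimeout(s), MaxTimeout(s)) is assumed from PAN-OS 4.x/5.x, and the values in the From column are illustrative.

```python
"""Parse 'show user ip-user-mapping all' output and sanity-check it.
Added example; the sample output below is constructed, not a real capture."""
import ipaddress
import re

# Constructed sample of what the CLI prints (column layout assumed).
SAMPLE_OUTPUT = """\
admin@PA-200> show user ip-user-mapping all

IP               Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
---------------  ------ ------- -------------------------------- -------------- -------------
192.168.6.50     vsys1  UIA     lab\\alice                        2340           2640
192.168.6.51     vsys1  UIA     lab\\bob                          120            2640
10.10.0.7        vsys1  XMLAPI  lab\\carol                        3600           3600
Total: 3 users
"""

# One mapping row: six whitespace-separated columns, the last two numeric.
# The header, the dashed separator and the "Total:" line do not match.
ROW = re.compile(
    r"^(?P<ip>\S+)\s+(?P<vsys>\S+)\s+(?P<src>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<idle>\d+)\s+(?P<max>\d+)\s*$"
)


def parse_mappings(text):
    """Return {ip: {user, source, idle, max}} for every mapping row."""
    mappings = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])  # drops any stray non-IP row
        except ValueError:
            continue
        mappings[str(ip)] = {
            "user": m["user"],
            "source": m["src"],
            "idle": int(m["idle"]),
            "max": int(m["max"]),
        }
    return mappings


def unmapped_hosts(mappings, expected_ips):
    """Hosts you expect to be identified but for which the firewall has
    no mapping: traffic from them is matched by IP-based policy only."""
    return sorted(ip for ip in expected_ips if ip not in mappings)


def expiring_soon(mappings, within_s=300):
    """Mappings whose idle timer is within `within_s` seconds of lapsing.
    Once it lapses the host is treated as 'unknown' until a new logon
    event is seen, so a short idle timeout shows up here as policy flapping."""
    return sorted(ip for ip, m in mappings.items() if m["idle"] <= within_s)


def users_on_multiple_ips(mappings):
    """Same user mapped to several IPs at once. Often legitimate (LAN plus
    VPN), but a shared or service account showing up here will give its
    group-based policy to every one of those hosts."""
    by_user = {}
    for ip, m in mappings.items():
        by_user.setdefault(m["user"].lower(), []).append(ip)
    return {u: sorted(ips) for u, ips in by_user.items() if len(ips) > 1}


if __name__ == "__main__":
    found = parse_mappings(SAMPLE_OUTPUT)
    print("unmapped:", unmapped_hosts(found, ["192.168.6.50", "192.168.6.99"]))
    print("expiring:", expiring_soon(found))
    print("multi-ip:", users_on_multiple_ips(found))
```

Feed it the real output by pasting the CLI text into SAMPLE_OUTPUT or reading it from a file; the expected-host list would normally come from your DHCP scopes or asset inventory.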

b. IP – User Mapping (Agentless)

The IP – User Mapping function that was performed by the User-ID agent can instead be done by agentless User-ID, in which the firewall itself (rather than a Windows agent) reads the domain controllers' security logs over WMI.

The account that works with the User-ID agent most likely will not work with agentless User-ID, because additional permissions are needed.

Create service account and configure account permission

1. Create the service account in AD. This account is used by the device. Make sure the user is a member of the Distributed COM Users, Server Operators and Event Log Readers groups.

2. The device uses WMI authentication, so you must modify the CIMV2 namespace security on each AD server the device connects to.

3. Run wmimgmt.msc (on the domain controller) from the command prompt to open the console, then right-click WMI Control and select Properties as shown below.

4. Select the Security tab of the WMI Control Properties and drill down to the CIMV2 namespace. Select it and click the Security button. Add the service account from step 1 (in this case [email protected]) and, for this account, check both Enable Account and Remote Enable.

5. After you have completed the permission setting for the UID account, you need to set up the UID configuration in the firewall.

Configure UID in the firewall

6. Log in to the firewall GUI.

7. Go to Device tab -> User Identification and select the User Mapping sub-tab.

8. Under Server Monitoring, click Add and add the IP address of each server to be monitored.

9. Click Edit on the Palo Alto Networks User ID Agent Setup.

10. Under the WMI Authentication tab, enter the username in domain\username format along with valid credentials for that user.

11. Enable the Server Monitor options (enable security log / enable session) as required.

12. Client probing is enabled by default; disable it unless you specifically need it. When probing is on, the firewall authenticates with the service account credentials to every client it probes over WMI/NetBIOS, so a compromised or rogue host on a probed subnet gets a chance to capture or relay those credentials, and on a large network the probes are also a lot of noise.

13. Click Commit.

14. Confirm connectivity via the GUI and/or CLI as shown below.

15. Confirm that ip-user-mapping is working as shown below.

2. User enumeration

The second section configures enumeration of users and their associated group membership.

Before a security policy can be written for groups of users, the relationships between the users and the groups they are members of must be established. This information is retrieved from an LDAP directory, such as Active Directory or eDirectory. The firewall or an agent will access the directory and search for group objects. Each group object contains a list of user objects that are members. This list is evaluated and becomes the list of users and groups available in security policy and authentication profiles. The only method of retrieving this data is through LDAP queries from the firewall. An agent system can be configured to proxy the firewall's LDAP queries if the topology requires that.

1. Log in to the firewall GUI.

2. Go to the Device tab, then Server Profile -> LDAP, and click Add.

3. List the directory servers that you want the firewall to use in the server list. You need to provide at least one server; two or more are recommended for failover purposes. The standard LDAP port for this configuration is 389. Prefer LDAP over SSL (port 636, with the SSL option enabled in the profile) where the directory supports it, since the bind credentials entered below are otherwise sent in clear text.

4. Enter the name of the domain in the “Domain” field. The domain name should be the NetBIOS name.

5. Select a directory “Type”. Based on the selected directory type, the firewall populates default values for the attributes and object classes used for user and group objects in the directory server.

6. Enter the base of the LDAP directory in the “Base” field. For example, if your Active Directory domain is “acme.local”, your base would be “dc=acme,dc=local”, unless you want to leverage an Active Directory Global Catalog.

7. Enter a user name for a user with sufficient permission to read the LDAP tree. A plain domain user with read access is sufficient; the Administrator DN below only illustrates the format. In an Active Directory environment, a valid username for this entry could be the “User Principal Name”, e.g. “[email protected]”, but also the user's distinguished name, e.g. “cn=Administrator,cn=Users,dc=acme,dc=local”.

8. Enter and confirm the authentication password for the user account that you entered above.

9. If you have difficulty identifying your directory base DN, you can follow these steps:

a. Open the Active Directory Users and Computers management console on your domain controller.

b. Select “Advanced Features” in the “View” menu of the management console.

c. Select the top of your domain object and select “Properties”.

d. Navigate to the “Attribute Editor” tab in the properties window and scroll to the “distinguishedName” attribute.

e. Copy the content of this attribute into the LDAP Server configuration “Base” field in the firewall management UI.

Group Mapping Settings

After the LDAP server has been configured, you need to configure how groups and users are retrieved from the directory and which user groups are to be included in policies.

In order to create a new group mapping entry, navigate to the “Device > User Identification” menu and create a new entry under the “Group Mapping Settings” tab. In this configuration, you specify which LDAP server profile is going to be used to identify users and groups.

• Select the “LDAP Server Profile” you configured earlier in the “LDAP Server Profile” section in the drop-down list under “Server Profile”. All LDAP attributes and object classes will be pre-populated based on the directory server type you selected in the “LDAP Server Profile”. Under normal circumstances, you should not have to modify any of these attributes. Please refer to the Palo Alto Networks Administrator’s Guide for customizations of these attributes.

The default update interval for changes in user groups is 3600 seconds (1 hour). You can customize this value to a shorter period if needed; until the next refresh, a user added to or removed from a group keeps the old group membership in policy.

Go to the Group Include List tab. Leave it blank if you want to include ALL groups, or select the groups that you want to be mapped. Including only the groups you actually reference in policy keeps the mapping small and the refresh fast.

3. IP – User Mapping through User-ID API

3.1 User-ID agent API, Microsoft NPS, Microsoft DHCP integration

Pre-requisites

- Microsoft 2008 Server 64 Bit
- Microsoft NPS
- Microsoft DHCP server
- Palo Alto Networks UID Agent
- Scripts from https://github.com/cesanetwan/scripts/tree/master/paloalto
- At least 1 Windows server running IAS/NPS
- The server running the Palo-Alto User-ID Agent must have IP connectivity
- The Palo-Alto User-ID Agent must have the User-ID XML API enabled
- As a convention, the script should be stored in a DFS share for replication purposes, i.e. %domainname%\scripts\
- The script needs to be configured to trigger on Windows Event 6272
- The User-ID timeout set in the Palo-Alto User ID Agent must be less than the session timeout on the wireless controller
- The task must be configured to run under the designated sync account for the content filter at sites
- Said account must be granted log on as a service and log on as a batch job rights, in addition to full permissions to read, write and modify the installation directory of the Palo-Alto User ID Agent, and additionally be a member of the "DHCP Users" built-in group in Active Directory
- The ignore_user_list and UIDConfig.xml must be present in the installation directory of the Palo-Alto User ID Agent, and customised to the site's configuration as per the samples in this repository
- The scheduled task should be configured to queue new instances should the task be running when a new instance is called, and modified to fit the template provided in this repository

This integration script was provided and developed by the guys from Catholic Education SA, mainly Gareth Hill. Their link can be found at https://github.com/cesanetwan/scripts/wiki/CEFilter-UID-RADIUS-script

The CESA UID RADIUS script is a means of enumerating 802.1x authorised users to the Palo-Alto Networks User-ID Agent such that the appropriate filtering policies are applied automatically, allowing for a seamless user experience with Palo Alto Networks NGFW and User-ID.

Lab Diagram

Installation

The steps below are to be used for the above sample diagram. Please change the variables according to the instructions at https://github.com/cesanetwan/scripts/wiki/CEFilter-UID-RADIUS-script

1. Copy the file UIDRADIUSScript.vbs to C:\Windows\SYSVOL\domain\scripts\ (note that this can be changed to any location).

UIDRADIUSScript.vbs

2. Copy the file UIDConfig.xml to C:\Program Files (x86)\Palo Alto Networks\User-ID Agent\

UIDConfig.xml

3. Create a scheduled task that triggers on Windows Event 6272. In the task's Properties, check “Run with highest privileges”, and under Settings change “If the task is already running” to “Queue a new instance”.

4. Right-click the task and click Export to save it as XML. Edit the task's XML to reflect the example XML file below (User-id.xml). The important parts are the Triggers and the Exec sections. Note that both $(SubjectUserName) and $(CallingStationID) are substituted straight into the cscript command line, so keep the substituted values quoted and have the script validate them rather than trusting them.

User-id.xml

<Triggers>
  <EventTrigger>
    <Enabled>true</Enabled>
    <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=6272]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    <ValueQueries>
      <Value name="SubjectUserName">Event/EventData/Data[@Name='SubjectUserName']</Value>
      <Value name="CallingStationID">Event/EventData/Data[@Name='CallingStationID']</Value>
    </ValueQueries>
  </EventTrigger>
</Triggers>

Exec Section

<Exec>
  <Command>C:\Windows\System32\cscript.exe</Command>
  <Arguments>C:\Windows\SYSVOL\domain\scripts\UIDRADIUSScript.vbs "$(SubjectUserName)" $(CallingStationID)</Arguments>
</Exec>

Then delete the original task and import the modified XML.

When prompted, enter the username and password of the service account the task runs under (the sync account from the prerequisites).

Enable the task.

Test by authenticating a user through 802.1x; you should then see the 802.1x-authenticated user appear in the User-ID agent Monitoring tab.

UIDConfig.xml variables description

<?xml version="1.0" encoding="UTF-8"?>
<user-id-script-config>
<domain>LAB</domain>
<LogFormat>DHCP</LogFormat>
<AgentServer>192.168.6.3</AgentServer>
<AgentPort>5008</AgentPort>
<Debug>1</Debug>
<DHCPServer>main.lab.com</DHCPServer>
</user-id-script-config>

- domain: the domain of the site in question
- LogFormat: the log format; valid values are NPS, IAS and DHCP, for the various methods of processing this information. In this example we are using DHCP.
- AgentServer: the server the UID agent is installed on
- AgentPort: the port the User-ID XML API is listening on
- Debug: a debug flag (not implemented yet)
- DHCPServer: the DHCP server at the site in question, used to do remote queries if there are 2 NPS servers at a site
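The work that the scheduled task and UIDRADIUSScript.vbs do between them (sections 3.1 and 3.2) can be shown end to end in a few lines. The Python below is an added example; it is not the CESA script and not Palo Alto Networks code. It reads the UIDConfig.xml settings, pulls SubjectUserName and CallingStationID out of a constructed event 6272 (the same two fields the task's ValueQueries extract), normalises the MAC that NPS logs as Calling-Station-Id, resolves it to an IP through a constructed DHCP lease table, honours an ignore_user_list, and builds the User-ID XML API login message the agent accepts on AgentPort. Actually sending it over the socket is left out so the example runs offline. For the agentless variant of section 3.2 the same message goes to the firewall's own XML API as a type=user-id request; the API key parameter there is assumed.

```python
"""Event 6272 -> User-ID XML API login message. Added example; the event,
DHCP leases, ignore list and config below are constructed for offline use."""
import re
import xml.etree.ElementTree as ET

# Constructed UIDConfig.xml, same elements as the page's sample.
UID_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<user-id-script-config>
  <domain>LAB</domain>
  <LogFormat>DHCP</LogFormat>
  <AgentServer>192.168.6.3</AgentServer>
  <AgentPort>5008</AgentPort>
  <Debug>1</Debug>
  <DHCPServer>main.lab.com</DHCPServer>
</user-id-script-config>"""

# Constructed event 6272 (NPS "access granted") in the XML shape Event
# Viewer exports; only the elements this example needs are included.
EVENT_6272 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6272</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="SubjectDomainName">LAB</Data>
    <Data Name="CallingStationID">00-11-22-AA-BB-CC</Data>
  </EventData>
</Event>"""

# Constructed DHCP lease table (MAC -> IP). The real script queries the
# DHCP server named in <DHCPServer> for this.
DHCP_LEASES = {"001122aabbcc": "192.168.6.50"}

# Constructed ignore_user_list: accounts that must never produce a mapping.
IGNORE_USERS = {"host/pc1.lab.com", "svc-nps"}

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def load_config(xml_text):
    """UIDConfig.xml -> {element name: text}."""
    root = ET.fromstring(xml_text)
    return {child.tag: (child.text or "").strip() for child in root}


def event_fields(xml_text):
    """Return (SubjectUserName, CallingStationID) from an event 6272."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.findall(".//e:Data", NS)}
    return data["SubjectUserName"], data["CallingStationID"]


def normalize_mac(calling_station_id):
    """NPS logs Calling-Station-Id in whatever form the NAS sent it
    (00-11-22-AA-BB-CC, 00:11:22:aa:bb:cc, 0011.22aa.bbcc). Reduce all of
    them to 12 lowercase hex digits; return None for anything else, e.g.
    a VPN concentrator that puts the client IP in that attribute."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", calling_station_id).lower()
    return hexdigits if len(hexdigits) == 12 else None


def build_uid_message(domain, user, ip, timeout_min=60):
    """User-ID XML API 'login' update (timeout is in minutes)."""
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "1.0"
    ET.SubElement(msg, "type").text = "update"
    login = ET.SubElement(ET.SubElement(msg, "payload"), "login")
    ET.SubElement(login, "entry", name=f"{domain}\\{user}", ip=ip,
                  timeout=str(timeout_min))
    return ET.tostring(msg, encoding="unicode")


def map_event(event_xml, config, leases, ignore):
    """Return (uid-message, 'ok') or (None, reason) for one event."""
    user, csid = event_fields(event_xml)
    if user.lower() in {u.lower() for u in ignore} or user.endswith("$"):
        return None, "ignored user"          # service/machine accounts
    mac = normalize_mac(csid)
    if mac is None:
        return None, f"not a MAC: {csid}"
    ip = leases.get(mac)
    if ip is None:
        return None, f"no DHCP lease for {mac}"
    return build_uid_message(config["domain"], user, ip), "ok"


def agentless_api_params(api_key, uid_message):
    """Section 3.2: the same message sent to the firewall XML API
    (https://<firewall>/api/) as a type=user-id request."""
    return {"type": "user-id", "key": api_key, "cmd": uid_message}


if __name__ == "__main__":
    cfg = load_config(UID_CONFIG)
    msg, why = map_event(EVENT_6272, cfg, DHCP_LEASES, IGNORE_USERS)
    print(why)
    print(msg)  # would be sent to cfg["AgentServer"]:cfg["AgentPort"]
```

The three None branches are the cases the page's prerequisites hint at: accounts on the ignore_user_list, a Calling-Station-Id that is not a MAC, and a MAC the DHCP server has no lease for yet (common right after 802.1x succeeds, which is why the real script queues instances rather than running them in parallel).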

3.2 User-ID agentless API, Microsoft NPS, Microsoft DHCP integration (work in progress)

Pre-requisites

- Microsoft 2008 Server 64 Bit
- Microsoft NPS
- Microsoft DHCP server
- Palo Alto Networks PAN-OS 5.0
- Scripts from https://github.com/cesanetwan/scripts/tree/agentle/paloalto (agentless branch)
- At least 1 Windows server running IAS/NPS
- The Palo-Alto Networks firewall must run PAN-OS 5.0
- As a convention, the script should be stored in a DFS share for replication purposes, i.e. %domainname%\scripts\
- The script needs to be configured to trigger on Windows Event 6272

Revision History

Date           Revision  Comment
12 April 2013  1.0       Draft

References

https://github.com/cesanetwan/scripts/wiki/CEFilter-UID-RADIUS-script

https://live.paloaltonetworks.com/docs/DOC-3664

https://live.paloaltonetworks.com/docs/DOC-3120

https://live.paloaltonetworks.com/docs/DOC-1807