Palo Alto Networks Knowledgebase: How Does Active Directory (AD) Auto Discover Work for Agentless User-ID?

How Does Active Directory (AD) Auto Discover Work for Agentless User-ID?

3832
Created On 02/08/19 00:01 AM - Last Updated 02/08/19 00:02 AM
User-ID
Resolution

For Agentless User-ID, the Palo Alto Networks device sends a standard query to the DNS server configured on the device. The DNS server must be a local DNS server that's part of the domain or a third-party DNS server that knows all the domain mappings.

 

Note: PAN-OS User Mapping (Agentless User-ID) is a feature introduced in PAN-OS 5.0.

 

Details

The following is a screenshot of a working query:


1.png

The query above should give the following result:

2.png

 

Possible Issues

  1. No configured domain
    1. If a domain is not configured, a "No domain configured" error appears.
      3.png
    2. The domain is configured in General Settings on the Device > Setup page under Management.
      4.png
  2. Issues with the configured DNS server. You can have multiple issues with the DNS server:
    1. No DNS server is configured on the Palo Alto Networks device.
    2. An internal DNS server is configured, but it does not have all the necessary domain mappings.
    3. A public DNS server is used. The following is an example of a capture where a public DNS is used:
      5.png

 

owner: rvanderveken



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClYKCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language