User Mappings are mapped to the wrong Security Policy when using multiple Attributes

User Mappings are mapped to the wrong Security Policy when using multiple Attributes

2538
Created On 10/29/20 15:05 PM - Last Modified 03/13/21 00:27 AM


Symptom
The customer can run into a scenario where the users are mapped to a wrong Security Policy if they have multiple accounts. For instance, users can have a Standard and an Admin account. And, the Standard users are matched to Security Policy for Admin users because of the unique attribute they share. 

PAN-OS support Multiple Username Formats. This is configured via user-id attributes. More info here. If you have multiple accounts for the same user, for instance, Standard and Admin accounts:
FW(active)> show user ip-user-mapping all | match 066n
10.161.132.51    vsys2 UIA    adm\a-066n         1150          1150
10.110.65.44     vsys2 UIA    std\066n           7054          705

And the Standard user std\066n are mapping to a Security Policy for Admin users, this may be because of the unique attribute they have. For instance, the below output shows the Admin account having the same email address as the Standard Account, and thereby the user std\066n is matched with a Security Policy for Admins. You can see that the adm\a-066n is shown as Primary for std\066n.
 
FW(active)> show user user-attributes user std\066n

Primary: adm\a-066n Email: 066n@mail.com
Alt User Names:
1) 066n@mail.com
2) std\066n

FW(active)> show user user-attributes user adm\a-066n

Primary: adm\a-066n Email: 066n@mail.com
Alt User Names:
1) 066n@mail.com
2) std\066n


Environment
  • PAN-OS 8.1 and above.
  • Palo Alto Firewalls.
  • User ID configured
  • Users with multiple accounts with common email or other attributes.


 



Cause
If a user-id attribute is unique, the user will match to a wrong security policy if they have multiple accounts. For instance, the user can have a standard and an admin account. SAMAccountName can be different. They can exist as two different users.

Resolution
This is expected because of the unique mail attribute.
As a workaround, one can ignore the common attribute between the two users by adding a dummy value or change the attribute in the Active Directory for one of the Users.
For Example, In the above scenario, the mail attribute is configured with "mail1". Adding a dummy value for an attribute will prevent retrieving the values. 

User-added image

Primary Username = sAMAccountName
E-mail = left blank or 'mail1'
Alternate Username 1 = userPrincipalName


Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBOt&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language