Enable Policy for Users with Multiple Accounts
Focus
Focus

Enable Policy for Users with Multiple Accounts

Table of Contents
End-of-Life (EoL)

Enable Policy for Users with Multiple Accounts

If a user in your organization has multiple responsibilities, that user might have multiple usernames (accounts), each with distinct privileges for accessing a particular set of services, but with all the usernames sharing the same IP address (the client system of the user). However, the User-ID agent can map any one IP address (or IP address and port range for terminal server users) to only one username for enforcing policy, and you can’t predict which username the agent will map. To control access for all the usernames of a user, you must make adjustments to the rules, user groups, and User-ID agent.
For example, say the firewall has a rule that allows username corp_user to access email and a rule that allows username admin_user to access a MySQL server. The user logs in with either username from the same client IP address. If the User-ID agent maps the IP address to corp_user, then whether the user logs in as corp_user or admin_user, the firewall identifies that user as corp_user and allows access to email but not the MySQL server. On the other hand, if the User-ID agent maps the IP address to admin_user, the firewall always identifies the user as admin_user regardless of login and allows access to the MySQL server but not email. The following steps describe how to enforce both rules in this example.
  1. Configure a user group for each service that requires distinct access privileges.
    In this example, each group is for a single service (email or MySQL server). However, it is common to configure each group for a set of services that require the same privileges (for example, one group for all basic user services and one group for all administrative services).
    If your organization already has user groups that can access the services that the user requires, simply add the username that is used for less restricted services to those groups. In this example, the email server requires less restricted access than the MySQL server, and corp_user is the username for accessing email. Therefore, you add corp_user to a group that can access email (corp_employees) and to a group that can access the MySQL server (network_services).
    If adding a username to a particular existing group would violate your organizational practices, you can create a custom group based on an LDAP filter. For this example, say network_services is a custom group, which you configure as follows:
    1. Select DeviceUser IdentificationGroup Mapping Settings and Add a group mapping configuration with a unique Name.
    2. Select an LDAP Server Profile and ensure the Enabled check box is enabled.
    3. Select the Custom Group tab and Add a custom group with network_services as a Name.
    4. Specify an LDAP Filter that matches an LDAP attribute of corp_user and click OK.
    5. Click OK and Commit.
      Later, if other users that are in the group for less restricted services are given additional usernames that access more restricted services, you can add those usernames to the group for more restricted services. This scenario is more common than the inverse; a user with access to more restricted services usually already has access to less restricted services.
  2. Configure the rules that control user access based on the groups you just configured.
    1. Configure a security rule that allows the corp_employees group to access email.
    2. Configure a security rule that allows the network_services group to access the MySQL server.
  3. Configure the ignore list of the User-ID agent.
    This ensures that the User-ID agent maps the client IP address only to the username that is a member of the groups assigned to the rules you just configured. The ignore list must contain all the usernames of the user that are not members of those groups.
    In this example, you add admin_user to the ignore list of the Windows-based User-ID agent to ensure that it maps the client IP address to corp_user. This guarantees that, whether the user logs in as corp_user or admin_user, the firewall identifies the user as corp_user and applies both rules that you configured because corp_user is a member of the groups that the rules reference.
    1. Create an ignore_user_list.txt file.
    2. Open the file and add admin_user.
      If you later add more usernames, each must be on a separate line.
    3. Save the file to the User-ID agent folder on the domain server where the agent is installed.
      If you use the PAN-OS integrated User-ID agent, see Configure User Mapping Using the PAN-OS Integrated User-ID Agent for instructions on how to configure the ignore list.
  4. Configure endpoint authentication for the restricted services.
    This enables the endpoint to verify the credentials of the user and preserves the ability to enable access for users with multiple usernames.
    In this example, you have configured a firewall rule that allows corp_user, as a member of the network_services group, to send a service request to the MySQL server. You must now configure the MySQL server to respond to any unauthorized username (such as corp_user) by prompting the user to enter the login credentials of an authorized username (admin_user).
    If the user logs in to the network as admin_user, the user can then access the MySQL server without it prompting for the admin_user credentials again.
    In this example, both corp_user and admin_user have email accounts, so the email server won’t prompt for additional credentials regardless of which username the user entered when logging in to the network.
    The firewall is now ready to enforce rules for a user with multiple usernames.