
Identity Awareness (AD Query) not applying Identities in Rulebase

Jump to solution

Hello,

I'm looking at an issue with Identity awareness AD Query. From looking at the CPview, pdpd & pepd debug files I can see that identities are being gathered and stored on the gateway; PDP monitor has confirmed this. On the central management server, I am able to create access roles with the correct AD account set within & add them to the rulebase. However when testing the rule, my traffic hits the cleanup rule and is skipping the AD rule I have set. 

I am struggling to understand why this is happening as the gateway has knowledge of each AD user and associated IP address, as far as I can see all the required services are up. The gateway is also actively receiving events from multiple domain controllers.

Gateway is R80.20 Take 19 IAAS Azure

Management is R80.30 

Is anybody able to point me in the right direction?


Accepted Solutions

Hi,

 

I went back over the LDAP configuration again & found that the information in the LDAP account was correct. However when I took a look at the access roles in use I found they were pointing towards another LDAP account present on the management server, once I changed it to the new LDAP account I had created it started working. I'm now in the process of removing the obsolete LDAP accounts from the management server.

 

Thanks all for your help.

Have you verified the LDAP portion of the config is correct and working?
This is needed to correctly associate users with their groups, and thus their access roles.

Thanks for your response @PhoneBoy , yes I believe it is all correct and working. The Account used is a domain administrator & I can see the AD user information such as group membership is being pulled through, both when adding users to access roles on the management server & when running a PDP monitor on the gateway.

It looks like all the required information is present on the gateway but just not being used.


Have you verified the pepd daemon is running?

Here are a couple of useful commands to test whether pepd is doing its job:

#pep show stat – shows basic status of the PEP

#pep show pdp all – shows status of the PDPs

#pep show user query usr <username> – shows identity status of a single user. Useful to confirm that the PEP has received identity data from the PDP.

#pep show user query cid <IP address> – shows identity status of a single IP address

Dave

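As an added illustration (not Check Point's code, and a deliberately simplified model of the matching logic), the following shows why identities that are demonstrably present on the PEP, as the pep commands above confirm, can still fall through to the cleanup rule when the access role is bound to a different LDAP Account Unit than the one the identities were resolved against, which is the cause found in the accepted solution. The identity, group, rule and Account Unit names are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Tuple
# Simplified model constructed for this example (not Check Point code): the PDP resolves a
# user through one LDAP Account Unit; an access role is bound to a specific Account Unit.
@dataclass
class Identity:               # what the PEP holds for a source IP
    ip: str
    user: str
    account_unit: str         # Account Unit the PDP resolved the user with
    groups: frozenset = field(default_factory=frozenset)

@dataclass
class AccessRole:             # access role as defined on the management server
    name: str
    account_unit: str         # Account Unit the role's groups are bound to
    groups: frozenset

def role_matches(identity: Identity, role: AccessRole) -> bool:
    """Identity satisfies the role only if it came from the same Account Unit
    AND shares at least one group with it."""
    return identity.account_unit == role.account_unit and bool(identity.groups & role.groups)

def first_match(rulebase, identity: Identity) -> str:
    """First-match evaluation; a rule whose role is None matches any source."""
    for rule_name, role in rulebase:
        if role is None or role_matches(identity, role):
            return rule_name
    return "implicit-drop"

def diagnose(identity: Identity, role: AccessRole) -> List[str]:
    """Explain why an identity present on the PEP still misses a role."""
    reasons = []
    if identity.account_unit != role.account_unit:
        reasons.append(f"role bound to Account Unit '{role.account_unit}', "
                       f"identity resolved via '{identity.account_unit}'")
    if not identity.groups & role.groups:
        reasons.append("no group overlap between identity and role")
    return reasons
FINANCE = "CN=Finance,OU=Groups,DC=corp,DC=example"   # constructed group DN
SAMPLE_IDENTITY = Identity("10.1.2.3", "CORP\\alice", "new_ldap", frozenset({FINANCE}))

def build_rulebase(role_account_unit: str):
    """One access-role rule followed by the cleanup rule (role None = Any)."""
    role = AccessRole("Finance-Users", role_account_unit, frozenset({FINANCE}))
    return [("allow-finance", role), ("cleanup", None)]

def demo() -> Tuple[str, str]:
    """Same identity against the role bound to the wrong, then the right, Account Unit."""
    return (first_match(build_rulebase("old_ldap"), SAMPLE_IDENTITY),
            first_match(build_rulebase("new_ldap"), SAMPLE_IDENTITY))
```

Running demo() returns ('cleanup', 'allow-finance'): the same identity is ignored while the role points at the stale Account Unit and matches once the role is repointed, and diagnose() names the mismatch.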