NSa2650 - SSO + LDAP + CFS

Hi!

I have this SSO + LDAP + CFS scenario.

So users are being identified and a CFS policy is assigned to them.

Everything is fine until one user logs out. And a minute later another user logs in.

Firewall is not refreshing this user from IP address and it is assigning the wrong CFS policy.

SSO is only working with DC logs.

I also tried with NETAPI/WMI, but the result is even worse. This method cannot even read the user from IP address.

Anyway, I just want to keep doing with DC logs. But I need to resolve the problem I have when one user logs out and another one logs in to the same PC.

Thanks!

Category: Mid Range Firewalls

  • Hi @SEBASTIAN,

    Thank you for visiting SonicWall Community.

    As per your description, it looks like the issue could be with the probe method that you are using. Please change the probe type on the SSO agent to pure WMI and also on the firewall too. WMI is used when you need accuracy, but it is a TCP protocol and may consume some time when compared to NetAPI. Also, set the probe interval on the firewall to 1 minute from the default value of 5 minutes.

    There is an option called Scan Users in the SSO agent and please have this checkbox disabled.

    Hope this helps.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • Hi @Saravanan

    It is not working with WMI.

    There is no AV or firewall at the client machine. UAC is also disabled.

    If I have a look at the logs I can see this message:

    "02/12/2021 09:10:12.261 TAG_ERROR Failed to query user by WMI, ip(192.168.33.10), result(The network path was not found)"

    The same from diagnostic tool:


  • Hi @SEBASTIAN,

    Thanks for the testing and screenshot.

    Could you please ensure you are using the latest SSO agent?

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • @SEBASTIAN - Could you please try with 4.1.19 and check? I don't see any sort of similar issue reported on this type.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • Hi @Saravanan

    Not working with 4.1.19 either.

    This test is also not working.


  • Hi!

    User refresh login state is resolved with this option at the SSO Domain Controller settings:

    Now when a user logs off and another user logs in from the same IP address, the correct CFS policy is applied.

    I still have problems with NetAPI and WMI probe. I have opened a ticket with Support.

    Thanks!

  • Hi @SEBASTIAN,

    Good to know that part of the issue is addressed. We really appreciate your efforts.

    Did you change the polling interval setting on the SSO agent to a different value to address the correct CFS policy not applying issue?

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • Hi @Saravanan

    Pull every 5 seconds is the default.

    This is just fine for me.

    Thanks.

  • Thanks @SEBASTIAN.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services
