Verify your User-ID agents are connected and running:
show user user-id-agent statistics
Name             Host            Port  Vsys   State      Ver  Usage
---------------------------------------------------------------------------
mia-pa-app01     172.10.200.11   5007  vsys1  conn:idle  5
nyc-pa-app01     172.20.200.11   5007  vsys1  conn:idle  5
Usage: 'P': LDAP Proxy, 'N': NTLM AUTH, 'C': Credential Enforcement
Verify your user mappings:
show user ip-user-mapping all
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.80.10.112    vsys1  UIA     cordero\kcordero                 85086          85086
10.20.30.24     vsys1  UIA     cordero\jsmith                   22594          22594
....
Filter it by the username:
show user ip-user-mapping all | match kcordero
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.80.10.112    vsys1  UIA     cordero\kcordero                 85086          85086
NOTE:
The UIA above under “From” means the mappings are being retrieved from a User-ID Agent.
AD (Active Directory) – The IP-user mapping collected by the agentless service
GP (GlobalProtect) – The IP-user mapping retrieved from GlobalProtect
UIA – The IP-user mapping retrieved from the User-ID Agent
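The following Python script is an added example, not part of the original post. It parses saved output of `show user ip-user-mapping all`, counts mappings per "From" source, and lists users mapped to more than one IP so those entries can be reviewed. The sample rows are constructed, and the parser assumes usernames contain no spaces and both timeout columns are numeric.

```python
import re
from collections import Counter, defaultdict

# "From" codes described in the note above; any other value is reported as-is.
SOURCES = {"AD": "agentless service", "GP": "GlobalProtect", "UIA": "User-ID Agent"}

# Constructed sample in the column layout shown on this page (not real data).
SAMPLE = """\
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
10.80.10.112    vsys1  UIA     cordero\\kcordero                 85086          85086
10.20.30.24     vsys1  UIA     cordero\\jsmith                   22594          22594
10.20.30.77     vsys1  GP      cordero\\jsmith                   1200           2592000
10.90.1.5       vsys1  AD      cordero\\svc-backup               310            2700
"""

# One mapping row: IPv4 address, vsys, source, user, idle timeout, max timeout.
ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<vsys>\S+)\s+(?P<src>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<idle>\d+)\s+(?P<max>\d+)\s*$"
)

def parse_mappings(text):
    """Return one dict per mapping row; header, rule and '....' lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["idle"], row["max"] = int(row["idle"]), int(row["max"])
            rows.append(row)
    return rows

def count_by_source(rows):
    """Number of mappings learned from each 'From' source."""
    return Counter(r["src"] for r in rows)

def users_with_multiple_ips(rows):
    """Users (case-insensitive) that currently map to more than one IP address."""
    by_user = defaultdict(set)
    for r in rows:
        by_user[r["user"].lower()].add(r["ip"])
    return {u: sorted(ips) for u, ips in by_user.items() if len(ips) > 1}

if __name__ == "__main__":
    rows = parse_mappings(SAMPLE)
    for src, n in count_by_source(rows).items():
        print(f"{src:4} {n:3}  {SOURCES.get(src, 'not described on this page')}")
    for user, ips in users_with_multiple_ips(rows).items():
        print(f"review: {user} is mapped to {', '.join(ips)}")
```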
Force group mapping:
debug user-id refresh group-mapping all
Test authentication for a user:
test authentication authentication-profile LDAP_Login username kcordero password