Basic Palo Alto User Agent/ID Troubleshooting

Verify your User-ID agents are connected and running:

show user user-id-agent statistics

Name             Host            Port  Vsys    State             Ver Usage
mia-pa-app01                     5007  vsys1   conn:idle         5
nyc-pa-app01                     5007  vsys1   conn:idle         5

Usage: 'P': LDAP Proxy, 'N': NTLM AUTH, 'C': Credential Enforcement

Verify your user mappings:

show user ip-user-mapping all

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
                vsys1  UIA     cordero\kcordero                  85086          85086
                vsys1  UIA     cordero\jsmith                    22594          22594

The UIA above under “From” means the mappings are being retrieved from a User-ID Agent.
AD – The IP-user mapping collected by the agentless service
UIA – The IP-user mapping retrieved from the User-ID Agent
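
To review a long mapping table offline, the following Python parser (an added example, not part of the original note or of PAN-OS) counts mappings per "From" source and lists those close to expiry. It assumes IPv4 rows with numeric timeouts; the sample rows, the 300-second threshold and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout of "show user ip-user-mapping all".
# IPs are documentation addresses (RFC 5737); users and timeouts are made up.
SAMPLE = r"""
IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
192.0.2.10      vsys1  UIA     example\alice                    2580           2580
192.0.2.11      vsys1  AD      example\bob                      120            120
192.0.2.12      vsys1  UIA     example\carol                    45             45
"""

# One data row: IPv4, vsys, source ("From"), user, idle timeout, max timeout.
ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<vsys>\S+)\s+(?P<source>\S+)\s+"
    r"(?P<user>.+?)\s+(?P<idle>\d+)\s+(?P<max>\d+)\s*$"
)

def parse_mappings(text):
    """Return one dict per mapping row; header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["idle"], row["max"] = int(row["idle"]), int(row["max"])
            rows.append(row)
    return rows

def count_by_source(rows):
    """How many mappings each source (the "From" column) supplied."""
    return dict(Counter(r["source"] for r in rows))

def expiring(rows, threshold=300):
    """Mappings whose idle timeout is below `threshold` seconds."""
    return [r for r in rows if r["idle"] < threshold]

if __name__ == "__main__":
    rows = parse_mappings(SAMPLE)
    print(count_by_source(rows))
    for r in expiring(rows):
        print(f'{r["ip"]} {r["user"]} from {r["source"]} expires in {r["idle"]}s')
```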

Force group mapping:

debug user-id refresh group-mapping all

Test authentication for a user:

test authentication authentication-profile LDAP_Login username kcordero password