3 Replies Latest reply on May 30, 2014 11:13 AM by sliedl

    Passport Authenticator limit

    squidikus

      At some level it seems that my users begin to get blocked by my firewall for internet access. I check under manage passports and see that they do not have a passport from the firewall. Once I find a user who is inactive I revoke that passport and instantly the user with the connection issue receives a passport and internet access is restored.


      My question is: is there a limit on the S2008 firewall with regard to the number of passports?

        • 1. Re: Passport Authenticator limit
          sliedl

          What Authenticator are you using to generate Passports (i.e. MLC, AD, etc.)?


          What exact patch level are you running?

          • 2. Re: Passport Authenticator limit
            squidikus

            MLC 2.0


            8.2.3 Patch3


            Message was edited by: squidikus on 5/30/14 11:06:26 AM CDT
            • 3. Re: Passport Authenticator limit
              sliedl

              Are you using MLC 2.1?


              What do you mean by 'I check under manage passports and see that they do not have a passport' and then 'Once I find a user who is inactive I revoke that passport'?  Does this username already have a passport or not?  Also, is this user logging in from the same IP the previous passport (if there is one) was created for?


              You should also check on the MLC to see if it is going over its CPU limit and thus not sending new logon events to the firewall.  I think the default is if the CPU on the domain controller goes over 75% then MLC will stop watching the DC logon events for 20 minutes.  If this was the case, what you'd see is your users logging in to their PC, but when they go through the firewall they do not have a passport.  This is because MLC has stopped watching the DC logon events and thus has not communicated to the firewall that UsernameA just logged in from IP 1.2.3.4.


              There aren't any settings for 'max passports' so we are not hitting some type of limit there.


              There are a number of disparate reasons this could seemingly not be working correctly (the MLC CPU went too high, the FW lost connection to the MLC so it is caching old entries, etc.), or maybe this has nothing to do with authentication and Passport and there is some other reason the users get blocked.  Investigating the audit while this is happening would be helpful (the new 'aconn' command-line tool at 8.3.2P03 can be helpful to determine why traffic is skipping the rule you believe it should be hitting).