To ensure that the firewall has the most current user mapping
information as users roam and obtain new IP addresses, configure
timeouts for clearing user mappings from the firewall cache. This
timeout applies to user mappings learned through any method except
Authentication Portal. For mappings learned through Authentication
Portal, set the timeout in the Authentication Portal Settings (Device > User Identification
> Authentication Portal Settings,
To match usernames collected from User-ID sources even if a domain
is not included, configure the firewall to allow matching usernames
without domains. You should only use this option if the usernames
in your organization are not duplicated across domains.
Enable User Identification Timeout
Select this option to enable a timeout value
for user mapping entries. When the timeout value is reached for
an entry, the firewall clears it and collects a new mapping. This
ensures that the firewall has the most current information as users
roam and obtain new IP addresses.
the timeout to ensure the firewall has the most current user-to-IP-address
User Identification Timeout (min)
Set the timeout value in minutes for user
mapping entries (range is 1 to 3,600; default is 45).
Set the timeout value to the half-life
of the DHCP lease or to the Kerberos ticket lifetime.
you configure firewalls to redistribute mapping information, each
firewall clears the mapping entries it receives based on the timeout
you set on that firewall, not on the timeouts set in the forwarding
Allow matching usernames without domains
Select this option to allow the firewall
to match users if the domain is not provided by the User-ID source.
To prevent users from being misidentified, only select this option
if your usernames are not duplicated across domains.
you enable this option, verify that the firewall has fetched the
group mappings from the LDAP server.