Solving the IP-to-User Mapping Challenge After Cloud Migration of Active Directory

This blog post explores the critical challenges in maintaining IP-to-user mapping when migrating Active Directory to the cloud, and details an innovative solution using Juniper Mist NAC, AWS services, and API integration with corporate firewalls. Organizations transitioning to cloud-based identity services often face significant gaps in user attribution and security policy enforcement that require creative architectural approaches to resolve.

The Challenge: IP-to-User Mapping in a Cloud-First World

Understanding the Problem

When organizations migrate their on-prem AD to cloud environment, one of the most significant challenges they face is maintaining accurate IP-to-user mapping. Traditionally, on-prem AD servers provide this critical mapping through authentication processes, allowing network security teams to identify which users are using which IP addresses at any given time. This mapping forms the foundation for:

• User-based security policies
• Accurate attribution in security incidents
• Compliance requirements for user activity monitoring
• Troubleshooting network issues

In on-prem environments, domain controllers track user logins, and network security devices like firewalls can query this information directly or receive it through agents. However, when AD moves to the cloud, this direct communication path often breaks, creating significant visibility gaps for security teams.

Impact on Network Security Enforcement
Without accurate IP-to-user mapping, organizations face several critical security challenges:

Network security is fundamentally about maintaining visibility and control over who accesses what resources. When user identity information is lost, security teams must rely solely on IP addresses, which are insufficient for modern zero-trust security models. The consequences include:

• Inability to enforce user-based access policies
• Reduced effectiveness of security investigations
• Compliance gaps in user activity monitoring
• Less granular security controls
• Increased difficulty in troubleshooting network issues

These challenges are particularly acute in organizations that have invested heavily in identity-based security controls, as the migration to cloud-based identity services can unintentionally undermine these investments.

Looking for other reliable sources
Organizations can leverage several reliable methods to maintain IP-to-user mapping. Below are the most common approaches, each with distinct advantages and use cases:

1.Always On VPN Solutions
Modern Always On VPN implementations provide persistent connectivity and user attribution through authentication logs. This approach is ideal for organizations with remote users requiring secure, identity-based access to cloud resources. This solution integrates seamlessly with SASE architectures.

2. Captive Portal Authentication
Systems like Palo Alto’s Captive Portal enforce user authentication before network access:

• LDAP/MFA integration validates credentials against cloud directories (e.g., Azure AD, Okta) while enforcing multi-factor authentication.
• User-ID mapping automatically associates authenticated users with their IP addresses for firewall policy enforcement.
• BYOD support allows non-domain devices to access resources without domain membership.

Captive portals are particularly effective for guest networks or environments with unmanaged devices.

3.Syslog-Based User-ID Mapping

Firewalls like Palo Alto Networks and FortiGate (with the help of FortiAuthenticator) can ingest authentication logs to build IP-user mappings:

• Syslog parsing extracts usernames and IPs from authentication events.
• Native support some solution might provide predefined profiles for third-party systems like Cisco ASA, Juniper devices, Citrix gateways and more.

This method suits organizations with existing SIEM or log aggregation infrastructure.

4. API-Driven Integration

Custom integrations using vendor APIs enable real-time user mapping updates:

• Palo Alto XML API allows scripts to push user-IP pairs directly to firewalls.
• Juniper Mist API provides RADIUS accounting data for cloud-native environments.
• AWS Lambda processing can transform logs from diverse sources (e.g., VPNs, NAC) into firewall-compatible formats.

API-based approaches offer maximum flexibility for organizations with bespoke authentication workflows.

Key Considerations for Implementation

Organizations should evaluate these options based on their existing infrastructure, security requirements, and cloud adoption stage. Hybrid approaches (e.g., combining syslog parsing with API-driven updates) often provide the most resilient solution.

Our Custom Solution Architecture
Overview
To address the IP-to-user mapping challenge in our environment, we developed a custom solution that leverages:

1. Juniper Mist NAC: For user authentication and accounting logs
2. AWS API Gateway: To receive and process NAC accounting logs
3. AWS Lambda: To extract relevant mapping information and construct an API call to our corporate FW
4. Corporate FW API: To update user-ID mappings

This architecture provides a scalable, cost-effective solution that maintains accurate IP-to-user mapping without the need for additional commercial software licenses.

Component Breakdown

Juniper Mist NAC

Juniper Mist Access Assurance serves as the foundation of our solution, providing authentication services and detailed accounting logs. The cloud-based nature of this service aligns with our cloud-first strategy while eliminating the need to maintain on-premises authentication servers, it relies on RadSec (RADIUS over TLS) to secure communications between network devices and the cloud authentication service.

Key features we leverage include:

• 802.1X client cert-based authentication for corporate devices
• MAC Authentication Bypass (MAB) for IoT devices
• Detailed accounting logs containing user-IP mapping information
• Cloud API for configuration and management

AWS API Gateway and Lambda

The AWS components of our solution serve as the integration layer:

1. API Gateway: Provides a secure endpoint for receiving accounting logs from Juniper Mist cloud services
2. Lambda Function: Processes the logs to extract user-IP mapping information

Our Lambda function parses the accounting logs, extracting username, IP address, timestamp, and other relevant attributes. It then formats this information for consumption by our corporate firewall.

Firewall Integration
The final component of our solution is the integration with our corporate firewall through its API. The Lambda function makes API calls to update the user-ID mapping table on the firewall, ensuring that security policies can be accurately applied based on user identity rather than just IP address.

Results and Benefits
Implementing our custom solution has yielded several significant benefits:

Improved Security Posture
By maintaining accurate IP-to-user mapping, we’ve strengthened our security posture in several ways:

• Enhanced policy enforcement: Security policies can now be tied to user identities rather than just IP addresses, allowing for more granular control.
• Improved incident response: Security investigations can now quickly attribute network activity to specific users.
• Better compliance: We can now demonstrate user-level accountability for network access, supporting various compliance requirements.

Operational Efficiency
The solution has also improved our operational efficiency:

• Reduced troubleshooting time: Network issues can be more quickly associated with specific users.
• Automated mapping updates: The solution eliminates the need for manual user-ID mapping, which was considered as a possible workaround.
• Scalable architecture: The serverless architecture in AWS scales automatically with our needs.

Cost Savings
By leveraging already existing tools and licenses with the addition of cloud-based flexibility we were able to deliver the solution with minimal cost:

• Pay-per-use AWS costs: We only pay for the actual API calls and Lambda executions.
• Leveraging existing investments: We utilized our existing Juniper Mist deployment which already had MIST NAC license.
• Reduced operational overhead: The automated solution requires minimal ongoing maintenance.

Conclusion
Migrating Active Directory to the cloud creates significant challenges for maintaining IP-to-user mapping, but creative solutions can bridge this gap effectively. Our approach, leveraging Juniper Mist NAC, AWS services, and API integration, demonstrates that organizations can maintain robust security controls even during major infrastructure transitions.
By thinking beyond traditional solutions and embracing cloud-native integration approaches, we’ve developed a system that improves our security posture, enhances operational efficiency, and reduces costs. This architecture serves as a model for addressing similar challenges in cloud-first environments.
For organizations facing similar challenges, we recommend:

1. Evaluate cloud-based NAC solutions like Juniper Mist Access Assurance
2. Consider lightweight integration approaches using cloud services
3. Leverage API capabilities of existing security infrastructure
4. Focus on automation to reduce operational overhead

With proper planning and implementation, the challenge of IP-to-user mapping without on-prem AD can be effectively addressed, maintaining the security foundation needed for modern zero-trust security architectures.

Grigory Levitin

System Architect