https://live.paloaltonetworks.com/t5/globalprotect-discussions/is-there-a-way-to-accept-both-samaccountname-and/m-p/517968#M3297 <P>Bottom line I would like my user to be able to authenticate using either "MyUserID" or "MyUserID@MyDomain.com".&nbsp; Can this be done?</P> <P>&nbsp;&nbsp;</P> <P>Right now, my users authenticate using their SAMAccountName/userID.&nbsp; As we move toward x.509 Personal Certificate authentication, the user certs provide a UPN (email address).&nbsp; Given a user who has a&nbsp;SAMAccountName of "MyUserID" and UserPrincipalName of "MyUserID@MyDomain.COM"; is there a way to setup Authentication Profiles to strip off the "@mydomain.com" and thus always send the radius server just "MyUserID" for account matching?</P> <P>&nbsp;</P> <P>I've been looking at Authentication Profile -&gt; Username Modifier but I don't yet see a way to accomplish what I am looking for.&nbsp;</P> <P>&nbsp;</P> <P>Any suggestions?</P> Fri, 14 Oct 2022 15:56:37 GMT Will_Baldwin 2022-10-14T15:56:37Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/is-there-a-way-to-accept-both-samaccountname-and/m-p/517968#M3297 <P>Bottom line I would like my user to be able to authenticate using either "MyUserID" or "MyUserID@MyDomain.com".&nbsp; Can this be done?</P> <P>&nbsp;&nbsp;</P> <P>Right now, my users authenticate using their SAMAccountName/userID.&nbsp; As we move toward x.509 Personal Certificate authentication, the user certs provide a UPN (email address).&nbsp; Given a user who has a&nbsp;SAMAccountName of "MyUserID" and UserPrincipalName of "MyUserID@MyDomain.COM"; is there a way to setup Authentication Profiles to strip off the "@mydomain.com" and thus always send the radius server just "MyUserID" for account matching?</P> <P>&nbsp;</P> <P>I've been looking at Authentication Profile -&gt; Username Modifier but I don't yet see a way to accomplish what I am looking for.&nbsp;</P> <P>&nbsp;</P> <P>Any suggestions?</P> Fri, 14 Oct 2022 15:56:37 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/is-there-a-way-to-accept-both-samaccountname-and/m-p/517968#M3297 Will_Baldwin 2022-10-14T15:56:37Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/is-there-a-way-to-accept-both-samaccountname-and/m-p/518007#M3306 <P>I think you were looking in the right place, the username modifier is explained here and seems to be what you want:</P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/device/device-authentication-profile/configure-an-authentication-profile" target="_blank">Authentication Profile (paloaltonetworks.com)</A></P> <P><EM>&nbsp;If you specify the %USERDOMAIN% variable and leave the&nbsp;User Domain</EM><LI-WRAPPER><SPAN><EM>&nbsp;blank, the firewall removes any user-entered domain string.</EM></SPAN></LI-WRAPPER></P> <P>&nbsp;</P> <P><SPAN><EM>- DM</EM></SPAN></P> Sat, 15 Oct 2022 21:10:45 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/is-there-a-way-to-accept-both-samaccountname-and/m-p/518007#M3306 dmifsud 2022-10-15T21:10:45Z