topic Re: Filtering by a Azure AD user does not work in Gateway-->Agent-->Client Settings in GlobalProtect Discussions

Filtering by a Azure AD user does not work in Gateway-->Agent-->Client Settings

JoseCortijo — Wed, 23 Nov 2022 15:38:33 GMT

Hi,

we currently have global protect integrated with Azure MFA using SAML and it works flawless.
https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/palo-alto-networks-globalprotect-tutorial

Now, we would like to offer a different IP Pool depending on the user account. when I check in the MONITOR for connections using that VPN gateway, I see the different corporate email addresses in the SOURCE USER column. this email address is the one used to make the authentication via Azure MFA.

At this point, my approach was to create a new Agent-->client setting in the gateway portal . In the 'Config Selection Criteria' I included my corporate email addreass as SOURCE USER. No errors were shown so I clicked OK and commit. I also included a different IP pool range to filter conenctions later on with dedicated policies.

Surprisingly, afte the change was applied and I reconnect, I still get an IP address from the old IP pool, the one with 'any' on its client settings. it seems like my user name did not match for some reason. (see attachement)

we have a PA-850 running version 10.1.3

thanks

Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended.

Re: Filtering by a Azure AD user does not work in Gateway-->Agent-->Client Settings

JoseCortijo — Wed, 23 Nov 2022 15:52:36 GMT

According to the official documentation the source user in the client setting tab must be configured via User Identification.

In our case we only have the internal Active Directory and checking its settings I saw an option that called my attention, Alternate Username 1.

I wonder if I put "mail" in that field, it might be used in the filtering as a username. (see attachment)

Does anyone used that before for a similar purpose?

thanks

Re: Filtering by a Azure AD user does not work in Gateway-->Agent-->Client Settings

tamerfahmy — Mon, 27 Mar 2023 20:30:11 GMT

Hi @JoseCortijo - did you ever figure this out? I am having a similar issue. I am using SAML and I have an "any" user config which works fine. But I am trying to add a more restrictive config above that one, which contains specific users or groups, and cannot get it to work. All users keep matching the "any" rule.

Re: Filtering by a Azure AD user does not work in Gateway-->Agent-->Client Settings

pkumar2 — Tue, 16 May 2023 20:50:04 GMT

We don't need user-id enabled for this.

If you are using a username to filter, check the Globalprotect/authd.logs to see what username is passed to the firewall.
use domain\username format to filter the config.

E.g

username@domain.com, then use domain.com\username as the source user.

Hope this helps.

Re: Filtering by a Azure AD user does not work in Gateway-->Agent-->Client Settings

JoseCortijo — Fri, 19 May 2023 16:47:21 GMT

Hi @pkumar2 ,

I afraid that that simple solution does not work. That was my first attempt indeed.

Following your advice I checked the Globalprotect authentication logs and I saw username@domain.com as source user.
I added domain\useraccount and even the email address but there is still no match with the rule.

I am getting the client settings with the "any" as a filter.

A technician from a local partner told me that I might have an issue with the group mapping settings. The email should be mapped with the LDAP information stored in PA. I checked that as well but I did not see anything wrong.

Re: Filtering by a Azure AD user does not work in Gateway-->Agent-->Client Settings

tamerfahmy — Fri, 19 May 2023 17:24:12 GMT

@JoseCortijo - I got my issue resolved with the help of PAN support, figured I'd share it here in case it helps you. For my two LDAP server profiles, instead of using LDAP/636 to each of my AD domains (root and child), I switched to GlobalCatalog/3269 to the root domain as well as LDAP/636 to the root domain. I then changed User ID group mapping to use the GlobalCatalog server profile, so that it could read all domains, and blanked the User Domain field in the group mapping config. Next, I added the relevant AD groups to the Group Mapping Group Include list and also to the SAML Authentication Profile Allow List under Advanced. Now in my Agent Client Settings, I add the relevant groups to the Source User list.

Here is the doc that helped me, as it recommends using Global Catalog if you have Universal AD Groups, and also mentions that the User Domain field can usually be left blank in the Group Mapping config: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/map-users-to-groups

HTH!

Re: Filtering by a Azure AD user does not work in Gateway-->Agent-->Client Settings

JoseCortijo — Tue, 20 Jun 2023 11:57:47 GMT

Hi @tamerfahmy

thanks a lot for your reply and the link. Not sure if my issue was the same as yours. The AD groups got already populated and I could select the target AD group in the Agent Client Settings, my issue was that it didn't seem to match the condition so the different settings based on AD membership never applied.

I followed your instructions and I created an additional LDAP server profile for the global catalog and then, a new group mapping configuration using that new ldap server profile. Not sure if I should keep both group mappings enabled or not.

the result keeps the same, I can select the ad group in the Agent Client settings but it is never taken into account.

I attach some screenshots, maybe you could see where could be my issue.

thanks once again for your reply.

Re: Filtering by a Azure AD user does not work in Gateway-->Agent-->Client Settings

tamerfahmy — Mon, 23 Oct 2023 18:49:40 GMT

Hi @JoseCortijo,

Yes, I have both group mappings enabled.

Did you add the relevant AD groups to the Group Include list in the global catalog Group Mapping?

Also, in the SAML Authentication Profile > Advanced > Allow List, you can try adding the groups explicitly instead of using "all".

Re: Filtering by a Azure AD user does not work in Gateway-->Agent-->Client Settings

nemanja_miloj — Fri, 11 Oct 2024 09:12:10 GMT

Hey @JoseCortijo did you find solution for this problem?