topic Re: Standalone Prisma Access and LDAP Group Mapping in Prisma Access Discussions

Standalone Prisma Access and LDAP Group Mapping

RaymondMullin — Thu, 11 Jun 2020 15:04:59 GMT

I'm trying to implement group-based policies in a standalone Prisma Access deployment. The instructions for achieving this are really lacking. Can anyone clarify how to configure group based policy mapping on standalone Prisma Access deployments with no master device?

Re: Standalone Prisma Access and LDAP Group Mapping

RaymondMullin — Thu, 11 Jun 2020 15:06:30 GMT

Unclear instructions from the KB article:

Implement User-ID in Security Policies For a Standalone Prisma Access Deployment In a standalone Prisma Access deployment without a Master Device, you can use group-based policy using long-form DN entries in Panorama. Prisma Access uses the DN entries to evaluate the User-ID-based policies you have configured in Panorama. For example, given a User named Bob Alice who works in IT for Organization Hooli in the United States, a matching security policy may have ou=IT Staff,O=Hooli,C=US if the policy is to be applied to all IT staff, or CN=Bob Alice,ou=IT Staff,O=Hooli,C=US if the policy is only to be applied to Bob Alice.

Re: Standalone Prisma Access and LDAP Group Mapping

SuperMario — Thu, 11 Jun 2020 18:57:30 GMT

Hi Raymond,

To configure standalone group mapping, you need to have the following configured under the mobile users' template:

* LDAP server profile

* User-ID > Group-Mapping

Please note that in a standalone scenario, you won't be able to pull the group-names on Panorama GUI. Therefore, you will have to type as per the instructions from your comment the DN long format entry in your policy and configuration.

For testing purposes, you can create a security policy, set the policy on the top and deny traffic to a specific IP to a specific group, this is just one example of many ways you can test.

Please let us know if you have any further questions.

Re: Standalone Prisma Access and LDAP Group Mapping

RaymondMullin — Fri, 12 Jun 2020 01:11:50 GMT

Thanks for the help. Since the groups won't appear in the dropdown menu on the user page, I can simply write the LDAP path in the User tab of a policy? Something like "CN=Mail Room,OU=Groups,OU=Houston,OU=Company,DC=corporate,DC=papergoods,DC=com" ?

Re: Standalone Prisma Access and LDAP Group Mapping

SuperMario — Fri, 12 Jun 2020 16:38:05 GMT

Hi @RaymondMullin, that is correct.

Re: Standalone Prisma Access and LDAP Group Mapping

RaymondMullin — Fri, 12 Jun 2020 17:29:47 GMT

Thanks for the clarification. I added the object DN to the user tab on the policy page, but it doesn't seem to be working. I can add "domain\sampleUser" to the same policy and it works fine for that user. User mapping is working okay. I just seem to have a hard time getting the user group mapping to work. I've tried adding the object DN to both the Group Include List and Custom Group List in Device>User Identification>Group Mapping Settings, but I've come up empty every time. I wish there was better documentation on this implementation.

Re: Standalone Prisma Access and LDAP Group Mapping

SuperMario — Fri, 12 Jun 2020 18:05:13 GMT

Hi @RaymondMullin

The user mapping should always work because the userid is learned from the authentication.

Whereas in the case of the group mapping, we need to pull the information from your LDAP server and group-mapping configuration.

Hence, the group-mapping attribute fields need to be aligned to the user authentication profile attributes.

Here is an example:

If you are using sAMAccountName on your Authentication Profile, make sure you add the same format on your Group-Mapping configuration.

Best practice configuration:

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/user-id/map-users-to-groups.html

Re: Standalone Prisma Access and LDAP Group Mapping

RaymondMullin — Wed, 24 Jun 2020 14:50:44 GMT

Thanks for all the help. It's working now with the long form.