https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-create-ad-group-based-authentication-for/m-p/20316#M14801 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>If your question is about using a group instead of users for admin, answer is no .... not yet</P><P>Else for sure you can group all your pa'sadmin in AD group and use all user in this group for defining admin profile and role. </P><P>What you have to do is to follow this doc: <A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-4740">https://live.paloaltonetworks.com/docs/DOC-4740</A>,create your admin account in the palo then assign them to admin role.</P><P></P><P>Hope help</P><P></P><P>V.</P></BODY></HTML> Tue, 27 Aug 2013 12:02:48 GMT VinceM 2013-08-27T12:02:48Z https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-create-ad-group-based-authentication-for/m-p/20315#M14800 <HTML><HEAD></HEAD><BODY><P>Hi All,.</P><P></P><P>Is it possible to create AD group based authentication for PaloAlto administrators?</P><P>If yes, kindly provide the steps for the same.</P><P></P><P>Regards,</P><P>Gururaj</P></BODY></HTML> Tue, 27 Aug 2013 11:15:28 GMT https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-create-ad-group-based-authentication-for/m-p/20315#M14800 Gururaj 2013-08-27T11:15:28Z https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-create-ad-group-based-authentication-for/m-p/20316#M14801 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>If your question is about using a group instead of users for admin, answer is no .... not yet</P><P>Else for sure you can group all your pa'sadmin in AD group and use all user in this group for defining admin profile and role. </P><P>What you have to do is to follow this doc: <A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-4740">https://live.paloaltonetworks.com/docs/DOC-4740</A>,create your admin account in the palo then assign them to admin role.</P><P></P><P>Hope help</P><P></P><P>V.</P></BODY></HTML> Tue, 27 Aug 2013 12:02:48 GMT https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-create-ad-group-based-authentication-for/m-p/20316#M14801 VinceM 2013-08-27T12:02:48Z https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-create-ad-group-based-authentication-for/m-p/20317#M14802 <HTML><HEAD></HEAD><BODY><P>You can use Radius VSA to accomplish group permission for admin.&nbsp; Here's a doc on Radius VSA and configuration examples for Windows server: <A href="https://live.paloaltonetworks.com/docs/DOC-1765"> Radius Vendor Specific Attributes (VSA) </A>.</P><P></P><P>Thanks.</P></BODY></HTML> Tue, 27 Aug 2013 13:55:48 GMT https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-create-ad-group-based-authentication-for/m-p/20317#M14802 rmonvon 2013-08-27T13:55:48Z https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-create-ad-group-based-authentication-for/m-p/20318#M14803 <HTML><HEAD></HEAD><BODY><P>If you are planning to use a group name under Device ---&gt; administrator then it wont work</P><P>You have to user individual user names with LDAP as authentication profile.</P><P>Step1:</P><P>create LDAP profile</P><P>Device --&gt; Server Profiles ---&gt; LDAP</P><P></P><P><IMG alt="Capture.JPG.jpg" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/7936_Capture.JPG.jpg" style="width: 620px; height: 315px;" /></P><P>Step2:</P><P>Create authentication profile under Device --&gt; Authentication Profiles</P><P></P><P><IMG alt="Capture.JPG.jpg" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/7940_Capture.JPG.jpg" /></P><P></P><P>Step3:</P><P>Now select under Device --&gt; administrator</P><P>Create an Administrator user. Make sure the user name is same as on the DC other wise the user will not able able to login.</P><P><IMG alt="Capture.JPG.jpg" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/7941_Capture.JPG.jpg" /></P><P>Now commit the changes and the user will be able to login.</P><P><BR />However if this is not feasible for you and you do not want to configure all you users here . You can also use Radius and set it with Admin Roles.</P><P>Here is a doc that explains how to do that.</P><P></P><P><A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-1765">https://live.paloaltonetworks.com/docs/DOC-1765</A></P><P></P><P>Hope this helps.</P><P>Thanks</P><P>Numan</P></BODY></HTML> Tue, 27 Aug 2013 23:00:15 GMT https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-create-ad-group-based-authentication-for/m-p/20318#M14803 mbutt 2013-08-27T23:00:15Z https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-create-ad-group-based-authentication-for/m-p/20319#M14804 <HTML><HEAD></HEAD><BODY><P>Here is another doc which explains on how to setup LDAP authentication</P><P><A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-2910">https://live.paloaltonetworks.com/docs/DOC-2910</A></P><P>Let us know if this helps.<BR />Thanks</P><P>Numan</P></BODY></HTML> Tue, 27 Aug 2013 23:01:28 GMT https://live.paloaltonetworks.com/t5/general-topics/is-it-possible-to-create-ad-group-based-authentication-for/m-p/20319#M14804 mbutt 2013-08-27T23:01:28Z