<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic 6.0.4 group mapping issue? in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/6-0-4-group-mapping-issue/m-p/37005#M27159</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I started running into this group mapping issue after updating a client to 6.0.4. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;We have a policy which matches on an Active Directory group for SSLVPN and what they can access. The same A.D. group is used in the Kerberos authentication profile to auth to VPN. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;After the update, these users are no longer matching on this policy. There is a policy just above it utilizing a different A.D. group and users from that group match just fine. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I did notice in the CLI if I do a show user group mapping ?, it lists the LDAP format of the group name as opposed to domain/group... whereas for the group which is working, it shows domain/group. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If I go to the policy and delete the group, then add the group name back in via the LDAP format, it auto-resolves it to the group\domain format as soon as I hit enter. &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Fri, 08 Aug 2014 00:51:32 GMT</pubDate>
    <dc:creator>SDorsey</dc:creator>
    <dc:date>2014-08-08T00:51:32Z</dc:date>
    <item>
      <title>6.0.4 group mapping issue?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/6-0-4-group-mapping-issue/m-p/37005#M27159</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I started running into this group mapping issue after updating a client to 6.0.4. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;We have a policy which matches on an Active Directory group for SSLVPN and what they can access. The same A.D. group is used in the Kerberos authentication profile to auth to VPN. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;After the update, these users are no longer matching on this policy. There is a policy just above it utilizing a different A.D. group and users from that group match just fine. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I did notice in the CLI if I do a show user group mapping ?, it lists the LDAP format of the group name as opposed to domain/group... whereas for the group which is working, it shows domain/group. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If I go to the policy and delete the group, then add the group name back in via the LDAP format, it auto-resolves it to the group\domain format as soon as I hit enter. &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 08 Aug 2014 00:51:32 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/6-0-4-group-mapping-issue/m-p/37005#M27159</guid>
      <dc:creator>SDorsey</dc:creator>
      <dc:date>2014-08-08T00:51:32Z</dc:date>
    </item>
    <item>
      <title>Re: 6.0.4 group mapping issue?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/6-0-4-group-mapping-issue/m-p/37006#M27160</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Eureka. Apparently 6.0.4 may have a problem processing group names which have a hyphen. I created a new group with the same users which lacked a hyphen and it matched as expected. Added a hyphen to the new group and it stopped.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 08 Aug 2014 01:11:48 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/6-0-4-group-mapping-issue/m-p/37006#M27160</guid>
      <dc:creator>SDorsey</dc:creator>
      <dc:date>2014-08-08T01:11:48Z</dc:date>
    </item>
  </channel>
</rss>

