https://live.paloaltonetworks.com/t5/general-topics/can-t-authenticate-users-in-nested-groups-ad-radius/m-p/49327#M36341 <HTML><HEAD></HEAD><BODY><P>Hi All,</P><P></P><P>I have a rule to allow access to Facebook.&nbsp; The rule works if I list individual users, but not groups.</P><P></P><P>We have a single forest with 2 child domains.</P><P></P><P>Universal Group "FB Allowed"&nbsp; has the following groups as members: "OU1 FB Allowed" and "OU2 FB Allowed"</P><P></P><P>These universal groups contain members from both domains.</P><P></P><P>I'm trying to avoid having to maintain multiple groups in the rules.&nbsp; As far as the Palo is concerned, I want it to read from 1 group and allow local admins at each site to populate their users into their respective groups.</P></BODY></HTML> Thu, 11 Aug 2011 15:32:13 GMT aindelicato 2011-08-11T15:32:13Z https://live.paloaltonetworks.com/t5/general-topics/can-t-authenticate-users-in-nested-groups-ad-radius/m-p/49327#M36341 <HTML><HEAD></HEAD><BODY><P>Hi All,</P><P></P><P>I have a rule to allow access to Facebook.&nbsp; The rule works if I list individual users, but not groups.</P><P></P><P>We have a single forest with 2 child domains.</P><P></P><P>Universal Group "FB Allowed"&nbsp; has the following groups as members: "OU1 FB Allowed" and "OU2 FB Allowed"</P><P></P><P>These universal groups contain members from both domains.</P><P></P><P>I'm trying to avoid having to maintain multiple groups in the rules.&nbsp; As far as the Palo is concerned, I want it to read from 1 group and allow local admins at each site to populate their users into their respective groups.</P></BODY></HTML> Thu, 11 Aug 2011 15:32:13 GMT https://live.paloaltonetworks.com/t5/general-topics/can-t-authenticate-users-in-nested-groups-ad-radius/m-p/49327#M36341 aindelicato 2011-08-11T15:32:13Z https://live.paloaltonetworks.com/t5/general-topics/can-t-authenticate-users-in-nested-groups-ad-radius/m-p/49328#M36342 <HTML><HEAD></HEAD><BODY><P>Hello, I believe you have 2 separate user agents configured 1 for each domain.</P><P>Are you able to read group information?</P><P>&gt; <STRONG style="color:red">debug device-server dump user-group name “domain\groupname”</STRONG> </P></BODY></HTML> Sun, 14 Aug 2011 01:55:24 GMT https://live.paloaltonetworks.com/t5/general-topics/can-t-authenticate-users-in-nested-groups-ad-radius/m-p/49328#M36342 ukhapre 2011-08-14T01:55:24Z https://live.paloaltonetworks.com/t5/general-topics/can-t-authenticate-users-in-nested-groups-ad-radius/m-p/49329#M36343 <HTML><HEAD></HEAD><BODY><P>I had the same problem in a demo install and I opened a case. That was a few months ago with a 4.x release. Unfortunately support was not willing to replicate the issue in their Lab and I did not want to bother the prospect with onsite troubleshooting sessions during a demo installation....&nbsp; So the case was dropped (case number 00038670), but the problem is still there, just did not have time to setup the whole scenario again in our own Lab and open up another case.&nbsp; Roland</P></BODY></HTML> Tue, 16 Aug 2011 11:57:18 GMT https://live.paloaltonetworks.com/t5/general-topics/can-t-authenticate-users-in-nested-groups-ad-radius/m-p/49329#M36343 gafrol 2011-08-16T11:57:18Z