https://live.paloaltonetworks.com/t5/general-topics/can-t-get-ad-groups-to-be-used-as-user-authentication/m-p/50063#M36847 <HTML><HEAD></HEAD><BODY><P>Mike,</P><P></P><P>The issue might be with the format that ldap is pulling up the user as. The agent might be pulling up the user as xx/user1 whereas ldap might pull it up as yy/user1. Can you verify if the user is mapped the same from both the agent and ldap?</P><P></P><P>1. show user user-IDs match-user &lt;user_name&gt; : this is the one pulled by ldap</P><P>2. show user ip-user-mapping ip &lt;ip_test_user&gt; : this is per the agent</P><P></P><P></P><P>If the output of 1 and 2 are different, goto the ldap server profile settings and change the domain to the one listed in 2. </P><P></P><P>Please let me know if this was helpful.</P><P></P><P></P><P>Thanks,</P><P>Sri</P></BODY></HTML> Tue, 31 Jul 2012 00:31:44 GMT zarina 2012-07-31T00:31:44Z https://live.paloaltonetworks.com/t5/general-topics/can-t-get-ad-groups-to-be-used-as-user-authentication/m-p/50061#M36845 <HTML><HEAD></HEAD><BODY><P>We are running 2 2050 firewalls running 4.16 software and 2 user agents running 4.1.0-43 code.&nbsp;&nbsp; When i try to limit a policy by an AD user name it works fine.&nbsp;&nbsp; However if I want to user a AD group name it wont hit the rule if i put in the user as a group.&nbsp; What am i doing wrong.</P><P></P><P>So</P><P>MYAD\mcarlton will work for a user on a policy but</P><P>MYAD\cooladmins will not work.</P><P></P><P>What am i doing wrong?</P><P></P><P>Thanks</P><P></P><P>Mike</P></BODY></HTML> Thu, 26 Jul 2012 16:51:06 GMT https://live.paloaltonetworks.com/t5/general-topics/can-t-get-ad-groups-to-be-used-as-user-authentication/m-p/50061#M36845 mcarlton 2012-07-26T16:51:06Z https://live.paloaltonetworks.com/t5/general-topics/can-t-get-ad-groups-to-be-used-as-user-authentication/m-p/50062#M36846 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>Just some ideas, as I'm currently also playing with this feature set:</P><P></P><UL><LI>have you included the ou where the groups are in into the group mappings? (Device --&gt; User Identication" --&gt; Group Mappings")</LI><LI>have you limited the LDAP Server into a Base DN where the groups are not included?</LI></UL><P></P><P>Andre</P></BODY></HTML> Thu, 26 Jul 2012 16:56:29 GMT https://live.paloaltonetworks.com/t5/general-topics/can-t-get-ad-groups-to-be-used-as-user-authentication/m-p/50062#M36846 u13550 2012-07-26T16:56:29Z https://live.paloaltonetworks.com/t5/general-topics/can-t-get-ad-groups-to-be-used-as-user-authentication/m-p/50063#M36847 <HTML><HEAD></HEAD><BODY><P>Mike,</P><P></P><P>The issue might be with the format that ldap is pulling up the user as. The agent might be pulling up the user as xx/user1 whereas ldap might pull it up as yy/user1. Can you verify if the user is mapped the same from both the agent and ldap?</P><P></P><P>1. show user user-IDs match-user &lt;user_name&gt; : this is the one pulled by ldap</P><P>2. show user ip-user-mapping ip &lt;ip_test_user&gt; : this is per the agent</P><P></P><P></P><P>If the output of 1 and 2 are different, goto the ldap server profile settings and change the domain to the one listed in 2. </P><P></P><P>Please let me know if this was helpful.</P><P></P><P></P><P>Thanks,</P><P>Sri</P></BODY></HTML> Tue, 31 Jul 2012 00:31:44 GMT https://live.paloaltonetworks.com/t5/general-topics/can-t-get-ad-groups-to-be-used-as-user-authentication/m-p/50063#M36847 zarina 2012-07-31T00:31:44Z