https://live.paloaltonetworks.com/t5/general-topics/group-mapping-vs-authentication-profile/m-p/187160#M56997 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/44973">@rjdahav163</a>,</P> <P>&nbsp;</P> <P>In the Authentication Profile you select the specific users and groups that are allowed to authenticate with this profile. If you don’t add entries, no users can authenticate.</P> <P>In the mapping you can<SPAN>&nbsp;control which groups are&nbsp;retrieved from LDAP.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Hope this clarifies the difference between the 2.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Cheers !</SPAN></P> <P><SPAN>-Kiwi</SPAN></P> Wed, 15 Nov 2017 11:12:26 GMT kiwi 2017-11-15T11:12:26Z https://live.paloaltonetworks.com/t5/general-topics/group-mapping-vs-authentication-profile/m-p/187150#M56994 <P>Hi</P><P>&nbsp;</P><P>Here is what we want to do:</P><P>1. Implement a security policy rule based on user group membership</P><P>2. There is no User ID using any Agent. The users will authenticate using captive portal.</P><P>3. Firewall will use LDAP to retrieve group mapping</P><P>4. PAN OS 7.1</P><P>&nbsp;</P><P>Here's the question:</P><P>Assume that I want to allow only users from LDAP Group "HR" in the security policy. Then I create a LDAP Server Profile and then where do I need to mention the group:</P><P>1. In the Authentication Profile &gt; Advanced &gt; Allow List ??&nbsp; &nbsp; OR</P><P>2. In User IDentification &gt; Group Mapping Settings??&nbsp;</P><P>&nbsp;</P><P>OR both?</P><P>What is the purpose of each of the above settings? I am confused.</P><P>&nbsp;</P><P>Best Regards,</P><P>R</P> Wed, 15 Nov 2017 10:31:53 GMT https://live.paloaltonetworks.com/t5/general-topics/group-mapping-vs-authentication-profile/m-p/187150#M56994 rjdahav163 2017-11-15T10:31:53Z https://live.paloaltonetworks.com/t5/general-topics/group-mapping-vs-authentication-profile/m-p/187157#M56995 <P>there maybe more than 1 answer to this, depends on who is allowed to authenticate.</P><P>&nbsp;</P><P>i will assume that all users auth via your ldap authentication profile. so set this to "any"</P><P>&nbsp;</P><P>use your ldap server in group mapping settings, and select the groups you want to include in your policies.</P><P>&nbsp;</P><P>in your HR policy just add source HR group.</P><P>&nbsp;</P><P>so... auth profile is for users allowed to authenticate. (you will still need group mapping if drilling down to group level)</P><P>&nbsp;</P><P>probably confused things... happy to re post if required...</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 15 Nov 2017 10:54:59 GMT https://live.paloaltonetworks.com/t5/general-topics/group-mapping-vs-authentication-profile/m-p/187157#M56995 Mick_Ball 2017-11-15T10:54:59Z https://live.paloaltonetworks.com/t5/general-topics/group-mapping-vs-authentication-profile/m-p/187159#M56996 <P>The auth profile controls who is allowed to authenticate</P> <P>The group mapping controls which groups are learned from LDAP (to be used in security policy)</P> <P>And network access is controlled through the 'source user' field in the security policy</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>you can use all 3 to achieve your objective <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>&nbsp;</P> Wed, 15 Nov 2017 11:07:30 GMT https://live.paloaltonetworks.com/t5/general-topics/group-mapping-vs-authentication-profile/m-p/187159#M56996 reaper 2017-11-15T11:07:30Z https://live.paloaltonetworks.com/t5/general-topics/group-mapping-vs-authentication-profile/m-p/187160#M56997 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/44973">@rjdahav163</a>,</P> <P>&nbsp;</P> <P>In the Authentication Profile you select the specific users and groups that are allowed to authenticate with this profile. If you don’t add entries, no users can authenticate.</P> <P>In the mapping you can<SPAN>&nbsp;control which groups are&nbsp;retrieved from LDAP.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Hope this clarifies the difference between the 2.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Cheers !</SPAN></P> <P><SPAN>-Kiwi</SPAN></P> Wed, 15 Nov 2017 11:12:26 GMT https://live.paloaltonetworks.com/t5/general-topics/group-mapping-vs-authentication-profile/m-p/187160#M56997 kiwi 2017-11-15T11:12:26Z