topic Re: Auth Profile 8.1.x LDAP in General Topics

Auth Profile 8.1.x LDAP

OGMaverick — Fri, 31 Aug 2018 00:22:40 GMT

We'd like our users to be able to log into Captive Portal or Globalprotect with user@domain.com or just user. We've messed around with seemingly every combination of username modifiers, but have not been able to get it to work both ways. Currently, logging in with user@domain.com works and the filter can see the user's AD group memberships. In certain configs, we can get just 'user' to log in, but no user groups are pulled. Does anyone have this working both ways? Currently on 8.1.2. Can't do 8.1.3 due to a bug that wouldn't allow us to commit on the HA pair.

Re: Auth Profile 8.1.x LDAP

Mick_Ball — Sat, 01 Sep 2018 07:44:11 GMT

I have never tried this but could you not have one auth profile with no modifier and another with the domain modifier and add them both to an authentication sequence.

perhaps putting your most popular auth type at the top...

Re: Auth Profile 8.1.x LDAP

OGMaverick — Tue, 04 Sep 2018 14:10:32 GMT

We've tried auth sequences as well, but currently we aren't able to get AD groups pulled when someone logs in as 'user'. They can successfully log into the portal and the palo shows their user's DN, but will not show their group memberships. Setting it up another way where they succesffuly log in as user@domain.com pulls their groups.

Re: Auth Profile 8.1.x LDAP

Mick_Ball — Tue, 04 Sep 2018 14:46:20 GMT

so when "user" logs in, are they using the same auth profile as user@domain.

that may be confusing...

do you get the same results with just one auth profile.

Re: Auth Profile 8.1.x LDAP

OGMaverick — Tue, 04 Sep 2018 16:44:29 GMT

We've tried with 1 auth profile to catch both as well as a sequence with 2 profiles. The current setup is a sequence that goes through the following:

Working with @domain.com & pulls groups:

User Domain: blank

Modifer: %USERINPUT%

Can log in without @domain.com but does not pull groups:

User Domain: domain.com

Modifer: %USERINPUT%@%USERDOMAIN%

I feel that we've tried every combination of modifier + user domain (blank, domain, domain.com) + userPrincipalName vs sAMAccountName to no avail of getting groups pulled when it lets just 'user' login. If we can just get a profile that works to let 'user' login & pull groups, then we'd be set putting it in a sequence.

Re: Auth Profile 8.1.x LDAP

Mick_Ball — Tue, 04 Sep 2018 16:42:02 GMT

ok im gonna test this tomorrow but im sure you need to fill in the user domain field.

this is where %userdomain% is populated from.

if you login as fred@domain.com with the user domain field blank and the modifier set to userinput@userdomain then you will actually login as fred.

we have the netbios name in our user domain field as this is what is used for group mappings.

anothe post will follow with PA help snippet thingy...

Re: Auth Profile 8.1.x LDAP

OGMaverick — Tue, 04 Sep 2018 16:45:32 GMT

I'm sorry, we actually do have the user domain filled with our domain for the profile where we are expecting just 'user'. Edited

Re: Auth Profile 8.1.x LDAP

Mick_Ball — Tue, 04 Sep 2018 16:48:32 GMT

ok no point sending the help file...

could you just post an example (using domain.com) of a users CN, UPN and SamAccountName.

i will have a play in the morning...

Re: Auth Profile 8.1.x LDAP

OGMaverick — Tue, 04 Sep 2018 18:12:32 GMT

Hope this helps - https://imgur.com/a/2fym3fn

We have a 220 test box, so free to make any changes to test at any time. Thanks!

Re: Auth Profile 8.1.x LDAP

Mick_Ball — Tue, 04 Sep 2018 18:39:48 GMT

Cool clips but of no help.

im looking for format

fred smiff

fred.smiff

fred.smiff@domain.com

Re: Auth Profile 8.1.x LDAP

Mick_Ball — Wed, 05 Sep 2018 13:00:39 GMT

OK i am able to connect via GP as either mick.ball or mick.ball@domain.thingy.com

and i can add user policies for domain.thingy.com\mick.ball

the policy applies to both mick.ball and mick.ball@domain.thingy.com logins.

is that your expected outcome?

Re: Auth Profile 8.1.x LDAP

OGMaverick — Wed, 05 Sep 2018 14:16:39 GMT

Yes, although the format for the username in our org would be mball.

Sorry for the delay, got the info from the server folk.

CN=Last\, First M. (ORG)

UPN= FLast@domain.com

sAMAccountName= FLast

Since users can log in and get groups pulled using user@domain.com with the following settings,

Attribute userPrincipalName

Blank domain

%USERINPUT%

it would make sense to me that the following settings would modify just user to work, but do not.

userPrincipalName

domain.com

%USERINPUT%@%USERDOMAIN%

Re: Auth Profile 8.1.x LDAP

Mick_Ball — Wed, 05 Sep 2018 14:54:08 GMT

i have exactly that..

this works for both mick.ball@domain.com and mick.ball

or is it the group stuff thats not working for you...

Re: Auth Profile 8.1.x LDAP

Mick_Ball — Wed, 05 Sep 2018 15:05:43 GMT

it may be an issue if you are still using auth order.

just use one profile as i have because the user "user" will still auth against the first profile in auth order and ignore the second'

hmm. that may be confusing... just use 1 profile as per my post, if you need auth order for redundancy the just replicate same settings to different servers.

Re: Auth Profile 8.1.x LDAP

OGMaverick — Wed, 05 Sep 2018 15:38:21 GMT

It's the group stuff. That will let the user log in, but not pull any groups, making the security policies not match. Once logged in with 'user', doing a show user ip-user-mapping ip x.x.x.x only shows:

IP address: 192.168.1.10 (vsys1)
User: domain.com\FLast
From: CP
Idle Timeout: 894s
Max. TTL: 3583s
MFA Timestamp: first(1) - 2018/09/05 11:02:37
Group(s): domain.com\FLast(225)

while logging in with user@domain.com shows:

IP address: 192.168.1.10 (vsys1)
User: FLast@domain.com
From: CP
Idle Timeout: 896s
Max. TTL: 3596s
MFA Timestamp: first(1) - 2018/09/05 11:04:12
Group(s): FLast@domain.com(115260)
domain\Flast(712)
cn=administrators,cn=builtin,dc=ccboe,dc=com(2147483660)

As well as the rest of the groups

Currently publishing the change to have cap portal only user the 1 profile made for just 'user' like you showed, instead of the sequence.

EDIT -

Testing the portal with just the 1 profile that has

userPrincipalName

domain.com

%USERINPUT%@%USERDOMAIN%

resulted in the same behaiviour above without the groups.

Re: Auth Profile 8.1.x LDAP

Mick_Ball — Wed, 05 Sep 2018 15:11:47 GMT

what domain settings do you have in your group mapping server profile?

Re: Auth Profile 8.1.x LDAP

OGMaverick — Wed, 05 Sep 2018 15:37:48 GMT

https://imgur.com/a/YJn5erd

We had tried with the User Domain filled in here as well as the profile and instead of the profile, but can test again. Group Include List is blank to include all

Testing the portal with just the 1 profile that has

userPrincipalName

domain.com

%USERINPUT%@%USERDOMAIN%

resulted in the same behaiviour above without the groups.

Re: Auth Profile 8.1.x LDAP

Mick_Ball — Wed, 05 Sep 2018 16:35:29 GMT

ok i would test again with 1 profile and add same domain to user domain in group id stuff.

Re: Auth Profile 8.1.x LDAP

OGMaverick — Wed, 05 Sep 2018 17:09:29 GMT

That combination did it! I think when we had user domain filled out in the group ID section previously, we were using sAMAccountName instead of userPrincipalName for the profile's login attribute. The 1 profile now works to match the user both ways. Thank you!

Re: Auth Profile 8.1.x LDAP

OGMaverick — Thu, 06 Sep 2018 18:52:36 GMT

Mirrored the exact same Auth Profile, User-ID Captive Portal (which is pointing to the new auth profile), User-ID Group Mapping settings, & LDAP server to the main Palo which is also on the same PanOS version and it is not even normalizing there. Wonder if ther is another setting elsewhere on the main device that I'm missing