https://live.paloaltonetworks.com/t5/general-topics/global-protect-with-rsa-securid-and-group-mapping-for-security/m-p/282423#M76086 <P>So I did use the groups in security policies but that is more a component of UserID rather than the setup for the VPN access. My deployment utilises a single portal and gateway but has multiple agent configurations that are mapped to the returned groups. In this way I am able to provide different split tunnel settings, agent settings and so forth</P> Tue, 13 Aug 2019 05:56:11 GMT SteveMcBride 2019-08-13T05:56:11Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-with-rsa-securid-and-group-mapping-for-security/m-p/280368#M75841 <P>I have setup Global Protect with RSA SecurID authentication.&nbsp; I would like to use the Active Directory groups of these users in my security policy to then allow or deny access to resources based upon their membership.&nbsp;</P><P>&nbsp;</P><P>I have configured the group mapping settings and the firewall is pulling in the AD groups.&nbsp; However, the policies I have created are not being matched.&nbsp; It appears since the authentication is via RSA it is not associating the user with the AD groups it is pulling via the group mapping since the user is not associated with the domain.</P><P>&nbsp;</P><P>I found this article which is relating:&nbsp;&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClQdCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClQdCAK</A> but it only seems to be working for the initial authentication, not for actual security policy access post authentication.</P><P>&nbsp;</P><P>IIs there a way to get this working or is there a better method for restricting resource access based upon group membership when authenticating via RADIUS to RSA SecurID?</P> Wed, 31 Jul 2019 18:39:36 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-with-rsa-securid-and-group-mapping-for-security/m-p/280368#M75841 TSilverline 2019-07-31T18:39:36Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-with-rsa-securid-and-group-mapping-for-security/m-p/280705#M75871 <P>I have not needed to try this but could you not just add the domain name to the authentication profile and then change the username modifier to "%USERDOMAIN%\%USERINPUT%".</P><P>&nbsp;</P><P>The firewall will then see user fred smith as domain\fred smith.</P><P>&nbsp;</P><P>the only additional requirement may be to tell radius server to ignore or accept any domain.</P><P>&nbsp;</P> Fri, 02 Aug 2019 08:35:28 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-with-rsa-securid-and-group-mapping-for-security/m-p/280705#M75871 Mick_Ball 2019-08-02T08:35:28Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-with-rsa-securid-and-group-mapping-for-security/m-p/282242#M76054 <P>I recently utilised RSA to authenticate GLobalProtect users. I leveraged ISE/RADIUS to do this and found it fairly straightforward with the RADIUS sending back group mappings to the Palos in the access-accept. These group mapping sent from the radius have to match with the group mapping configured for the globalprotect profile.&nbsp;</P><P>&nbsp;</P><P>My struggle was more related to getting the out of sync, new pin messages to present but this came down to issues between ISE and the PAs.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 12 Aug 2019 05:49:43 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-with-rsa-securid-and-group-mapping-for-security/m-p/282242#M76054 SteveMcBride 2019-08-12T05:49:43Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-with-rsa-securid-and-group-mapping-for-security/m-p/282311#M76073 <P>Thanks for the reply.&nbsp; Did you then use the groups returned in your security policies?&nbsp; Or did you have multiple portals/gateways handing out different IP address ranges authenticating different user groups?&nbsp; Or did you simply allow/deny access based upon group membership?</P> Mon, 12 Aug 2019 16:24:22 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-with-rsa-securid-and-group-mapping-for-security/m-p/282311#M76073 TSilverline 2019-08-12T16:24:22Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-with-rsa-securid-and-group-mapping-for-security/m-p/282423#M76086 <P>So I did use the groups in security policies but that is more a component of UserID rather than the setup for the VPN access. My deployment utilises a single portal and gateway but has multiple agent configurations that are mapped to the returned groups. In this way I am able to provide different split tunnel settings, agent settings and so forth</P> Tue, 13 Aug 2019 05:56:11 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-with-rsa-securid-and-group-mapping-for-security/m-p/282423#M76086 SteveMcBride 2019-08-13T05:56:11Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-with-rsa-securid-and-group-mapping-for-security/m-p/282564#M76109 <P>Thanks again for your reply.</P><P>Can you help me better understand what you mean by it being more a component of UserID?</P><P>&nbsp;</P><P>I understand the concept of mapping users to different agent configurations based upon groups - but i dont know how to use the groups of an authenticated RSA user for this purpose because RSA doesn't appear return all of the users groups.&nbsp; This seems pretty straightforward using straight AD, or using local groups in the FW..&nbsp; But I am not sure how to do it when authenticating against RSA.</P><P>&nbsp;</P><P>So, in your configuration, in which identity source are the groups configured?&nbsp; If AD, could you help me understand how you configured this?&nbsp; If somewhere else, can you explain how you configured the groups and got it all working?</P><P>&nbsp;</P><P>Thanks!</P> Tue, 13 Aug 2019 19:52:48 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-with-rsa-securid-and-group-mapping-for-security/m-p/282564#M76109 TSilverline 2019-08-13T19:52:48Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-with-rsa-securid-and-group-mapping-for-security/m-p/283342#M76211 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/9981">@Mick_Ball</a>&nbsp;wrote:<BR /><P>I have not needed to try this but could you not just add the domain name to the authentication profile and then change the username modifier to "%USERDOMAIN%\%USERINPUT%".</P><P>&nbsp;</P><P>The firewall will then see user fred smith as domain\fred smith.</P><P>&nbsp;</P><P>the only additional requirement may be to tell radius server to ignore or accept any domain.</P><P>&nbsp;</P><HR /></BLOCKQUOTE><P>Foir some reason I didn't actually try at first this because you seemed to be speculating about the solution; but it was indeed the correct answer.</P><P>After adding the domain prepend, the group mapping function started working and I am now able to use AD groups for RSA authenticated users in my security policy!</P><P>No changes to RSA RADIUS server needed.</P><P>Thanks!</P> Sat, 17 Aug 2019 22:19:19 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-with-rsa-securid-and-group-mapping-for-security/m-p/283342#M76211 TSilverline 2019-08-17T22:19:19Z