https://live.paloaltonetworks.com/t5/general-topics/radius-user-group/m-p/391168#M90758 <P>Hello!</P><P>&nbsp;</P><P>I'm studying the PCNSA, may I ask you a question about a security policy?</P><P>The "it" group in that policy could be a Radius group imported on the FW?</P><P>Or could be a way to map users to group?</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="group palo alto.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/30341i0F0D54BD99D27AC7/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="group palo alto.png" alt="group palo alto.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>PS:</P><P>it would be very useful if Palo Alto offered a free VM lab to test which we are learning, anyone know if it's already been provided?</P><P>&nbsp;</P><P>Many thanks</P><P>Ale</P> Sun, 14 Mar 2021 21:38:22 GMT alessandroco 2021-03-14T21:38:22Z https://live.paloaltonetworks.com/t5/general-topics/radius-user-group/m-p/391168#M90758 <P>Hello!</P><P>&nbsp;</P><P>I'm studying the PCNSA, may I ask you a question about a security policy?</P><P>The "it" group in that policy could be a Radius group imported on the FW?</P><P>Or could be a way to map users to group?</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="group palo alto.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/30341i0F0D54BD99D27AC7/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="group palo alto.png" alt="group palo alto.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>PS:</P><P>it would be very useful if Palo Alto offered a free VM lab to test which we are learning, anyone know if it's already been provided?</P><P>&nbsp;</P><P>Many thanks</P><P>Ale</P> Sun, 14 Mar 2021 21:38:22 GMT https://live.paloaltonetworks.com/t5/general-topics/radius-user-group/m-p/391168#M90758 alessandroco 2021-03-14T21:38:22Z https://live.paloaltonetworks.com/t5/general-topics/radius-user-group/m-p/391422#M90776 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/175011">@alessandroco</a> ,</P><P>&nbsp;</P><P>There are two ways to use users and user groups in policy:</P><P>- Local database: You can create the users (username and password) localy on firewall and then create user group again localy. After that in your security rule you can refer indivituals local users or the local user group. Local users and groups are configured under Device -&gt; Local Users Database</P><P>&nbsp;</P><P>- Group Mapping: Unfortunately currently only LDAP is supported. So if you have Active Directory, firewall will use LDAP to query the AD and "extract" all user groups that you have already created at the AD (you can set some filters and limit the groups that firewall will query, but by default FW will try to collect them all).</P><P>&nbsp;</P><P>So to anwert your question - No, user groups information cannot be collected over RADIUS. You need LDAP to gather group membership information (which user is member of which group).</P> Tue, 16 Mar 2021 11:14:23 GMT https://live.paloaltonetworks.com/t5/general-topics/radius-user-group/m-p/391422#M90776 aleksandar.astardzhiev 2021-03-16T11:14:23Z https://live.paloaltonetworks.com/t5/general-topics/radius-user-group/m-p/391528#M90785 Hello! Thank you very much for your answer, now is more clear to me!<BR /><BR />Bwt I still need a clarification, in fact the question said: “what is the<BR />purpose of the group in the security policy rule?<BR /><BR />1)map username to groups<BR />2)that group is a radius group<BR /><BR />Which one do you suggest?<BR /><BR />Thank you very much!<BR /> Tue, 16 Mar 2021 16:23:44 GMT https://live.paloaltonetworks.com/t5/general-topics/radius-user-group/m-p/391528#M90785 alessandroco 2021-03-16T16:23:44Z