topic Re: RADIUS And Open LDAP Integration. in General Topics

RADIUS And Open LDAP Integration.

SubaMuthuram — Mon, 16 Aug 2021 06:35:50 GMT

Hi team,

I have come through as a requirement from one of my clients, They are using RADIUS Server for RSA authentication for globalprotect, but in USER ID they are using OpenLDAP, So in the ip-user-mapping, Whenever user connecting to globalprotect, I can see the user detecting from the GP and the only as "username", but the customer has configured a user group based policy and the user detected as "domain\username".

Due to this user traffic not hitting on the user-based policy, Is there a way we can integrate RADIUS and LDAP for globalprotect. Or any other suggestion to achieve this with another workaround.

Re: RADIUS And Open LDAP Integration.

santonic — Mon, 16 Aug 2021 10:12:31 GMT

As far as I know PA can use RADIUS user groups only in authentication profiles (checking if user belongs to certain group after succesful authentication).

For security (or any other) policies PA can only use user groups obtained from LDAP servers. So consider switching GP authentication to LDAP.

Re: RADIUS And Open LDAP Integration.

Mick_Ball — Mon, 16 Aug 2021 19:13:41 GMT

Edit the radius auth profile and add the required domain into the user domain box.

leave the username modifier alone and the domain info will not be passed onto radius auth but will be added in user id when radius auth is successful.

Re: RADIUS And Open LDAP Integration.

santonic — Tue, 17 Aug 2021 08:57:16 GMT

@Mick_Ball

Was thinking about this once, but never tried it. Can you confirm this works?

Also usernames between Open LDAP and RADIUS will have to match.

Re: RADIUS And Open LDAP Integration.

Mick_Ball — Tue, 17 Aug 2021 19:46:52 GMT

It works with local auth profile so will work with others..

i assume that if a user logs into a domain as domain\fred.smith then he probably wont log into radius as kevin roberts.... but yes you are correct and i have seen stranger things....

Re: RADIUS And Open LDAP Integration.

santonic — Wed, 18 Aug 2021 06:47:39 GMT

Haha, true that.

Tho I've seen different variatons to derive username from name and surname 😉

But I assume in OP's case it's just a radius proxy for MFA which uses LDAP as source of identities anyway.

Re: RADIUS And Open LDAP Integration.

SubaMuthuram — Sat, 21 Aug 2021 03:19:33 GMT

Hi Mick,

The issue resolved, With the below KB Article,

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm0JCAS