Adding domain to username for user identification

L2 Linker

Hello

We are using RSA for user authentication with Global Protect.

We need to identify the LDAP group (Windows Active Directory) the user belongs to, but it doesn't work.

The reason is that the user we use for authentication doesn't include the domain, and the LDAP query doesn't match the right user:

cscworks@pa-intx.cajamar.int(active)> show user ip-user-mapping all | match mbm60380

10.240.1.24     vsys1  UIA     domain\mbm60380                 2388           2388
10.240.1.1      vsys1  UIA     domain\mbm60380                 2101           2101
10.240.250.1    vsys2  GP      mbm60380                         2590859        2590859

cscworks@pa-intx.cajamar.int(active)> show user group name domain\group1

short name:  domain\group1
[1     ] domain\aag60368
[2     ] domain\ced61081
[3     ] domain\jas61669
[4     ] domain\mbm60380
[5     ] domain\pmc61693
[6     ] domain\vcm60984

Is there any way to fix this?

Can the firewall add the domain to the LDAP query?


L6 Presenter

Add 'domain' in the domain field within your LDAP server profile and test. Here's my setup.

      ldap {
        amb {
          server {
            amb {
              port 389;
              address 172.16.20.23;
            }
          }
          ldap-type active-directory;
          base DC=amb,DC=local;
          bind-dn renato@amb.local;
          timelimit 30;
          bind-timelimit 30;
          ssl no;
          domain amb;
        }
      }

admin@PA-200> show user ip-user-mapping all

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
172.16.20.1     vsys1  AD      amb\renato                       2697           2697
172.100.100.1   vsys1  GP      amb\renato                       10746          10746
172.16.20.2     vsys1  AD      amb\renato                       289            289
172.16.20.226   vsys1  CP      amb\renato                       459            2538
172.16.20.23    vsys1  AD      amb\renato                       2526           2212
Total: 5 users

Without the domain configured:

      ldap {
        amb {
          server {
            amb {
              port 389;
              address 172.16.20.23;
            }
          }
          ldap-type active-directory;
          base DC=amb,DC=local;
          bind-dn renato@amb.local;
          timelimit 30;
          bind-timelimit 30;
          ssl no;
        }
      }


admin@PA-200> show user ip-user-mapping all

IP              Vsys   From    User                             IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------------------- -------------- -------------
172.16.20.1     vsys1  AD      amb\renato                       2695           2695
172.100.100.1   vsys1  GP      renato                           2592000        2592000
172.16.20.2     vsys1  AD      amb\renato                       135            135
172.16.20.226   vsys1  CP      amb\renato                       305            2384
172.16.20.23    vsys1  AD      amb\renato                       2372           2058


I've tried with the domain configured, but it doesn't work either:

      ldap {
        domain.int-PCI-RSA {
          server {
            esc04.domain.int {
              port 636;
              address 192.168.66.3;
            }
            esc15.domain.int {
              port 636;
              address 192.168.66.15;
            }
            esc16.domain.int {
              port 636;
              address 192.168.66.16;
            }
            esc03.domain.int {
              port 636;
              address 192.168.66.4;
            }
          }
          ldap-type active-directory;
          bind-dn F5-APM-AD@domain.int;
          timelimit 30;
          bind-timelimit 30;
          retry-interval 60;
          bind-password  xxxxxxxxxxxxxxxxxxx;
          ssl yes;
          base dc=domain,dc=int;
          domain domain;
        }
      }

show user ip-user-mapping all | match mbm60380

10.240.1.24     vsys1  UIA     domain\mbm60380                 922            922
10.240.1.1      vsys1  UIA     domain\mbm60380                 2363           2363
10.240.250.1    vsys2  GP      mbm60380                         2591972        2591972

Thanks for your answer

Did you attempt to clear the user cache for the IP in question? Perhaps clear the group cache as well and reset the LDAP server profile connection.

What PANOS are you running?

I'm afraid I don't know how to clear the user cache for that IP or the group cache. I don't know how to reset the LDAP server profile connection either.

I'm running version 5.0.4.

What authentication method are you using?

You can use the following commands to clear the user-IP mapping from the firewall. Just make sure the user is logged out before you do this.

clear user-cache ip
clear user-cache-mp ip

Moreover, if you are using AD to authenticate users and have added the NetBIOS domain name in the profile, it should be appended to the mapping.


Hope this helps.

Thank you

Hello

I have cleared both caches, but the result is the same.

I'm using RSA SecurID authentication through a Cisco Secure ACS 4.2 server. It doesn't support domain stripping, at least not the version we have.

Thanks for your help

L2 Linker


I've tried another thing:

- If I type domain\mbm60380 for GlobalProtect authentication, what the firewall sends to the Radius server is mbm60380. It removes the domain.

- Nevertheless, if I type mbm60380@domain, the firewall does send that user to the Radius server. In that case it doesn't remove the suffix.

L2 Linker

I've been able to solve this issue.

I use the <username>@domain format in the GlobalProtect client.

Then I do the domain stripping in the Radius configuration, so that the RSA server authenticates just the username without the domain.

Thank you
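To make the mismatch in the two posts above concrete (and the accepted fix), here is an added example of my own, not PAN-OS code or anything posted in this thread: it normalises the three login formats that appear here (NETBIOS\user, user@suffix, bare user) to the NETBIOS\user key that ip-user-mapping and the group listing use, and strips the realm the way the RADIUS side is configured to do before the name reaches RSA. The UPN-suffix-to-NetBIOS table is constructed (it is the same information the LDAP profile's domain field supplies), and the group list is copied from the output above.

```python
import re
from typing import Iterable, Optional, Tuple

# Constructed table: UPN suffix -> NetBIOS name, the information the
# "domain" field of an LDAP server profile supplies.
UPN_TO_NETBIOS = {"domain.int": "domain", "domain": "domain",
                  "amb.local": "amb", "amb": "amb"}

_DOWN_LEVEL = re.compile(r"^([^\\@]+)\\([^\\@]+)$")  # NETBIOS\user
_UPN = re.compile(r"^([^\\@]+)@([^\\@]+)$")          # user@suffix

def split_login(login: str, default_domain: Optional[str] = None
                ) -> Optional[Tuple[str, str]]:
    """Return (netbios, user) lower-cased, or None when no domain is known.
    A bare name resolves only with default_domain; the GP entry on the
    page (plain mbm60380) has neither, so it yields None."""
    login = login.strip()
    m = _DOWN_LEVEL.match(login)
    if m:
        return m.group(1).lower(), m.group(2).lower()
    m = _UPN.match(login)
    if m:
        netbios = UPN_TO_NETBIOS.get(m.group(2).lower())
        return None if netbios is None else (netbios, m.group(1).lower())
    if not login or "\\" in login or "@" in login or default_domain is None:
        return None  # empty, malformed (two separators) or no default
    return default_domain.lower(), login.lower()

def canonical_user(login: str, default_domain: Optional[str] = None) -> Optional[str]:
    """NETBIOS\\user key as shown by ip-user-mapping and the group listing."""
    parts = split_login(login, default_domain)
    return None if parts is None else f"{parts[0]}\\{parts[1]}"

def radius_username(login: str) -> Optional[str]:
    """Realm-stripped name, what the accepted solution's RADIUS config hands
    to RSA; an unknown UPN suffix is rejected rather than guessed."""
    parts = split_login(login, default_domain="")
    return None if parts is None else parts[1]

def is_group_member(login: str, members: Iterable[str],
                    default_domain: Optional[str] = None) -> bool:
    """Case-insensitive membership test against a NETBIOS\\user member list."""
    key = canonical_user(login, default_domain)
    return key is not None and key in {m.lower() for m in members}

# Sample data copied from the thread's "show user group name" output.
GROUP1 = ["domain\\aag60368", "domain\\ced61081", "domain\\jas61669",
          "domain\\mbm60380", "domain\\pmc61693", "domain\\vcm60984"]
```

`is_group_member("mbm60380", GROUP1)` reproduces the failure in the original post, while the `mbm60380@domain` form resolves to `domain\mbm60380` and matches.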
