Group Mapping vs Authentication Profile

L3 Networker


Here is what we want to do:

1. Implement a security policy rule based on user group membership

2. There is no User ID using any Agent. The users will authenticate using captive portal.

3. Firewall will use LDAP to retrieve group mapping

4. PAN OS 7.1


Here's the question:

Assume that I want to allow only users from the LDAP Group "HR" in the security policy. Then I create an LDAP Server Profile, and then where do I need to mention the group:

1. In the Authentication Profile > Advanced > Allow List?    OR

2. In User Identification > Group Mapping Settings?


OR both?

What is the purpose of each of the above settings? I am confused.


Best Regards,


L6 Presenter

Re: Group Mapping vs Authentication Profile

There may be more than one answer to this; it depends on who is allowed to authenticate.


I will assume that all users auth via your LDAP authentication profile, so set this to "any".


Use your LDAP server in the group mapping settings, and select the groups you want to include in your policies.


In your HR policy, just add the source HR group.


So... the auth profile is for users allowed to authenticate. (You will still need group mapping if drilling down to group level.)


Probably confused things... happy to re-post if required...



Community Manager

Re: Group Mapping vs Authentication Profile

The auth profile controls who is allowed to authenticate.

The group mapping controls which groups are learned from LDAP (to be used in security policy).

And network access is controlled through the 'source user' field in the security policy.



You can use all 3 to achieve your objective :)


Reaper out
Community Team Member

Re: Group Mapping vs Authentication Profile

Hi @rjdahav163,


In the Authentication Profile you select the specific users and groups that are allowed to authenticate with this profile. If you don’t add entries, no users can authenticate.

In the mapping you can control which groups are retrieved from LDAP.


Hope this clarifies the difference between the 2.


Cheers!
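The three controls named in the two replies above (auth profile allow list, group mapping include list, policy source-user), as an added model that is not PAN-OS code or anything from the thread. The directory contents, user names and group names are constructed sample data; the evaluation order is an assumption about how the three settings combine, so it shows why a user can log in at the captive portal and still miss the HR rule if HR is not in the group include list.

```python
# Added illustration, not PAN-OS code: a small model of the three PAN-OS 7.1
# controls the thread discusses, in the order the firewall consults them:
#   1. Authentication Profile allow list -> may this user authenticate (captive portal)?
#   2. Group Mapping include list        -> which LDAP groups the firewall learns
#   3. Security policy source-user       -> does the traffic match the HR rule?
# Directory contents, user names and group names below are constructed sample data.
from dataclasses import dataclass, field

# Constructed stand-in for the LDAP directory: group name -> member user names
LDAP_GROUPS = {
    "HR": {"alice", "bob"},
    "Finance": {"carol"},
    "IT": {"bob", "dave"},
}

@dataclass
class FirewallConfig:
    # Authentication Profile > Advanced > Allow List ("all" = the allow-all entry,
    # called "any" in the reply above; otherwise user or group names)
    auth_allow_list: set = field(default_factory=lambda: {"all"})
    # User Identification > Group Mapping Settings > Group Include List
    group_include_list: set = field(default_factory=set)
    # Security policy rule: source-user value(s)
    policy_source_users: set = field(default_factory=lambda: {"HR"})

def can_authenticate(cfg, user):
    """Step 1: the auth profile decides who may log in at the captive portal."""
    if "all" in cfg.auth_allow_list:
        return True
    groups = {g for g, members in LDAP_GROUPS.items() if user in members}
    return user in cfg.auth_allow_list or bool(groups & cfg.auth_allow_list)

def learned_groups(cfg, user):
    """Step 2: only groups on the include list are retrieved from LDAP."""
    return {g for g in cfg.group_include_list if user in LDAP_GROUPS.get(g, set())}

def policy_matches(cfg, user):
    """Step 3: the rule matches if the user, or a learned group, is in source-user."""
    if not can_authenticate(cfg, user):
        return False  # no user mapping exists for the IP, so a user-based rule cannot match
    return (user in cfg.policy_source_users
            or bool(learned_groups(cfg, user) & cfg.policy_source_users))
```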

