I would like to use my AD groups in security rules (along with RADIUS and HTML Captive Portal). So far I have managed to use "known users" only, seemingly due to a lack of group attribute exchange between PAN and RADIUS (MS IAS 2003).
I found the promising "Retrieve User Group" checkbox in the RADIUS authentication profile settings, but so far I haven't found any reference to it in the Knowledgepoint.
Can anyone point me to relevant docs, or share a personal experience?
In order to use AD groups in security policies, you will have to forward the group information from the PAN agent to the PAN firewall using the Filter Group Members setting in the PAN agent GUI.
I am not going to use the PAN agent (for this network segment), but rather HTTP Captive Portal with RADIUS. My problem is that the only method that has worked so far is defining "known user" in the security rule and a specific AD user group in the RADIUS policy, which is not what I need (actually I need the contrary).
You should configure an LDAP connection to your AD server in order to obtain groups for users that log in via Captive Portal. You can use either RADIUS or LDAP to actually authenticate the users.
This doc may help you:
I will try to configure LDAP auth (actually I believe that I would not need RADIUS if LDAP auth is in place).
You are correct - although it is also possible to auth users via RADIUS and get group info from LDAP. One use case for this is when two factor authentication is required.
I think these comments are missing your original question. There is a RADIUS VSA that you can use to have the RADIUS server pass the group info. It is called PaloAlto-User-Group. If you use this VSA on the RADIUS server, and then check the Retrieve User Group option you mention, the group name specified in the VSA will be checked in the allow list of the auth profile. You can enter the group names manually in the auth profile.
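Added example, not part of this thread and not Palo Alto's or Microsoft's code: it shows what the mechanism described above looks like on the wire. The RADIUS server returns the group name inside a Vendor-Specific attribute (type 26) in the Access-Accept, and the receiving side verifies the Response Authenticator, pulls out every PaloAlto-User-Group value and checks it against the auth profile's allow list. Assumptions, labelled in the code: Palo Alto's enterprise number 25461 and sub-type 5 for PaloAlto-User-Group (as published in the vendor's RADIUS dictionary; check your copy), plus a constructed shared secret, Request Authenticator and group names.

```python
# Added example (not from the thread): build and parse a RADIUS Access-Accept
# carrying the PaloAlto-User-Group vendor-specific attribute, then apply the
# allow-list check an auth profile performs when "Retrieve User Group" is on.
# Assumptions: enterprise number 25461 and VSA sub-type 5 (Palo Alto RADIUS
# dictionary, verify against your own copy); all packet contents constructed.
import hashlib
import hmac
import os
import struct

RADIUS_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
PALOALTO_VENDOR_ID = 25461      # assumption: Palo Alto Networks enterprise number
PALOALTO_USER_GROUP = 5         # assumption: PaloAlto-User-Group vendor sub-type


def vsa(vendor_id, vendor_type, value):
    """Encode one RFC 2865 Vendor-Specific attribute (type 26)."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept(identifier, request_authenticator, secret, groups):
    """Build an Access-Accept; Response Authenticator per RFC 2865 section 3."""
    attrs = b"".join(vsa(PALOALTO_VENDOR_ID, PALOALTO_USER_GROUP, g.encode())
                     for g in groups)
    length = 20 + len(attrs)
    header = struct.pack("!BBH", RADIUS_ACCESS_ACCEPT, identifier, length)
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attributes(packet):
    """Yield (type, value) pairs from the attribute section of a RADIUS packet."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def user_groups(packet, vendor_id=PALOALTO_VENDOR_ID, sub_type=PALOALTO_USER_GROUP):
    """Extract every PaloAlto-User-Group value from the VSAs in an Access-Accept."""
    groups = []
    for atype, value in parse_attributes(packet):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != vendor_id:
            continue
        pos = 4
        while pos + 2 <= len(value):   # one VSA may carry several sub-attributes
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                raise ValueError("malformed VSA sub-attribute")
            if vtype == sub_type:
                groups.append(value[pos + 2:pos + vlen].decode("utf-8", "replace"))
            pos += vlen
    return groups


def verify_response(packet, request_authenticator, secret):
    """Check the Response Authenticator so a forged or altered Access-Accept is rejected."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def allowed_by_auth_profile(packet, request_authenticator, secret, allow_list):
    """Mirror the auth-profile check: a returned group must appear on the allow list."""
    if not verify_response(packet, request_authenticator, secret):
        return False
    return any(g in allow_list for g in user_groups(packet))


if __name__ == "__main__":
    secret = b"testing123"            # constructed shared secret
    req_auth = os.urandom(16)         # Request Authenticator from the Access-Request
    pkt = build_access_accept(0x2A, req_auth, secret, ["vpn-users", "helpdesk"])
    print(user_groups(pkt))                                               # ['vpn-users', 'helpdesk']
    print(allowed_by_auth_profile(pkt, req_auth, secret, {"vpn-users"}))  # True
```

The authenticator check is the part worth keeping in mind when testing with IAS: if the shared secret on the firewall and the RADIUS server differ, the group attribute is never consulted because the whole Access-Accept is discarded first.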
Mike: indeed. :-)
Anyway, I am going to test both ways next week (RADIUS User group and LDAP).
Assuming that MS IAS 2003 knows how to deal with that PaloAlto-User-Group VSA...
Hi - I believe (from the original question) the groups are required for setting security policy. If this is true, then you'll need to use LDAP; VSAs are not currently supported for setting security policy rules against them. If the group information is for access rights to the device, then VSAs will work.
Just to try to help you save time :)