Rules for one AD group


Hello,

I'm a French user of a PA-500.

I am trying to create one rule that applies to one AD group.

I have created one group in my AD and added one user to this group.

In my PA settings, under User-ID agents, I have added my two AD controllers. On these controllers, the User-ID agent is installed.

Under Device > Server Profiles > LDAP, I have added an LDAP profile, no problem.

Under Device > User Identification > Group Mapping Settings, no problem, my group is added to the group include list.

I have created a rule in the policy, in first position; this rule applies to my group only and I have added a URL filtering profile. In this URL filtering profile, all web addresses are accessible (*.* in the white list), no block, no alert.

A second rule has been created; on this rule, for all users, there is a URL filtering profile to block streaming, social networking...

When I go on the internet with a user in the group matched by the first rule, normally I should have full access to the internet. It's not working; the second rule is applied.

Any ideas why my first rule is not working?

Sorry for my bad English 😉

2 REPLIES

L3 Networker

Hello

It sounds like you have your configuration set up correctly, but without seeing it, the only thing I can recommend is the following.

1. Select the Network tab

2. Select the Zones link and make sure the zone that your clients connect to has the Enable User Identification box checked.

3. Check the traffic log and see if your user name is being seen under the source user column.

If you have time during your local business day maybe you can call into support so we can assist.

Thank you

L4 Transporter

So assuming you do have User-ID enabled for the ingress zone of the user, can you check if the user-group mapping is correct.

Please do a:

> show user ip-user-mapping ip <user's ip>

This should show you his ip-mapping information and the groups he is a part of, that are being used in a policy.

> show user user-IDs match-user <username>

This should show you if the user is successfully being mapped to the group in the policy.

Make a note of how the mapping shows up: with the NetBIOS name or just the username? For example, hyatt\admin or admin, for the IP mapping and for the user-group mapping. Then you may want to check the 'domain' field configuration of your LDAP server profile.
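The comparison the reply above asks for, done in code as an added example that is not part of this thread or of Palo Alto Networks' own tooling: it takes the text of the two CLI commands, pulls out the username each one reports, splits off the domain prefix (DOMAIN\user, user@domain or bare user), and reports whether the two forms agree and whether any policy groups are listed. The sample outputs are constructed, modelled loosely on the real command output; the exact field layout on a given PAN-OS release may differ, and only the "User:" line and the lines under the "Groups that the user belongs to" header are read.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample output for "show user ip-user-mapping ip <ip>" in the failing
# case: the user is mapped with a domain prefix but no policy group is listed.
IP_MAPPING_BROKEN = """\
IP address:       192.168.10.25 (vsys1)
User:             exampledomain\\jdupont
From:             UIA
Idle Timeout:     2417s
Max. TTL:         2417s
Groups that the user belongs to (used in policy)
"""

# Constructed sample for "show user user-IDs match-user <username>" where group
# mapping learned the user without a domain prefix (assumed LDAP 'domain' field empty).
GROUP_MAPPING_BROKEN = """\
User:             jdupont
Groups that the user belongs to (used in policy)
  cn=fullinternet,ou=groups,dc=exampledomain,dc=local
"""

# Constructed samples for the working case: both commands report the same form.
IP_MAPPING_OK = """\
IP address:       192.168.10.25 (vsys1)
User:             exampledomain\\jdupont
From:             UIA
Groups that the user belongs to (used in policy)
  cn=fullinternet,ou=groups,dc=exampledomain,dc=local
"""

GROUP_MAPPING_OK = """\
User:             exampledomain\\jdupont
Groups that the user belongs to (used in policy)
  cn=fullinternet,ou=groups,dc=exampledomain,dc=local
"""


def split_user(name: str) -> Tuple[Optional[str], str]:
    """Split 'DOMAIN\\user', 'user@domain' or bare 'user' into (domain, user), lower-cased."""
    name = name.strip().lower()
    if "\\" in name:
        domain, user = name.split("\\", 1)
        return domain, user
    if "@" in name:
        user, domain = name.rsplit("@", 1)
        return domain, user
    return None, name


def extract_user(cli_output: str) -> Optional[str]:
    """Return the value of the first 'User:' line in the command output, if present."""
    m = re.search(r"^User:\s*(\S+)", cli_output, re.MULTILINE)
    return m.group(1) if m else None


def extract_policy_groups(cli_output: str) -> List[str]:
    """Return the group entries listed after the 'Groups that the user belongs to' header."""
    groups: List[str] = []
    collecting = False
    for line in cli_output.splitlines():
        if line.startswith("Groups that the user belongs to"):
            collecting = True
            continue
        if collecting and line.strip():
            groups.append(line.strip())
    return groups


def diagnose(ip_mapping_output: str, group_mapping_output: str) -> str:
    """Explain, from the two outputs, why a group-based rule would or would not match."""
    ip_user = extract_user(ip_mapping_output)
    if ip_user is None:
        return "no ip-user mapping: check User-ID on the ingress zone and the agent connection"
    grp_user = extract_user(group_mapping_output) or ""
    ip_domain, ip_name = split_user(ip_user)
    grp_domain, grp_name = split_user(grp_user)
    if ip_name != grp_name:
        return f"different accounts: ip mapping '{ip_user}' vs group mapping '{grp_user}'"
    if ip_domain != grp_domain:
        return (f"domain prefix mismatch: ip mapping uses {ip_domain!r}, group mapping "
                f"uses {grp_domain!r}; check the 'domain' field of the LDAP server profile")
    policy_groups = extract_policy_groups(ip_mapping_output)
    if not policy_groups:
        return "user is mapped but belongs to no policy group: the group rule will not match"
    return "ok: " + ", ".join(policy_groups)


if __name__ == "__main__":
    print(diagnose(IP_MAPPING_BROKEN, GROUP_MAPPING_BROKEN))
    print(diagnose(IP_MAPPING_OK, GROUP_MAPPING_OK))
```

Paste the real output of the two commands into the two variables and run it; the domain-prefix comparison is the part that is easy to miss by eye when one line reads hyatt\admin and the other reads admin.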
