How to retrieve multiple "User Name" attributes for the same user with group mapping (PAN-OS 8.0 and below)

Created On 09/26/18 13:48 PM - Last Modified 12/07/22 02:33 AM


Environment


  • Palo Alto Firewall
  • PAN-OS 8.0 and below
  • User-ID


Resolution


Requirement


This article discusses retrieving multiple "User Name" attributes for the same user while fetching group mappings from Active Directory.

Please refer to the article below, which discusses the behavior when multiple group mapping profiles are used to fetch different "User Name" attributes for a user belonging to the same user group:


Inconsistent User Name with Multiple Group Mapping Profiles


As discussed in the article above, the "User Name" attribute for a user may be overwritten by whichever group mapping profile refreshes last.


In practice, it is often necessary to fetch different "User Name" attributes for the same user, such as "userPrincipalName", "sAMaccount" or "E-mail", so that each can be used for authentication and authorization.


For example, users logging into their workstations might need to be authenticated and authorized with the "sAMaccount", while GlobalProtect users may require the "userPrincipalName" for the same purpose.


Solution


Different "User Name" attributes can be retrieved for the same user by placing the user in different groups and configuring each group mapping profile with the "Include Groups" option.


This option restricts each profile to the groups it lists, so the "User Name" attribute retrieved by one profile is not overwritten by the refresh of another.


The following section walks through this solution with an example, where the user "Dennis Lee" belongs to two groups, "marketing-group" and "support-group".

The "User Name" parameters for the user are configured in Active Directory as follows:



"userPrincipalName" : dennis.lee@lab333.local
"sAMaccount"        : lab333\dlee



Two group-mapping profiles are being used with "Include Groups" option :


1. Group Mapping Profile 1: retrieves the "sAMaccount":


[Screenshots: Group Mapping Profile 1 settings]


2. Group Mapping Profile 2: retrieves the "userPrincipalName":


[Screenshots: Group Mapping Profile 2 settings]


Both the "userPrincipalName" and "sAMaccount" parameters are now successfully retrieved:


PA-VM-1> show user user-ids

User Name          Vsys         Groups
------------------------------------------------------------------
lab333\dlee         vsys1      cn=marketing-group,ou=user-groups,ou=departments,dc=lab333,dc=local 
lab333\dennis.lee   vsys1      cn=support-group,ou=user-groups,ou=departments,dc=lab333,dc=local


Total: 3
* : Custom Group

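To make the overwrite behavior concrete, the following is an added Python model (not code from this article or from PAN-OS) that replays two profile refreshes with and without "Include Groups", using the user, groups and attribute values from the example above. The domain\user rendering of the UPN is a modeling assumption taken from the output shown.

```python
# Added example, not from the Palo Alto Networks article: a model of how
# PAN-OS 8.0 group-mapping profiles fill the User-ID group table. Each profile
# reads one "User Name" attribute; a refresh replaces the membership of every
# group it covers, so when two profiles cover the same group the one that
# refreshes last wins. "Include Groups" keeps each profile to its own groups.
# Directory data is constructed from the values shown in the article.
DIRECTORY = {
    "dennis.lee": {
        "userPrincipalName": "dennis.lee@lab333.local",
        "sAMaccount": "lab333\\dlee",
        "memberOf": ["marketing-group", "support-group"],
    },
}
ALL_GROUPS = ["marketing-group", "support-group"]

def display_name(attr, value):
    # Modeling assumption: the firewall prints a UPN as domain\user, which
    # matches the 'lab333\dennis.lee' line in the article's output.
    if attr == "userPrincipalName":
        user, domain = value.split("@", 1)
        return domain.split(".", 1)[0] + "\\" + user
    return value

def refresh(profile, table):
    """One refresh: table maps group -> set of user names. profile["include"]
    is the "Include Groups" list, or None (no filter: every group)."""
    for group in profile["include"] or ALL_GROUPS:
        table[group] = {display_name(profile["attr"], rec[profile["attr"]])
                        for rec in DIRECTORY.values()
                        if group in rec["memberOf"]}
    return table

def user_names(table):
    """Flatten to {user name: sorted groups}, like 'show user user-ids'."""
    out = {}
    for group, members in table.items():
        for name in members:
            out.setdefault(name, []).append(group)
    return {name: sorted(groups) for name, groups in out.items()}

def without_include_groups():
    # Both profiles cover both groups: the UPN refresh overwrites the sAMaccount.
    table = refresh({"attr": "sAMaccount", "include": None}, {})
    return user_names(refresh({"attr": "userPrincipalName", "include": None}, table))

def with_include_groups():
    # Profile 1 filters to marketing-group, profile 2 to support-group.
    table = refresh({"attr": "sAMaccount", "include": ["marketing-group"]}, {})
    return user_names(refresh({"attr": "userPrincipalName",
                               "include": ["support-group"]}, table))
```

Running both functions shows only "lab333\dennis.lee" surviving without the filter, and both "lab333\dlee" and "lab333\dennis.lee" present with it, matching the "show user user-ids" output above.
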
Additional Information


Support for multiple user attributes in a single group mapping profile was added starting with PAN-OS 8.1:
PAN-OS 8.1 User-ID Features
