8.1.4 CP Normalizing

L3 Networker

All of our users who auth over CP are now normalizing as 'domain.com\user' although we need them to be user@domain.com.

 

The authentication profile they go through has the %USERINPUT%@%USERDOMAIN% modifier.  Domain is filled in & login attribute is 'userPrincipalName'.

 

All users who are getting mapped through AD instead of CP are showing correctly as user@domain.com.

 

We only have 1 auth profile, 1 ldap server profile, 1 group mapping settings profile.

Cyber Elite


@OGMaverick wrote:

All of our users who auth over CP are now normalizing as 'domain.com\user' although we need them to be user@domain.com.


What do you mean by "now"? Did the format suddenly change? Was something changed by someone in your company? Did you upgrade from PAN-OS 8.0 to 8.1?

L3 Networker

There were the following 2 changes:

 

8.1.2 > 8.1.4

 

Changed auth profile to include the modifier so users can log in as 'user' or 'user@ccboe.com' 

Cyber Elite

@OGMaverick,

The reason @vsys_remo is asking about the possible upgrade path is due to the fact that there were default-behavior changes introduced in 8.1, so if this is your first release on 8.1 you could be encountering the changes for the first time. Take a look at your profile and see what the Primary Username field is. 

L3 Networker

We've been on 8.1.x since we got our boxes (5220)

 

However, up until now we were only using userinput instead of modifying it so that users could log in with or without the domain.  Primary username is userPrincipalName.  The 8.1.4 upgrade & auth profile change were done at the same time.

Cyber Elite

... this probably is still a tricky task to do ...

I once spent quite a while testing this authentication for GlobalProtect with PAN-OS 8.0. But I gave up because of similar/the same problems that you describe.

Anyway, if I would do it again, I would try it with two authentication profiles that are combined in an authentication sequence with the option "Use domain to determine authentication profile" enabled. In the sequence you have to place the auth profile for sAMAccountName first and the other for UPN as the second profile. This way you have more flexibility with the domain/modifier and hopefully this is a way that will work.
