8.1.4 CP Normalizing


L3 Networker

All of our users who auth over CP are now normalizing as 'domain.com\user' although we need them to be user@domain.com.

 

The authentication profile they go through has the %USERINPUT%@%USERDOMAIN% modifier.  Domain is filled in & login attribute is 'userPrincipalName'.

 

All users who are getting mapped through AD instead of CP are showing correctly as user@domain.com.

 

We only have 1 auth profile, 1 ldap server profile, 1 group mapping settings profile.

5 REPLIES 5

L7 Applicator

@OGMaverick wrote:

All of our users who auth over CP are now normalizing as 'domain.com\user' although we need them to be user@domain.com.


What do you mean with "now"? Did the format suddenly change? Was there something changed by someone in your company? Did you upgrade from PAN-OS 8.0 to 8.1?

There were the following 2 changes:

 

8.1.2 > 8.1.4

 

Changed auth profile to include the modifier so users can log in as 'user' or 'user@ccboe.com' 

Cyber Elite

@OGMaverick,

The reason @Remo is asking about the possible upgrade path is due to the fact that there were default-behavior changes introduced in 8.1, so if this is your first release on 8.1 you could be encountering the changes for the first time. Take a look at your profile and see what the Primary Username field is. 

We've been on 8.1.x since we got our boxes (5220)

 

However, up until now we were only using userinput instead of modifying it so that users could log in with or without the domain.  Primary username is userPrincipalName.  The 8.1.4 upgrade & auth profile change were done at the same time.

... this probably is still a tricky task to do ...

I once spent quite a while testing this authentication for GlobalProtect with PAN-OS 8.0. But I gave up because of similar/the same problems that you describe.

Anyway, if I would do it again, I would try it with two authentication profiles that are combined in an authentication sequence with the option "Use domain to determine authentication profile" enabled. In the sequence you have to place the auth profile for sAMAccountName first and the other for UPN as the second profile. This way you have more flexibility with the domain/modifier and hopefully this is a way that will work.
