Active Directory help

L0 Member

Hi All,

We received our first pan 3020 Monday and I have been trying to learn about the product in order to set up for production. I'm making good progress so far, but I have run into an issue importing AD users. I set up group mapping and I'm able to see groups that were imported, but no users. What am I missing?

Thanks in advance for your help.


Accepted Solutions
L0 Member

I just stumbled into my issue. Under "Server Profiles", "LDAP" I had domain.local in the domain field. So it was listing all of my users as domain.local\username. So when I was trying to find the users they didn't show up as domain\username. Amazing such a problem from one little field.

Thanks for all the help guys.


All Replies
L3 Networker

Hello, you need to set up a user ID agent to collect user > IP mappings. This can be done with the internal user ID Agent built in to the device or by using the external Windows User ID Agent.

L5 Sessionator

Have you configured IP user mapping as well? Please configure IP user mapping on the firewall, with either the agent or the agentless feature.

You can view the users using the below commands:

>show user group list

This shows the groups that are learnt from the AD

>show user group name <group-name>

This command shows the users associated to that group

BR,

Karthik

L6 Presenter

So you use the agentless system? You configured the user identification tab/user mapping and enabled user identification on the zone you need?

L0 Member

Currently I'm agentless. I set up the User Mapping and added server monitors for my DCs. I have Group Mapping Settings set up. LDAP is also set up, but when I click on a policy it only shows groups and no users.

L5 Sessionator

Can you verify whether the user mapping shows the user? Use the following command to check:

> show user ip-user-mapping all

If the user is present, can you try manually typing in the username, i.e. the first couple of letters?

L4 Transporter

It's because you provide domain.local - change it to domain

Please read this topic

Regards

Slawek

L5 Sessionator

Hi Jbo,

In the LDAP profile, under domain, it is supposed to be the NetBIOS domain name and not the FQDN. If you specify a wrong NetBIOS domain name then the mapping will be incorrect and policies will not work correctly either. The reason is that it appends the NetBIOS domain name you specify when it is mapping the users. Hope that helps.

Thanks

Numan
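
Added example, not part of the original thread: a small Python check for the mismatch described above, where group mapping lists users as domain.local\username while user mapping lists them as domain\username. The sample rows are constructed and their column layout is an assumption; replace them with your own output from the show commands.

```python
import re

# Constructed sample rows (not from the thread); the column layout is an
# assumption about what pasted output of the two show commands looks like.
GROUP_MEMBERS = """\
[1     ] domain.local\\asmith
[2     ] domain.local\\bjones
"""
IP_USER_MAP = """\
10.0.0.21  vsys1  AD  domain\\asmith  2700  2700
10.0.0.34  vsys1  AD  domain\\bjones  2650  2650
10.0.0.40  vsys1  AD  domain\\cwu     2600  2600
"""

# Any token of the form prefix\user; names are compared case-insensitively.
USER_RE = re.compile(r"([A-Za-z0-9.-]+)\\([^\s\\]+)")


def extract_users(text):
    """Return lower-cased (prefix, user) pairs for each prefix\\user token."""
    return [(d.lower(), u.lower()) for d, u in USER_RE.findall(text)]


def check_domain_prefix(group_text, mapping_text):
    """List findings where the two sources disagree on a user's domain prefix."""
    groups = extract_users(group_text)
    mapped_by_user = {u: d for d, u in extract_users(mapping_text)}
    findings = []
    # A dot in the prefix suggests an FQDN was entered instead of the NetBIOS name.
    for prefix in sorted({d for d, _ in groups}):
        if "." in prefix:
            findings.append(f"group mapping prefix '{prefix}' looks like an FQDN")
    # Same account name, different prefix: group-based policy will not match it.
    for prefix, user in groups:
        other = mapped_by_user.get(user)
        if other is not None and other != prefix:
            findings.append(
                f"'{user}': group mapping has '{prefix}', IP mapping has '{other}'"
            )
    return findings


if __name__ == "__main__":
    for line in check_domain_prefix(GROUP_MEMBERS, IP_USER_MAP):
        print("MISMATCH:", line)
```

An empty result means every user that appears in both sources carries the same prefix.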
