Adding domain to username for user identification



Hello

We are using RSA for user authentication with Global Protect.

We need to identify the LDAP group (Windows Active Directory) the user belongs to, but it doesn't work.

The reason is that the user we use for authentication doesn't include the domain, and the LDAP query doesn't match the right user:

cscworks@pa-intx.cajamar.int(active)> show user ip-user-mapping all | match mbm60380

10.240.1.24     vsys1  UIA     domain\mbm60380                 2388           2388
10.240.1.1      vsys1  UIA     domain\mbm60380                 2101           2101
10.240.250.1    vsys2  GP      mbm60380                         2590859        2590859

cscworks@pa-intx.cajamar.int(active)> show user group name domain\group1

short name:  domain\group1

[1     ] domain\aag60368
[2     ] domain\ced61081
[3     ] domain\jas61669
[4     ] domain\mbm60380
[5     ] domain\pmc61693
[6     ] domain\vcm60984

Is there any way to fix this?

Can the firewall add the domain to the LDAP query?


I'm afraid I don't know how to clear the user cache for that IP or the group cache.  I don't know how to reset the ldap server profile connection either.

I'm running version 5.0.4.

What authentication method are you using?

You can use the following commands to clear the user ip mapping from the firewall. Just make sure user is logged out before you do this.

clear user-cache ip

clear user-cache-mp ip

Moreover, if you are using AD to authenticate users and have added the NetBIOS domain name in the profile, it should be appended to the mapping.

[Attached screenshot: Capture.JPG]

Hope this helps.

Thank you

Hello

I have cleared both caches but the result is the same.

I'm using RSA SecurID authentication, through a Cisco Secure ACS 4.2 server. It doesn't support domain stripping, at least not the version we have.

Thanks for your help.



I've tried another thing:

- If I type domain\mbm60380 for GlobalProtect authentication, what the firewall sends to the RADIUS server is mbm60380. It removes the domain.

- Nevertheless, if I type mbm60380@domain, the firewall does send that user to the RADIUS server. In that case it doesn't remove the suffix.


I've been able to solve this issue.

I use the <username>@domain format in the GlobalProtect client.

Then I do the domain stripping in the RADIUS configuration, so that the RSA server authenticates just the username without the domain.

Thank you
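The mismatch the thread describes, and the two halves of the fix it converges on, modelled as an added Python example (this is not code from the post, from Palo Alto Networks or from RSA; it only reproduces the string handling involved). The IP-to-user rows and the group member list are copied from the `show user` output above; the default NetBIOS domain `domain`, the `trusted_realms` list and the first-label rule for turning a UPN suffix into a NetBIOS name are assumptions made for the example. The first function normalises any of `domain\user`, `user@domain` and bare `user` to the form the group membership table uses, so the GlobalProtect entry for 10.240.250.1 matches `domain\group1`; the second models the RADIUS-side domain stripping from the final post, so the RSA server still receives the bare SecurID username.

```python
"""Username normalisation for User-ID group matching, plus RADIUS-side
domain stripping.  Added example; sample data constructed from the thread."""

DEFAULT_DOMAIN = "domain"  # assumed NetBIOS name, matching the posted output

# Rows copied from 'show user ip-user-mapping all | match mbm60380'.
MAPPING_OUTPUT = """\
10.240.1.24     vsys1  UIA     domain\\mbm60380                 2388           2388
10.240.1.1      vsys1  UIA     domain\\mbm60380                 2101           2101
10.240.250.1    vsys2  GP      mbm60380                         2590859        2590859
"""

# Members copied from 'show user group name domain\group1'.
GROUP_MEMBERS = {
    "domain\\group1": [
        "domain\\aag60368", "domain\\ced61081", "domain\\jas61669",
        "domain\\mbm60380", "domain\\pmc61693", "domain\\vcm60984",
    ],
}


def parse_ip_user_mapping(text):
    """Parse the mapping rows into dicts (columns: IP, vsys, source, user, timeouts)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        rows.append({"ip": parts[0], "vsys": parts[1],
                     "source": parts[2], "user": parts[3]})
    return rows


def canonical_user(name, default_domain=DEFAULT_DOMAIN):
    """Return 'domain\\user' for 'domain\\user', 'user@domain' or bare 'user'.

    Active Directory names are case-insensitive, so the result is lower-cased.
    The UPN suffix is reduced to its first DNS label as a stand-in for the
    NetBIOS name; a real deployment would use an explicit suffix-to-NetBIOS map.
    """
    name = name.strip()
    if "\\" in name:
        domain, _, user = name.partition("\\")
    elif "@" in name:
        user, _, domain = name.rpartition("@")
        domain = domain.split(".")[0]
    else:
        domain, user = default_domain, name
    if not user:
        raise ValueError(f"no username in {name!r}")
    return f"{domain.lower()}\\{user.lower()}"


def group_lookup(mapping_rows, group, normalise):
    """Map each IP to whether its user is a member of `group`.

    With normalise=False the comparison is a plain string match, which is what
    fails for the GlobalProtect row; with normalise=True both sides go through
    canonical_user() first.
    """
    members = GROUP_MEMBERS[group]
    members = {canonical_user(m) for m in members} if normalise else set(members)
    result = {}
    for row in mapping_rows:
        user = canonical_user(row["user"]) if normalise else row["user"]
        result[row["ip"]] = user in members
    return result


def radius_strip_domain(user_name, trusted_realms=("domain",)):
    """Model of a RADIUS server's 'strip domain' option.

    Removes a trailing '@realm' or leading 'realm\\' so the RSA SecurID server
    sees only the bare token username.  Only realms in `trusted_realms` are
    stripped (an assumption of this example): otherwise 'user@anything' would
    collapse to 'user' and a typed realm would carry no meaning at all.
    """
    if "@" in user_name:
        user, _, realm = user_name.rpartition("@")
    elif "\\" in user_name:
        realm, _, user = user_name.partition("\\")
    else:
        return user_name
    return user if realm.lower() in trusted_realms and user else user_name


if __name__ == "__main__":
    rows = parse_ip_user_mapping(MAPPING_OUTPUT)
    for label, norm in (("plain match", False), ("normalised", True)):
        print(label, group_lookup(rows, "domain\\group1", normalise=norm))
    print("RADIUS sees:", radius_strip_domain("mbm60380@domain"))
```

Run as-is, the plain match reports the two User-ID agent rows as members and the GlobalProtect row as not, which is the symptom in the first post; the normalised pass reports all three, and the RADIUS function hands `mbm60380` to the SecurID server whichever way the user typed the domain.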
