Adding domain to username for user identification

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Adding domain to username for user identification

L2 Linker


We are using RSA for user authentication with Global Protect.

We need to identify the LDAP group (Windows Active Directory) the user belongs to, but It doesn't work.

The reason is that the user we use for authentication doesn't include the domain and the LDAP query  doen't match the right user:> show user ip-user-mapping all | match mbm60380     vsys1  UIA     domain\mbm60380                 2388           2388      vsys1  UIA     domain\mbm60380                 2101           2101    vsys2  GP      mbm60380                         2590859        2590859> show user group name domain\group1

short name:  domain\group1

[1     ] domain\aag60368

[2     ] domain\ced61081

[3     ] domain\jas61669

[4     ] domain\mbm60380

[5     ] domain\pmc61693

[6     ] domain\vcm60984

Is there any way to fix this?

Can the firewall add the domain to the LDAP query?


I'm afraid I don't know how to clear the user cache for that IP or the group cache.  I don't know how to reset the ldap server profile connection either.

I'm running 5.0.4 version

What authentication method are you using?

You can use the following commands to clear the user ip mapping from the firewall. Just make sure user is logged out before you do this.

clear user-cache ip

clear user-cache-mp ip

Moreover, If you are using AD to authenticate user and have added netbios domain name in the profile that it should be appended to the mapping.


Hope this helps.

Thank you


I have cleared both caches but the result is the same.

I'm using RSA SecurID authentication, through a Cisco Secure ACS 4.2 server. It doesn't support domain stripping. At least the version we have

Thanks for you help

L2 Linker

I've tried another thing:

- If I type domain\mbm60380 for GlobalProtect authentication the firewall sends to the Radius Server is mbm60380. It removes the domain.

- Nevertheless, if I type mbm60380@domain the firewall does send that user to the Radius. In that case it doesn't remove the suffix.

L2 Linker

I've been able to solve this issue.

Y use <username>@domain format in the GlobalProtect Client.

Then, I make the domain stripping in the Radius configuration so that the RSA server authenticates just the username without domain

Thank you

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!