05-14-2013 08:20 AM
We are using RSA for user authentication with Global Protect.
We need to identify the LDAP group (Windows Active Directory) the user belongs to, but it doesn't work.
The reason is that the username we use for authentication doesn't include the domain, and the LDAP query doesn't match the right user:
firstname.lastname@example.org(active)> show user ip-user-mapping all | match mbm60380
10.240.1.24 vsys1 UIA domain\mbm60380 2388 2388
10.240.1.1 vsys1 UIA domain\mbm60380 2101 2101
10.240.250.1 vsys2 GP mbm60380 2590859 2590859
email@example.com(active)> show user group name domain\group1
short name: domain\group1
[1 ] domain\aag60368
[2 ] domain\ced61081
[3 ] domain\jas61669
[4 ] domain\mbm60380
[5 ] domain\pmc61693
[6 ] domain\vcm60984
Is there any way to fix this?
Can the firewall add the domain to the LDAP query?
05-14-2013 02:06 PM
I'm afraid I don't know how to clear the user cache for that IP or the group cache. I don't know how to reset the ldap server profile connection either.
I'm running version 5.0.4
What authentication method are you using?
05-14-2013 02:36 PM
You can use the following commands to clear the user-IP mapping from the firewall. Just make sure the user is logged out before you do this.
clear user-cache ip
clear user-cache-mp ip
Moreover, if you are using AD to authenticate users and have added the NetBIOS domain name in the profile, then it should be appended to the mapping.
Hope this helps.
05-14-2013 11:47 PM
I have cleared both caches but the result is the same.
I'm using RSA SecurID authentication, through a Cisco Secure ACS 4.2 server. It doesn't support domain stripping, at least the version we have.
Thanks for your help.
05-15-2013 12:55 AM
I've tried another thing:
- If I type domain\mbm60380 for GlobalProtect authentication, what the firewall sends to the RADIUS server is mbm60380. It removes the domain.
- Nevertheless, if I type mbm60380@domain, the firewall does send that user to the RADIUS server. In that case it doesn't remove the suffix.
05-15-2013 08:25 AM
I've been able to solve this issue.
I use the <username>@domain format in the GlobalProtect client.
Then I do the domain stripping in the RADIUS configuration, so that the RSA server authenticates just the username without the domain.
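The mismatch described in the original post (a GlobalProtect mapping of bare mbm60380 against a group table keyed on domain\mbm60380) and the username@domain workaround in the solution both come down to one thing: group lookup compares a domain-qualified name, and a bare name never equals one. The following Python is an added example written for this thread; it is not firewall code and not something either poster provided. The sample data is constructed from the CLI output quoted above, and DEFAULT_DOMAIN is an assumption used only to show what a lookup would return if the missing domain were supplied.

```python
"""
Normalise the username forms that appear in PAN-OS User-ID output
(NetBIOS 'DOMAIN\\user', UPN 'user@domain', bare 'user') to one
(domain, sam) key and check them against a group member list.

Added example for this thread, not code from the firewall or the
posters. Sample data is constructed from the CLI output in the post;
the default domain passed to membership_report() is an assumption.
"""
import re

# Constructed sample: data lines from 'show user ip-user-mapping all'.
IP_USER_MAPPING = """\
10.240.1.24 vsys1 UIA domain\\mbm60380 2388 2388
10.240.1.1 vsys1 UIA domain\\mbm60380 2101 2101
10.240.250.1 vsys2 GP mbm60380 2590859 2590859
"""

# Constructed sample: member lines from 'show user group name domain\\group1'.
GROUP_MEMBERS = """\
[1 ] domain\\aag60368
[2 ] domain\\ced61081
[3 ] domain\\jas61669
[4 ] domain\\mbm60380
[5 ] domain\\pmc61693
[6 ] domain\\vcm60984
"""

# ip  vsys  source  user  idle-timeout  max-timeout
MAPPING_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$")
# "[n ] domain\\user"
MEMBER_RE = re.compile(r"^\[\s*\d+\s*\]\s+(\S+)$")


def canonical(user, default_domain=None):
    """Return a lower-cased (domain, sam) tuple.

    'DOMAIN\\user' and 'user@domain' both carry a domain. A bare name
    carries none, so it gets default_domain, or None if no default is
    configured; None never equals a real domain, which is the
    root cause of the mismatch in the thread.
    """
    if "\\" in user:
        domain, sam = user.split("\\", 1)
    elif "@" in user:
        sam, domain = user.split("@", 1)
    else:
        domain, sam = default_domain, user
    return (domain.lower() if domain else None, sam.lower())


def parse_ip_user_mapping(text):
    """Parse the ip-user-mapping data lines into dicts."""
    entries = []
    for line in text.splitlines():
        m = MAPPING_RE.match(line.strip())
        if not m:
            continue  # skip prompts, headers, blank lines
        ip, vsys, source, user, _idle, _max = m.groups()
        entries.append({"ip": ip, "vsys": vsys, "source": source, "user": user})
    return entries


def parse_group_members(text):
    """Parse the group member list into a set of canonical keys."""
    members = set()
    for line in text.splitlines():
        m = MEMBER_RE.match(line.strip())
        if m:
            members.add(canonical(m.group(1)))
    return members


def in_group(user, members, default_domain=None):
    """True only if both domain and sam match a group member."""
    return canonical(user, default_domain) in members


def membership_report(default_domain=None):
    """Map each ip-user-mapping entry's IP to whether its user is in the group."""
    members = parse_group_members(GROUP_MEMBERS)
    return {e["ip"]: in_group(e["user"], members, default_domain)
            for e in parse_ip_user_mapping(IP_USER_MAPPING)}


if __name__ == "__main__":
    # Without a default domain the GP entry (bare name) does not match.
    print("no default domain:     ", membership_report())
    # Supplying the domain (assumed 'domain') makes all three match.
    print("default domain applied:", membership_report("domain"))
```

Run as a script, the first report shows the two UIA entries matching and the GP entry not matching; the second, with an assumed default domain, shows all three matching. The same canonical() rule accepts the user@domain form the solution uses, which is why supplying the domain at the client side fixes the lookup without any change to the group table.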