08-30-2018 05:22 PM
We'd like our users to be able to log into Captive Portal or Globalprotect with user@domain.com or just user. We've messed around with seemingly every combination of username modifiers, but have not been able to get it to work both ways. Currently, logging in with user@domain.com works and the filter can see the user's AD group memberships. In certain configs, we can get just 'user' to log in, but no user groups are pulled. Does anyone have this working both ways? Currently on 8.1.2. Can't do 8.1.3 due to a bug that wouldn't allow us to commit on the HA pair.
09-05-2018 09:35 AM
OK, I would test again with 1 profile and add the same domain to user domain in the group ID stuff.
09-01-2018 12:44 AM
I have never tried this but could you not have one auth profile with no modifier and another with the domain modifier and add them both to an authentication sequence.
perhaps putting your most popular auth type at the top...
09-04-2018 07:10 AM
We've tried auth sequences as well, but currently we aren't able to get AD groups pulled when someone logs in as 'user'. They can successfully log into the portal and the palo shows their user's DN, but will not show their group memberships. Setting it up another way where they successfully log in as user@domain.com pulls their groups.
09-04-2018 07:46 AM
So when "user" logs in, are they using the same auth profile as user@domain?
That may be confusing...
Do you get the same results with just one auth profile?
09-04-2018 09:20 AM - edited 09-04-2018 09:44 AM
We've tried with 1 auth profile to catch both as well as a sequence with 2 profiles. The current setup is a sequence that goes through the following:
Working with @domain.com & pulls groups:
Login Attribute: userPrincipalName
User Domain: blank
Modifier: %USERINPUT%
Can log in without @domain.com but does not pull groups:
Login Attribute: userPrincipalName
User Domain: domain.com
Modifier: %USERINPUT%@%USERDOMAIN%
I feel that we've tried every combination of modifier + user domain (blank, domain, domain.com) + userPrincipalName vs sAMAccountName to no avail of getting groups pulled when it lets just 'user' login. If we can just get a profile that works to let 'user' login & pull groups, then we'd be set putting it in a sequence.
09-04-2018 09:42 AM
OK, I'm gonna test this tomorrow but I'm sure you need to fill in the user domain field.
This is where %userdomain% is populated from.
If you login as fred@domain.com with the user domain field blank and the modifier set to userinput@userdomain then you will actually login as fred.
We have the netbios name in our user domain field as this is what is used for group mappings.
Another post will follow with PA help snippet thingy...
09-04-2018 09:44 AM - edited 09-04-2018 09:45 AM
I'm sorry, we actually do have the user domain filled with our domain for the profile where we are expecting just 'user'. Edited
09-04-2018 09:48 AM
OK, no point sending the help file...
Could you just post an example (using domain.com) of a user's CN, UPN and SamAccountName?
I will have a play in the morning...
09-04-2018 11:12 AM
Hope this helps - https://imgur.com/a/2fym3fn
We have a 220 test box, so free to make any changes to test at any time. Thanks!
09-04-2018 11:39 AM
Cool clips but of no help.
I'm looking for the format:
fred smiff
fred.smiff
fred.smiff@domain.com
09-05-2018 06:00 AM
OK, I am able to connect via GP as either mick.ball or mick.ball@domain.thingy.com
and I can add user policies for domain.thingy.com\mick.ball.
The policy applies to both mick.ball and mick.ball@domain.thingy.com logins.
Is that your expected outcome?
09-05-2018 07:16 AM
Yes, although the format for the username in our org would be mball.
Sorry for the delay, got the info from the server folk.
CN=Last\, First M. (ORG)
UPN= FLast@domain.com
sAMAccountName= FLast
Since users can log in and get groups pulled using user@domain.com with the following settings,
Attribute userPrincipalName
Blank domain
%USERINPUT%
it would make sense to me that the following settings would modify just user to work, but do not.
userPrincipalName
domain.com
%USERINPUT%@%USERDOMAIN%
09-05-2018 07:54 AM
I have exactly that...
This works for both mick.ball@domain.com and mick.ball.
Or is it the group stuff that's not working for you...
09-05-2018 08:05 AM
It may be an issue if you are still using auth order.
Just use one profile as I have, because the user "user" will still auth against the first profile in auth order and ignore the second.
Hmm, that may be confusing... just use 1 profile as per my post; if you need auth order for redundancy then just replicate the same settings to different servers.
09-05-2018 08:05 AM - edited 09-05-2018 08:38 AM
It's the group stuff. That will let the user log in, but not pull any groups, making the security policies not match. Once logged in with 'user', doing a show user ip-user-mapping ip x.x.x.x only shows:
IP address: 192.168.1.10 (vsys1)
User: domain.com\FLast
From: CP
Idle Timeout: 894s
Max. TTL: 3583s
MFA Timestamp: first(1) - 2018/09/05 11:02:37
Group(s): domain.com\FLast(225)
while logging in with user@domain.com shows:
IP address: 192.168.1.10 (vsys1)
User: FLast@domain.com
From: CP
Idle Timeout: 896s
Max. TTL: 3596s
MFA Timestamp: first(1) - 2018/09/05 11:04:12
Group(s): FLast@domain.com(115260)
domain\Flast(712)
cn=administrators,cn=builtin,dc=ccboe,dc=com(2147483660)
as well as the rest of the groups.
Currently publishing the change to have cap portal only use the 1 profile made for just 'user' like you showed, instead of the sequence.
EDIT -
Testing the portal with just the 1 profile that has
userPrincipalName
domain.com
%USERINPUT%@%USERDOMAIN%
resulted in the same behaviour above without the groups.
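The two profile settings posted earlier in the thread (blank domain with %USERINPUT%, versus domain.com with %USERINPUT%@%USERDOMAIN%) and the two show user ip-user-mapping outputs above are the whole puzzle: the bare 'user' login is recorded as domain.com\FLast and echoes only its own entry back under Group(s), while the UPN login is recorded as FLast@domain.com and carries real memberships. The script below is an added illustration written for this thread, not PAN-OS code or anything from Palo Alto Networks. It models the modifier substitution as plain string replacement, parses the two CLI outputs (copied from the thread; the IP is the poster's example value), and flags the "no groups pulled" condition automatically, so the check can be run against any mapping output rather than eyeballed. The group table it uses is constructed, and its assumption that group lookups only match when the recorded identity string has the same form as the group-mapping entry is a simplification of the behaviour described in the thread.

```python
# Added illustration built from this thread's posts. Not PAN-OS code: the
# substitution rules, the group table and the parser are assumptions/constructed.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthProfile:
    login_attribute: str  # "userPrincipalName" or "sAMAccountName"
    user_domain: str      # the profile's User Domain field; "" when blank
    modifier: str         # e.g. "%USERINPUT%" or "%USERINPUT%@%USERDOMAIN%"


def apply_modifier(user_input: str, profile: AuthProfile) -> str:
    """Expand %USERINPUT% / %USERDOMAIN% (assumed to be plain substitution)."""
    return (profile.modifier
            .replace("%USERINPUT%", user_input)
            .replace("%USERDOMAIN%", profile.user_domain))


def split_identity(identity: str) -> tuple:
    """Normalise 'domain\\user', 'user@domain' or bare 'user' to (domain, user)."""
    if "\\" in identity:
        domain, user = identity.split("\\", 1)
    elif "@" in identity:
        user, domain = identity.rsplit("@", 1)
    else:
        domain, user = "", identity
    return (domain.lower(), user.lower())


# Constructed group table keyed by the exact User-ID username string, the way a
# strict string comparison would see it.
GROUP_MAP = {
    "FLast@domain.com": ["cn=administrators,cn=builtin,dc=ccboe,dc=com"],
}


def groups_exact(identity: str) -> list:
    """Strict lookup: domain.com\\FLast does not find FLast@domain.com's groups."""
    return GROUP_MAP.get(identity, [])


def groups_normalized(identity: str) -> list:
    """Lookup on (domain, user) so both spellings resolve to the same principal."""
    target = split_identity(identity)
    return [g for key, gs in GROUP_MAP.items()
            if split_identity(key) == target for g in gs]


KEYS = ("IP address", "User", "From", "Idle Timeout", "Max. TTL",
        "MFA Timestamp", "Group(s)")


def _strip_id(entry: str) -> str:
    """Drop the trailing numeric id, e.g. 'domain\\Flast(712)' -> 'domain\\Flast'."""
    return re.sub(r"\(\d+\)$", "", entry)


def parse_user_mapping(output: str) -> dict:
    """Parse 'show user ip-user-mapping ip <addr>' text into a dict."""
    result = {"groups": []}
    in_groups = False
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = next((k for k in KEYS if line.startswith(k + ":")), None)
        if key is not None:
            value = line[len(key) + 1:].strip()
            in_groups = key == "Group(s)"
            if in_groups:
                if value:
                    result["groups"].append(_strip_id(value))
            else:
                result[key] = value
        elif in_groups:  # continuation lines under Group(s)
            result["groups"].append(_strip_id(line))
    return result


def has_group_memberships(mapping: dict) -> bool:
    """True when some Group(s) entry is more than the user's own identity."""
    me = split_identity(mapping.get("User", ""))
    return any(split_identity(g) != me for g in mapping["groups"])


# The two outputs as posted in the thread.
NO_GROUPS = """\
IP address: 192.168.1.10 (vsys1)
User: domain.com\\FLast
From: CP
Idle Timeout: 894s
Max. TTL: 3583s
MFA Timestamp: first(1) - 2018/09/05 11:02:37
Group(s): domain.com\\FLast(225)
"""

WITH_GROUPS = """\
IP address: 192.168.1.10 (vsys1)
User: FLast@domain.com
From: CP
Idle Timeout: 896s
Max. TTL: 3596s
MFA Timestamp: first(1) - 2018/09/05 11:04:12
Group(s): FLast@domain.com(115260)
domain\\Flast(712)
cn=administrators,cn=builtin,dc=ccboe,dc=com(2147483660)
"""

if __name__ == "__main__":
    prof_b = AuthProfile("userPrincipalName", "domain.com", "%USERINPUT%@%USERDOMAIN%")
    print("bare login becomes:", apply_modifier("user", prof_b))
    for text in (NO_GROUPS, WITH_GROUPS):
        m = parse_user_mapping(text)
        print(m["User"], "-> groups pulled:", has_group_memberships(m))
```

The point of has_group_memberships is that a Group(s) line listing only the user's own identity is not evidence of a working group mapping; the normalized lookup shows that domain.com\FLast and FLast@domain.com are the same principal, so when one form gets groups and the other does not, the mismatch to chase is between the username the firewall records and the user format the group-mapping settings produce, not the user's AD memberships.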