The information coming back from the group mapping does not match the information you have configured in your authentication profile.
Your group members are being represented as domain\name, whereas your auth profile is domain.lan\name.
Updating the User Domain to domain in your authentication profile may fix you up.
Allow list check error:
Target vsys is not specified, user "steven.williams.da" is assumed to be configured with a shared auth profile.
Do allow list check before sending out authentication request...
User steven.williams.da is not allowed with authentication profile Palo_Alto_Admins
admin@PA500-01> show user group name cn=paloaltoadmins,ou=groups,ou=domain,dc=domain,dc=lan
short name: domain\paloaltoadmins
source type: ldap
[1 ] domain\steven.williams.da
admin@PA500-01> show user group list
* : Custom Group
There has to be a deeper level debug or something to see what's wrong, no?
OK, sorry, I've lost the thread here slightly...
In my authentication profile I have the following settings:
user domain ( our domain name)
username modifier (%USERINPUT%)
Is this similar to yours?
In your previous post, as below:
admin@PA500-01> show user group name "cn=domain users,cn=users,dc=domain,dc=lan" | match steven.williams
[5510 ] domain\steven.williams
[5515 ] domain\steven.williams.da
Whatever it is in place of "domain", stick that in the User Domain box.
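The mismatch discussed in this thread can be checked offline from the CLI output. The following is an added example, not part of the original posts and not Palo Alto Networks code. It assumes a simplified model in which the allow list check compares `<User Domain>\<username>` against the group member strings; the function names and the sample text are constructed for illustration.

```python
import re

# One member line of `show user group name ...`, e.g. "[1 ] domain\steven.williams.da"
MEMBER_RE = re.compile(r"^\[\s*\d+\s*\]\s+(?P<domain>[^\\\s]+)\\(?P<user>\S+)\s*$")

def parse_group_members(cli_output):
    """Return lower-cased (domain, user) pairs found in the pasted CLI output."""
    members = []
    for line in cli_output.splitlines():
        m = MEMBER_RE.match(line.strip())
        if m:
            members.append((m.group("domain").lower(), m.group("user").lower()))
    return members

def effective_name(user_input, user_domain, modifier="%USERINPUT%"):
    """Apply the username modifier, then pair it with the profile's User Domain."""
    name = modifier.replace("%USERINPUT%", user_input)
    return (user_domain.lower(), name.lower())

def diagnose(user_input, user_domain, cli_output):
    """Return (verdict, domain) under the simplified comparison model (assumption)."""
    members = parse_group_members(cli_output)
    wanted = effective_name(user_input, user_domain)
    if wanted in members:
        return ("match", user_domain)
    # Same user name listed under a different domain string: the case in this thread.
    domains = sorted({d for d, u in members if u == wanted[1]})
    if domains:
        return ("domain-mismatch", domains[0])
    return ("not-a-member", None)

# Constructed sample, shaped like the output quoted in the thread.
SAMPLE = """short name: domain\\paloaltoadmins
source type: ldap
[1 ] domain\\steven.williams.da
"""

if __name__ == "__main__":
    for dom in ("domain.lan", "domain"):
        print(dom, "->", diagnose("steven.williams.da", dom, SAMPLE))
```

A `domain-mismatch` verdict returns the domain string the group mapping actually uses, which is the value to compare against the User Domain field of the authentication profile.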