
Can't authenticate users in nested groups (AD, Radius)


Hi All,

I have a rule to allow access to Facebook.  The rule works if I list individual users, but not groups.

We have a single forest with 2 child domains.

Universal Group "FB Allowed"  has the following groups as members: "OU1 FB Allowed" and "OU2 FB Allowed"

These universal groups contain members from both domains.

I'm trying to avoid having to maintain multiple groups in the rules.  As far as the Palo is concerned, I want it to read from 1 group and allow local admins at each site to populate their users into their respective groups.

2 REPLIES

L3 Networker

Hello, I believe you have 2 separate user agents configured, 1 for each domain.

Are you able to read group information?

> debug device-server dump user-group name "domain\groupname"

L4 Transporter

I had the same problem in a demo install and I opened a case. That was a few months ago with a 4.x release. Unfortunately, support was not willing to replicate the issue in their lab and I did not want to bother the prospect with onsite troubleshooting sessions during a demo installation... So the case was dropped (case number 00038670), but the problem is still there; I just did not have time to set up the whole scenario again in our own lab and open up another case.

Roland
