This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Can't Get AD groups to be used as user authentication

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Can't Get AD groups to be used as user authentication

mcarlton
L0 Member

‎07-26-2012 09:51 AM

We are running 2 2050 firewalls running 4.16 software and 2 user agents running 4.1.0-43 code.   When i try to limit a policy by an AD user name it works fine.   However if I want to user a AD group name it wont hit the rule if i put in the user as a group.  What am i doing wrong.

So

MYAD\mcarlton will work for a user on a policy but

MYAD\cooladmins will not work.

What am i doing wrong?

Thanks

Mike

Labels:
0 Likes Likes
2 REPLIES 2

u13550
L3 Networker

‎07-26-2012 09:56 AM

Hi

Just some ideas, as I'm currently also playing with this feature set:

  • have you included the ou where the groups are in into the group mappings? (Device --> User Identication" --> Group Mappings")
  • have you limited the LDAP Server into a Base DN where the groups are not included?

Andre

0 Likes Likes

zarina
L5 Sessionator

‎07-30-2012 05:31 PM

Mike,

The issue might be with the format that ldap is pulling up the user as. The agent might be pulling up the user as xx/user1 whereas ldap might pull it up as yy/user1. Can you verify if the user is mapped the same from both the agent and ldap?

1. show user user-IDs match-user <user_name> : this is the one pulled by ldap

2. show user ip-user-mapping ip <ip_test_user> : this is per the agent

If the output of 1 and 2 are different, goto the ldap server profile settings and change the domain to the one listed in 2.

Please let me know if this was helpful.

Thanks,

Sri

  • 3080 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks