I'm migrating from ASA to Palo Alto, including user VPN access (AnyConnect). The setup will be two-factor authentication with LDAP/Kerberos (not sure which yet) for the portal and OTP via RADIUS for the gateway.
The current setup allows access lists to be applied via the VPN policy to each authenticated user group, limiting their access to internal resources.
My thought is to build security policies that provide these same limits based on the appropriate AD group. This would allow me to have a single GP gateway and pool but still provide the same granularity they have now.
My question is: does the user's AD username pass through from the portal and get mapped to their GP IP even with RADIUS being used on the gateway? I'm trying to avoid having to set up separate gateways with separate IP pools and basing my security policies on the GP IP pools.
I'm looking for the best-practice way of configuring this.
Thanks for any suggestions.
Figured I'd reply with the answer, just in case anyone else has the same question.
There's a post out there that discusses making sure to fill in the NetBIOS domain name in the 'Domain' box of the authentication profile. This applies not just to LDAP but also to RADIUS. When you fill this in, you get DOMAIN\userid in the traffic log, and security policies based on a domain security group work.
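The check a practitioner would want after making that change is to confirm that every session sourced from the GlobalProtect pool actually carries a domain-qualified user, since a bare username (Domain box left empty) or an empty Source User (no User-ID mapping for that pool address) will never match a policy written against an AD group. The script below is an added example, not part of the original thread or any Palo Alto tooling: it audits an exported PAN-OS traffic log CSV for exactly those failure signatures. The pool range (10.99.1.0/24), the NetBIOS domain (corp), the column headers and the log rows themselves are constructed assumptions; adjust them to your export.

```python
import csv
import io
import ipaddress
import re

# Constructed sample of a PAN-OS traffic log CSV export (not a real capture).
# Only the columns this check needs are included; header names are assumed
# to match the export, so map them if your version labels them differently.
SAMPLE_TRAFFIC_CSV = """Receive Time,Source address,Source User,Rule,Action
2024/05/01 09:00:01,10.99.1.10,corp\\jsmith,GP-Finance-Apps,allow
2024/05/01 09:00:05,10.99.1.11,jdoe,intrazone-default,deny
2024/05/01 09:00:09,10.99.1.12,,GP-Deny-All,deny
2024/05/01 09:00:12,192.168.5.20,corp\\svc-backup,Trust-Out,allow
2024/05/01 09:00:15,10.99.1.13,CORP\\amartin,GP-Finance-Apps,allow
"""

GP_POOL = ipaddress.ip_network("10.99.1.0/24")  # assumed GlobalProtect IP pool
EXPECTED_DOMAIN = "corp"                         # assumed NetBIOS name from the auth profile

DOMAIN_USER_RE = re.compile(r"^(?P<domain>[^\\]+)\\(?P<user>.+)$")


def classify_user(source_user: str, domain: str = EXPECTED_DOMAIN) -> str:
    """Classify the Source User field of one traffic-log row.

    Returns one of:
      'mapped'       DOMAIN\\user with the expected NetBIOS domain (case-insensitive)
      'wrong-domain' DOMAIN\\user with some other domain
      'upn'          user@realm form, which group-based policy will not match either
      'bare'         username with no domain (auth profile Domain box left empty)
      'unknown'      empty field: no User-ID mapping exists for the source address
    """
    value = source_user.strip()
    if not value:
        return "unknown"
    m = DOMAIN_USER_RE.match(value)
    if m:
        return "mapped" if m.group("domain").lower() == domain.lower() else "wrong-domain"
    if "@" in value:
        return "upn"
    return "bare"


def audit_gp_sessions(csv_text: str, pool=GP_POOL, domain: str = EXPECTED_DOMAIN):
    """Return (src_ip, source_user, status, rule) for every session whose source
    lies in the GlobalProtect pool but whose user is not domain-qualified as expected."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        src = ipaddress.ip_address(row["Source address"].strip())
        if src not in pool:
            continue  # non-VPN traffic is out of scope for this check
        status = classify_user(row["Source User"], domain)
        if status != "mapped":
            findings.append((str(src), row["Source User"], status, row["Rule"]))
    return findings


if __name__ == "__main__":
    for src, user, status, rule in audit_gp_sessions(SAMPLE_TRAFFIC_CSV):
        print(f"{src:<15} user={user!r:<20} {status:<13} matched rule: {rule}")
```

Run it against a real export (replace SAMPLE_TRAFFIC_CSV with the file contents) right after committing the Domain field; the two rows it flags in the sample show the two signatures to look for, a bare RADIUS username falling through to intrazone-default and an unmapped address hitting the catch-all deny.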