Global protect username tags

L4 Transporter

Global protect username tags

Hello all,


I use RADIUS server for authenticating GP users. Is there a possibility to read tags sent by RADIUS server associated with user groups and palo could allow/deny specific users?



L7 Applicator

well.... yes and no, then yes again...


you can use RSA groups but only for auth level. so you could allow RSA Grouped users to actually use the authentication profile.

this will not populate to policies. this requires LDAP based group membership.


as a workaround...   if you have an LDAP server or use AD you can create groups that serve no other use than group membership and reference these to the matched usernames within RSA.


it may be that your users are already on AD, this will be a win win situation.


please note that this "group membership" will only apply to the PA that GP authenticates to, it will not work if the users traverse any other firewall with such policies.



Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!