Group Mapping vs Authentication Profile

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Group Mapping vs Authentication Profile

L3 Networker

Hi

 

Here is what we want to do:

1. Implement a security policy rule based on user group membership

2. There is no User ID using any Agent. The users will authenticate using captive portal.

3. Firewall will use LDAP to retrieve group mapping

4. PAN OS 7.1

 

Here's the question:

Assume that I want to allow only users from LDAP Group "HR" in the security policy. Then I create a LDAP Server Profile and then where do I need to mention the group:

1. In the Authentication Profile > Advanced > Allow List ??    OR

2. In User IDentification > Group Mapping Settings?? 

 

OR both?

What is the purpose of each of the above settings? I am confused.

 

Best Regards,

R

2 accepted solutions

Accepted Solutions

Cyber Elite
Cyber Elite

The auth profile controls who is allowed to authenticate

The group mapping controls which groups are learned from LDAP (to be used in security policy)

And network access is controlled through the 'source user' field in the security policy

 

 

you can use all 3 to achieve your objective 🙂

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

Community Team Member

Hi @rjdahav163,

 

In the Authentication Profile you select the specific users and groups that are allowed to authenticate with this profile. If you don’t add entries, no users can authenticate.

In the mapping you can control which groups are retrieved from LDAP.

 

Hope this clarifies the difference between the 2.

 

Cheers !

-Kiwi

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

View solution in original post

3 REPLIES 3

L7 Applicator

there maybe more than 1 answer to this, depends on who is allowed to authenticate.

 

i will assume that all users auth via your ldap authentication profile. so set this to "any"

 

use your ldap server in group mapping settings, and select the groups you want to include in your policies.

 

in your HR policy just add source HR group.

 

so... auth profile is for users allowed to authenticate. (you will still need group mapping if drilling down to group level)

 

probably confused things... happy to re post if required...

 

 

Cyber Elite
Cyber Elite

The auth profile controls who is allowed to authenticate

The group mapping controls which groups are learned from LDAP (to be used in security policy)

And network access is controlled through the 'source user' field in the security policy

 

 

you can use all 3 to achieve your objective 🙂

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Community Team Member

Hi @rjdahav163,

 

In the Authentication Profile you select the specific users and groups that are allowed to authenticate with this profile. If you don’t add entries, no users can authenticate.

In the mapping you can control which groups are retrieved from LDAP.

 

Hope this clarifies the difference between the 2.

 

Cheers !

-Kiwi

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
  • 2 accepted solutions
  • 2504 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!