11-15-2017 02:31 AM
Hi
Here is what we want to do:
1. Implement a security policy rule based on user group membership
2. There is no User ID using any Agent. The users will authenticate using captive portal.
3. Firewall will use LDAP to retrieve group mapping
4. PAN OS 7.1
Here's the question:
Assume that I want to allow only users from LDAP Group "HR" in the security policy. Then I create a LDAP Server Profile and then where do I need to mention the group:
1. In the Authentication Profile > Advanced > Allow List ?? OR
2. In User IDentification > Group Mapping Settings??
OR both?
What is the purpose of each of the above settings? I am confused.
Best Regards,
R
11-15-2017 03:07 AM
The auth profile controls who is allowed to authenticate
The group mapping controls which groups are learned from LDAP (to be used in security policy)
And network access is controlled through the 'source user' field in the security policy
you can use all 3 to achieve your objective 🙂
11-15-2017 03:12 AM
Hi @rjdahav163,
In the Authentication Profile you select the specific users and groups that are allowed to authenticate with this profile. If you don’t add entries, no users can authenticate.
In the mapping you can control which groups are retrieved from LDAP.
Hope this clarifies the difference between the 2.
Cheers !
-Kiwi
11-15-2017 02:54 AM
there maybe more than 1 answer to this, depends on who is allowed to authenticate.
i will assume that all users auth via your ldap authentication profile. so set this to "any"
use your ldap server in group mapping settings, and select the groups you want to include in your policies.
in your HR policy just add source HR group.
so... auth profile is for users allowed to authenticate. (you will still need group mapping if drilling down to group level)
probably confused things... happy to re post if required...
11-15-2017 03:07 AM
The auth profile controls who is allowed to authenticate
The group mapping controls which groups are learned from LDAP (to be used in security policy)
And network access is controlled through the 'source user' field in the security policy
you can use all 3 to achieve your objective 🙂
11-15-2017 03:12 AM
Hi @rjdahav163,
In the Authentication Profile you select the specific users and groups that are allowed to authenticate with this profile. If you don’t add entries, no users can authenticate.
In the mapping you can control which groups are retrieved from LDAP.
Hope this clarifies the difference between the 2.
Cheers !
-Kiwi
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
