I would like to use my AD groups in Security rules (along with RADIUS and HTML Captive Portal). So far I managed to use "known users" only, seemingly due to a lack of Group attribute exchange between PAN and RADIUS (MS IAS 2003).
I found the promising "Retrieve User Group" checkbox in RADIUS authentication profile settings but so far didn't find any reference to it in the Knowledgepoint.
Can anyone point me to relevant docs, or share a personal experience?
I am not going to use the PAN agent (for this network segment), but rather HTTP Captive Portal with RADIUS. My problem is that the only method that worked so far was defining "known user" in the security rule and a specific AD user group in the RADIUS policy, which is not what I need (actually I need the contrary).
You should configure an LDAP connection to your AD server in order to obtain groups for users that login via Captive Portal - you can use either RADIUS or LDAP to actually auth the users.
This doc may help you:
I think these comments are missing your original question. There is a RADIUS VSA that you can use to have the RADIUS server pass the group info. It is called PaloAlto-User-Group. If you use this VSA on the RADIUS server, and then check the Retrieve User Group option you mention, the group name specified in the VSA will be checked in the allow list of the auth profile. You can enter the group names manually in the auth profile.
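To make the VSA mechanism above concrete, here is an added example (not from this thread or from Palo Alto Networks) that encodes and decodes the Vendor-Specific attribute carrying PaloAlto-User-Group and then applies the auth-profile allow-list check the reply describes. The Palo Alto vendor ID (25461) and sub-attribute number (5) are taken from the public Palo Alto RADIUS dictionary and are assumptions here, as are the sample group names.

```python
import struct

# Assumed values from the public Palo Alto RADIUS dictionary (not stated in the thread).
PALOALTO_VENDOR_ID = 25461
PALOALTO_USER_GROUP = 5
ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute type


def encode_user_group_vsa(group):
    """Build the RFC 2865 Vendor-Specific attribute carrying one PaloAlto-User-Group."""
    value = group.encode("utf-8")
    # vendor sub-attribute: type, length (incl. header), string value
    vendor_data = struct.pack("!BB", PALOALTO_USER_GROUP, 2 + len(value)) + value
    body = struct.pack("!I", PALOALTO_VENDOR_ID) + vendor_data
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_attributes(blob):
    """Walk a RADIUS attribute list and yield (type, value) pairs; reject bad lengths."""
    out, i = [], 0
    while i < len(blob):
        typ, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        out.append((typ, blob[i + 2:i + length]))
        i += length
    return out


def extract_user_groups(blob):
    """Return every PaloAlto-User-Group value found in an Access-Accept attribute list."""
    groups = []
    for typ, value in parse_attributes(blob):
        if typ != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != PALOALTO_VENDOR_ID:
            continue   # some other vendor's VSA; ignore it
        # several sub-attributes may be chained inside one VSA
        for vtype, vvalue in parse_attributes(value[4:]):
            if vtype == PALOALTO_USER_GROUP:
                groups.append(vvalue.decode("utf-8"))
    return groups


def allowed_by_profile(groups, allow_list):
    """Mimic the auth-profile allow list: any returned group on the list grants access."""
    return any(g in allow_list for g in groups)
```

As the next reply notes, a group learned this way only feeds the authentication profile's allow list; security policy group matching still needs the LDAP group mapping.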
Hi - I believe (from the original question) the groups are required for setting security policy. If this is true, then you'll need to use LDAP - VSAs are not currently supported for setting security policy rules against them. If the group information is for access rights to the device, then VSAs will work.
Just to try to help you save time