10-27-2010 08:14 AM
I would like to use my AD groups in security rules (along with RADIUS and HTML Captive Portal). So far I have managed to use "known users" only, seemingly due to a lack of group attribute exchange between PAN and RADIUS (MS IAS 2003).
I found the promising "Retrieve User Group" checkbox in the RADIUS authentication profile settings, but so far I haven't found any reference to it in the Knowledgepoint.
Can anyone point me to relevant docs, or share a personal experience?
Sincerely,
Evgeny
10-27-2010 06:52 PM
In order to use AD groups in security policies, you will have to forward the group information from the Pan-agent to the Pan firewall using the Filter Group Members setting in the Pan-Agent GUI.
10-28-2010 01:55 AM
I am not going to use the PAN agent (for this network segment), but rather the HTTP Captive Portal with RADIUS. My problem is that the only method that has worked so far is defining "known user" in the security rule and a specific AD user group in the RADIUS policy, which is not what I need (actually I need the contrary).
Sincerely,
Evgeny
10-28-2010 02:56 AM
Hi There,
You should configure an LDAP connection to your AD server in order to obtain groups for users that log in via Captive Portal; you can use either RADIUS or LDAP to actually auth the users.
This doc may help you:
https://live.paloaltonetworks.com/docs/DOC-1445#comment-1211
Thanks
James
10-28-2010 03:04 AM
Thanks, James.
I will try to configure LDAP auth (actually I believe that I would not need RADIUS if LDAP auth is in place).
Evgeny
10-28-2010 03:21 AM
Hi Evgeny,
You are correct, although it is also possible to auth users via RADIUS and get group info from LDAP. One use case for this is when two-factor authentication is required.
Good Luck!
James
10-28-2010 10:44 PM
I think these comments are missing your original question. There is a RADIUS VSA that you can use to have the RADIUS server pass the group info. It is called PaloAlto-User-Group. If you use this VSA on the RADIUS server and then check the Retrieve User Group option you mention, the group name specified in the VSA will be checked against the allow list of the auth profile. You can enter the group names manually in the auth profile.
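The mechanism Mike describes above, as an added example that is not part of the original thread or of any Palo Alto Networks or Microsoft code: a RADIUS Vendor-Specific attribute (RFC 2865, section 5.26, attribute type 26) carrying PaloAlto-User-Group in an Access-Accept, encoded on the server side, parsed on the client side, and the resulting group name checked against an allow list the way the auth profile check is described. The vendor ID 25461 and vendor-type 5 are taken from the Palo Alto Networks RADIUS dictionary as I know it; verify them against the dictionary shipped with your firewall before relying on them. The Access-Accept attribute list, the user name and the group names are constructed sample data.

```python
# Added example: RFC 2865 Vendor-Specific attribute (type 26) carrying the
# PaloAlto-User-Group VSA, plus the allow-list check described in the thread.
# Vendor ID and vendor-type below are assumed from the Palo Alto RADIUS
# dictionary; confirm them against your own copy.
import struct

RADIUS_VSA_TYPE = 26            # RFC 2865 Vendor-Specific
PALOALTO_VENDOR_ID = 25461      # assumed: Palo Alto Networks enterprise number
PALOALTO_USER_GROUP = 5         # assumed: vendor-type of PaloAlto-User-Group


def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific attribute holding a single vendor sub-attribute.

    Layout: Type(1) Length(1) Vendor-Id(4) Vendor-type(1) Vendor-length(1) data.
    Both length fields count their own header bytes.
    """
    data = value.encode("utf-8")
    vendor_len = 2 + len(data)
    if vendor_len > 255 - 6:            # outer Length is one byte, 6 bytes of headers
        raise ValueError("VSA value too long for a single attribute")
    body = struct.pack("!IBB", vendor_id, vendor_type, vendor_len) + data
    return struct.pack("!BB", RADIUS_VSA_TYPE, 2 + len(body)) + body


def parse_attributes(blob):
    """Walk a RADIUS attribute list and return (type, vendor_id, vendor_type, value).

    Plain attributes have vendor_id and vendor_type set to None. A single
    type-26 attribute may pack several vendor sub-attributes; each is yielded
    separately. Malformed length fields raise ValueError instead of being
    silently skipped, so a bad packet cannot smuggle or hide a group name.
    """
    out = []
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("bad attribute length")
        value = blob[pos + 2:pos + alen]
        if atype == RADIUS_VSA_TYPE:
            if len(value) < 4:
                raise ValueError("VSA shorter than its Vendor-Id field")
            vendor_id = struct.unpack("!I", value[:4])[0]
            sub = value[4:]
            spos = 0
            while spos < len(sub):
                if len(sub) - spos < 2:
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = sub[spos], sub[spos + 1]
                if vlen < 2 or spos + vlen > len(sub):
                    raise ValueError("bad vendor sub-attribute length")
                out.append((atype, vendor_id, vtype, sub[spos + 2:spos + vlen]))
                spos += vlen
        else:
            out.append((atype, None, None, value))
        pos += alen
    return out


def is_well_formed(blob):
    """True if the attribute list parses cleanly, False on any length error."""
    try:
        parse_attributes(blob)
        return True
    except ValueError:
        return False


def user_groups(attributes):
    """Group names from PaloAlto-User-Group VSAs only; other vendors are ignored."""
    return [
        value.decode("utf-8")
        for (atype, vid, vtype, value) in attributes
        if atype == RADIUS_VSA_TYPE
        and vid == PALOALTO_VENDOR_ID
        and vtype == PALOALTO_USER_GROUP
    ]


def allowed(groups, allow_list):
    """The auth-profile style check: at least one returned group is on the list.

    Exact, case-sensitive matching is this example's choice, not a statement
    about the firewall's own comparison rules.
    """
    return any(group in allow_list for group in groups)


# Constructed sample Access-Accept attribute list: User-Name (type 1), the
# PaloAlto-User-Group VSA, and a VSA from an unrelated vendor (vendor 9,
# sub-type 1) that the group extraction must ignore.
SAMPLE_ACCEPT_ATTRS = (
    struct.pack("!BB", 1, 2 + len(b"evgeny")) + b"evgeny"
    + encode_vsa(PALOALTO_VENDOR_ID, PALOALTO_USER_GROUP, "vpn-users")
    + encode_vsa(9, 1, "shell:priv-lvl=15")
)

if __name__ == "__main__":
    groups = user_groups(parse_attributes(SAMPLE_ACCEPT_ATTRS))
    print("groups from Access-Accept:", groups)
    print("allowed against ['vpn-users', 'admins']:", allowed(groups, ["vpn-users", "admins"]))
```

On the server side the same three numbers are what a RADIUS server needs to emit the attribute: the vendor code, the vendor-assigned attribute number and a string value. Whatever server you use (IAS included, via its Vendor-Specific attribute entry), confirm that it encodes the attribute in the RFC 2865 layout above, because a server that emits a non-conformant VSA will be silently ignored by a parser like `user_groups` rather than producing an error.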
10-29-2010 02:17 AM
Mike: indeed. 🙂
Anyway, I am going to test both ways next week (RADIUS User group and LDAP).
Assuming that MS IAS 2003 knows how to deal with that PaloAlto-User-Group VSA...
10-29-2010 03:11 AM
Hi. I believe (from the original question) the groups are required for setting security policy. If this is true, then you'll need to use LDAP; VSAs are not currently supported for setting security policy rules against them. If the group information is for access rights to the device, then VSAs will work.
Just trying to help you save time.
Thanks
James
01-12-2015 02:45 AM
Hello
There is FR2729 to pull groups from RADIUS; please vote for this FR. At the moment it has only 8 votes.
Regards
SLawek