ldap user authentication in security policy not working
L1 Bithead

I have configured an LDAP server profile with "base=" and "basedn=ldap string" and domain= blank.

In group mapping, under available groups, only groups are there and no users can be viewed. I have included two groups here, which are added in the security policy rule under the user option.

In the authentication profile I have added the above included LDAP groups in the allow list with login attribute sAMAccountName. I have also tried without adding groups, with allow "all".

I am using the captive portal setting in redirect mode with a captive portal policy rule for user identification.

I have two problems: 1) I cannot view users; only groups are there.

2) After adding groups in the security policy I cannot web-browse, i.e. it is very slow, almost not working, but if the groups are removed from the policy the web browsing is OK.

I want the rules to be applied using LDAP authentication.


L6 Presenter


You cannot see users from group mapping. That is just for the group mapping filter.

Also, in the LDAP profile you should configure Domain and add the NetBIOS name there.

If you want to see users, try the command

show user ip-user-mapping all

L6 Presenter

Thanks for the reply. The users are not seen in the security policy under the user option; when I select add, only groups are there. The command shows all user-to-IP mappings. As per the LDAP documentation I tried everything except transparent mode. When I try to browse, same problem with the added groups.

In the policy Users tab, did you try to write a user name? Because if you just click add and look and don't even write a letter, you'll not see the users.

Asking just to be sure what the problem is.

Yes, you are right. When I try to write, I can see all users.

My second problem: when I am selecting users or groups to apply a security policy, like allowing app web-browsing, it is not working. When I make any change, i.e. removing users or groups under users, it is working fine. I am using only one security policy for testing purposes.

Can you write 2 rules with any/any allow (check every tab),

then for the top rule select a user,


then try to log in with that user, make some traffic and check the traffic logs for the rule name. Which rule is seen?

At that time also use the command for the user's IP:

show user ip-user-mapping ip X.X.X.X

I created two rules, the top rule with a selected user. In the traffic log the top rule is used, i.e. the one with the user. And the following is the result of the command.

> show user ip-user-mapping ip

User:        darah\rasheed
From:        CP
Idle Timeout: 107s
Max. TTL:    107s
Groups that the user belongs to (used in policy)

So that means one general rule with any and other rules with users or groups are to be created for user authentication to work?

Wow, panos. You just saved me. I have spent hours trying to figure out why nothing shows up in the dropdown list in the Users tab of a policy rule. From your post I learned that if I enter any text, then they show up! Thank you!
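The mapping record quoted above shows the user and its source (CP, the captive portal), but the "Groups that the user belongs to (used in policy)" list under it is empty. A rule whose Source User field selects LDAP groups is matched against exactly that list, so with no groups resolved for the mapping the group-based rule cannot match, while a rule naming the user directly does. As an added example, not from the thread and not Palo Alto Networks code, here is a small Python parser for that CLI record plus a check that reports why a rule's Source User selection would or would not match it. The two sample records are constructed to mirror the quoted output; the DN form of the group lines and case-insensitive name comparison are assumptions.

```python
import re

# Constructed sample, modelled on the record the poster pasted above: the group
# header is present but nothing follows it, i.e. the mapping carries no groups.
NO_GROUPS_OUTPUT = """\
User:        darah\\rasheed
From:        CP
Idle Timeout: 107s
Max. TTL:    107s
Groups that the user belongs to (used in policy)
"""

# Constructed contrast case: the same user with two groups resolved by group
# mapping. The DN format of the group lines is an assumption, not from the thread.
WITH_GROUPS_OUTPUT = """\
User:        darah\\rasheed
From:        CP
Idle Timeout: 107s
Max. TTL:    107s
Groups that the user belongs to (used in policy)
cn=web-users,ou=groups,dc=darah,dc=local
cn=it-staff,ou=groups,dc=darah,dc=local
"""


def _seconds(value):
    """Turn '107s' into 107; None if the field is missing or not in that shape."""
    m = re.fullmatch(r"(\d+)s", (value or "").strip())
    return int(m.group(1)) if m else None


def parse_ip_user_mapping(text):
    """Parse one 'show user ip-user-mapping ip <addr>' record into a dict.

    Header lines are 'Key: value' pairs; every non-empty line after the
    'Groups that the user belongs to' header is taken as one group name.
    """
    fields = {}
    groups = []
    in_groups = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_groups:
            groups.append(line)
            continue
        if line.startswith("Groups that the user belongs to"):
            in_groups = True
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return {
        "user": fields.get("User"),
        "source": fields.get("From"),  # CP = captive portal
        "idle_timeout_s": _seconds(fields.get("Idle Timeout")),
        "max_ttl_s": _seconds(fields.get("Max. TTL")),
        "groups": groups,
    }


def rule_user_match(mapping, rule_users=(), rule_groups=()):
    """Decide whether a rule's Source User selection could match this mapping.

    Returns (matched, reason). Names are compared case-insensitively, which is
    an assumption about how the firewall compares them.
    """
    user = (mapping["user"] or "").lower()
    have_groups = {g.lower() for g in mapping["groups"]}
    if user and user in {u.lower() for u in rule_users}:
        return True, "user matched directly"
    hit = {g.lower() for g in rule_groups} & have_groups
    if hit:
        return True, "group matched: " + ", ".join(sorted(hit))
    if rule_groups and not have_groups:
        return False, "rule selects groups but the mapping lists no groups; fix group mapping first"
    if rule_groups:
        return False, "none of the user's groups is selected by the rule"
    return False, "no user or group in the rule matches this mapping"


if __name__ == "__main__":
    web_users = "cn=web-users,ou=groups,dc=darah,dc=local"
    for label, out in (("no groups", NO_GROUPS_OUTPUT), ("with groups", WITH_GROUPS_OUTPUT)):
        m = parse_ip_user_mapping(out)
        print(label, "->", m["user"], m["groups"])
        print("  user rule :", rule_user_match(m, rule_users=["darah\\rasheed"]))
        print("  group rule:", rule_user_match(m, rule_groups=[web_users]))
```

Run it against real output by pasting the record into one of the string constants; when the group-based rule reports "the mapping lists no groups", the thing to check is the group mapping profile and the Domain/NetBIOS setting in the LDAP profile rather than the security rule itself.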
