02-03-2016 08:30 AM
We have User-ID set up, and every cluster has a designated master device for User-ID mappings. I have the group mapping of the new AD group showing in the gateway itself; however, when I go to implement the group in a policy in Panorama, it will not display the new group. I have done a forced refresh on the gateway and refreshed Panorama, but with no luck. It will still not display the new AD group created... any idea?
02-11-2016 07:32 AM
The issue is that, by design, the Panorama device is not integrated with AD (there is a Feature Request for this).
Here is the procedure that needs to be done for new AD groups being added to a policy:
In the user-id tab of the policy rule, click add and paste the entire tree directory mapping to the new AD group:
Example: cn=admin,ou=stuff,ou=more_stuff,ou=even_more_stuff,ou=bigger_stuff,ou=organizational units,dc=ds,dc=company,dc=com
You will see it will map and change to the short version company\stuff…blah blah blah…
If you don't know what the full mapping is or you're too lazy to type it all out, do the following:
Log in to any gateway CLI and run the following command: show user group list | match stuff (or whatever the name is)
You will get the following output:
admin@Test-FW01(active)> show user group list | match stuff
cn=admin,ou=stuff,ou=more_stuff,ou=even_more_stuff,ou=bigger_stuff,ou=organizational units,dc=ds,dc=company,dc=com
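One caveat worth knowing before pasting: `| match stuff` returns every line containing that text anywhere, so an OU named `stuff` or `more_stuff` shows up alongside the group you actually want, and a DN whose value contains an escaped comma (`\,`) must be copied byte for byte. The following Python is an added example, not code from the original thread or from Palo Alto Networks; it runs over a constructed sample of `show user group list` output (the group names, OUs and `ds.company.com` domain are made up) and shows the difference between a plain text match and selecting only the DN whose leading `cn=` is the group you mean:

```python
"""Pick out the full DN of an AD group from PAN-OS 'show user group list'
output, matching on the group's CN rather than on any text in the line.

Added example. SAMPLE_OUTPUT is constructed, not captured from a firewall.
"""
import re

# Constructed sample: one DN per line, as the firewall prints it.
# Line 1 contains "stuff" only inside OU names, line 3 has an RFC 4514
# escaped comma in its CN. Both are traps for a plain `| match stuff`.
SAMPLE_OUTPUT = """\
cn=admin,ou=stuff,ou=more_stuff,ou=even_more_stuff,ou=bigger_stuff,ou=organizational units,dc=ds,dc=company,dc=com
cn=stuff,ou=groups,dc=ds,dc=company,dc=com
cn=stuff\\, legacy,ou=groups,dc=ds,dc=company,dc=com
cn=helpdesk,ou=groups,dc=ds,dc=company,dc=com
"""

# A comma that is NOT preceded by a backslash separates RDNs.
_UNESCAPED_COMMA = re.compile(r"(?<!\\),")


def split_dn(dn):
    """Split an LDAP DN into (attribute, value) pairs.

    Honours backslash escapes, so 'cn=a\\,b,dc=x' is two RDNs, not three,
    and the returned value has the escape removed ('a,b').
    """
    rdns = []
    for rdn in _UNESCAPED_COMMA.split(dn.strip()):
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().lower(), re.sub(r"\\(.)", r"\1", value.strip())))
    return rdns


def naive_match(output, needle):
    """Roughly what `| match <needle>` does: any line containing the text,
    wherever it appears, OU names included."""
    return [line for line in output.splitlines() if needle in line]


def find_group_dns(output, group_name):
    """Return only the DNs whose leading RDN is cn=<group_name>.

    The comparison is case-insensitive and is made on the unescaped CN,
    but the returned string is the raw line, which is what gets pasted
    into the policy's User field.
    """
    hits = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        rdns = split_dn(line)
        if rdns and rdns[0][0] == "cn" and rdns[0][1].lower() == group_name.lower():
            hits.append(line)
    return hits


if __name__ == "__main__":
    print("| match stuff would return", len(naive_match(SAMPLE_OUTPUT, "stuff")), "lines")
    for dn in find_group_dns(SAMPLE_OUTPUT, "stuff"):
        print("group named 'stuff':", dn)
    for dn in find_group_dns(SAMPLE_OUTPUT, "stuff, legacy"):
        print("group with escaped comma:", dn)
```

Against the constructed sample, `| match stuff` gives three candidate lines while `find_group_dns` gives exactly one per group name; the escaped-comma group is found by its human-readable name and returned with the `\,` intact so it can be pasted as-is.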