Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
08-15-2021 11:35 PM
Hi team,
I have come through as a requirement from one of my clients, They are using RADIUS Server for RSA authentication for globalprotect, but in USER ID they are using OpenLDAP, So in the ip-user-mapping, Whenever user connecting to globalprotect, I can see the user detecting from the GP and the only as "username", but the customer has configured a user group based policy and the user detected as "domain\username".
Due to this user traffic not hitting on the user-based policy, Is there a way we can integrate RADIUS and LDAP for globalprotect. Or any other suggestion to achieve this with another workaround.
08-20-2021 08:19 PM
Hi Mick,
The issue resolved, With the below KB Article,
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm0JCAS
08-16-2021 03:12 AM
As far as I know PA can use RADIUS user groups only in authentication profiles (checking if user belongs to certain group after succesful authentication).
For security (or any other) policies PA can only use user groups obtained from LDAP servers. So consider switching GP authentication to LDAP.
08-16-2021 12:13 PM
Edit the radius auth profile and add the required domain into the user domain box.
leave the username modifier alone and the domain info will not be passed onto radius auth but will be added in user id when radius auth is successful.
08-17-2021 01:57 AM
Was thinking about this once, but never tried it. Can you confirm this works?
Also usernames between Open LDAP and RADIUS will have to match.
08-17-2021 12:46 PM
It works with local auth profile so will work with others..
i assume that if a user logs into a domain as domain\fred.smith then he probably wont log into radius as kevin roberts.... but yes you are correct and i have seen stranger things....
08-17-2021 11:47 PM
Haha, true that.
Tho I've seen different variatons to derive username from name and surname 😉
But I assume in OP's case it's just a radius proxy for MFA which uses LDAP as source of identities anyway.
08-20-2021 08:19 PM
Hi Mick,
The issue resolved, With the below KB Article,
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm0JCAS
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
