Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

RADIUS And Open LDAP Integration.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

RADIUS And Open LDAP Integration.

L4 Transporter

Hi team,

 

I have come through as a requirement from one of my clients, They are using RADIUS Server for RSA authentication for globalprotect, but in USER ID they are using OpenLDAP, So in the ip-user-mapping, Whenever user connecting to globalprotect, I can see the user detecting from the GP and the only as "username", but the customer has configured a user group based policy and the user detected as "domain\username".

Due to this user traffic not hitting on the user-based policy, Is there a way we can integrate RADIUS and LDAP for globalprotect. Or any other suggestion to achieve this with another workaround. 

Snow
1 accepted solution

Accepted Solutions

6 REPLIES 6

L6 Presenter

As far as I know PA can use RADIUS user groups only in authentication profiles (checking if user belongs to certain group after succesful authentication).

For security (or any other) policies PA can only use user groups obtained from LDAP servers. So consider switching GP authentication to LDAP.

L7 Applicator

Edit the radius auth profile and add the required domain into the user domain box.

leave the username modifier alone and the domain info will not be passed onto radius auth but will be added in user id when radius auth is successful.

@Mick_Ball 

Was thinking about this once, but never tried it. Can you confirm this works?

Also usernames between Open LDAP and RADIUS will have to match.

It works with local auth profile so will work with others.. 

 

i assume that if a user logs into a domain as domain\fred.smith then he probably wont log into radius as kevin roberts....  but yes you are correct and i have seen stranger things....

Haha, true that.

Tho I've seen different variatons to derive username from name and surname 😉 

But I assume in OP's case it's just a radius proxy for MFA which uses LDAP as source of identities anyway.

Hi Mick,

 

The issue resolved, With the below KB Article,

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm0JCAS

Snow
  • 1 accepted solution
  • 5055 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!