I'm studying the PCNSA, may I ask you a question about a security policy?
The "it" group in that policy could be a Radius group imported on the FW?
Or could be a way to map users to group?
it would be very useful if Palo Alto offered a free VM lab to test which we are learning, anyone know if it's already been provided?
Hi @alessandroco ,
There are two ways to use users and user groups in policy:
- Local database: You can create the users (username and password) localy on firewall and then create user group again localy. After that in your security rule you can refer indivituals local users or the local user group. Local users and groups are configured under Device -> Local Users Database
- Group Mapping: Unfortunately currently only LDAP is supported. So if you have Active Directory, firewall will use LDAP to query the AD and "extract" all user groups that you have already created at the AD (you can set some filters and limit the groups that firewall will query, but by default FW will try to collect them all).
So to anwert your question - No, user groups information cannot be collected over RADIUS. You need LDAP to gather group membership information (which user is member of which group).
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!