10-24-2012 03:31 AM
Hello,
I'm a French user of a PA 500.
I am trying to create one rule that applies to one AD group.
I have created 1 group in my AD and added one user to this group.
In my PA settings, in User ID agent, I have added my two AD controllers. On these controllers, the User ID agent is installed.
Under Device - Server Profiles - LDAP, I have added an LDAP profile, no problem.
Under Device - User Identification - Group Mapping Settings, no problem, my group is added to the group include list.
I have created a rule in policy, in first position. This rule is applied to my group only, and I have added a URL filtering profile. In this URL filtering profile, all web addresses are accessible (*.* in white list), with no block and no alert.
A second rule has been created. On this rule, for all users, there is a URL filtering profile to block streaming, social networking...
When I go on the internet with a user in the group matched by the first rule, normally I have full access to the internet. It's not working; it's the second rule that is applied.
Any ideas why my first rule is not working?
Sorry for my bad English 😉
10-28-2012 10:12 AM
Hello
It sounds like you have your configuration configured correctly, but without seeing it, the only thing I can recommend is the following.
1. Select the Network tab
2. Select the Zones link and make sure the zone that your clients connect to has the Enable User Identification box checked.
3. Check the traffic log and see if your user name is being seen under the source user column.
If you have time during your local business day maybe you can call into support so we can assist.
Thank you
10-31-2012 05:36 PM
So assuming you do have User-ID enabled for the ingress zone of the user, can you check if the user-group mapping is correct?
Please do a:
> show user ip-user-mapping ip <user's ip>
This should show you his ip-mapping information and the groups he is a part of, that are being used in a policy.
> show user user-IDs match-user <username>
This should show you if the user is successfully being mapped to the group in the policy.
Make a note of how the mapping shows up: with the NetBIOS name, or just the username (e.g. hyatt\admin or admin), for the IP mapping and for the user-group mapping. Then you may want to check the 'domain' field configuration for your LDAP server profile.
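
The symptom reported in this thread (the catch-all second rule being applied) is what a name-form mismatch between the IP-user mapping and the group mapping would produce. The following is an added example, not part of any post and not PAN-OS code: a simplified first-match model that assumes a group rule matches only on an exact, case-insensitive username match, with constructed rule names, group name and users.

```python
# Simplified model (an assumption, not PAN-OS internals): a rule with a source
# group matches only when the username from the IP-user mapping is, after
# case-folding, identical to a member name in the group mapping.

def split_user(name):
    """Return (domain, user); domain is None when there is no NetBIOS prefix."""
    domain, sep, user = name.rpartition("\\")
    return (domain.lower() if sep else None, user.lower())

def first_match(rules, mapped_user, groups):
    """First-match evaluation: return the name of the first rule that applies."""
    for rule in rules:
        src = rule["source_group"]
        if src == "any":
            return rule["name"]
        members = {m.lower() for m in groups.get(src, ())}
        # mapped_user is None when no IP-user mapping exists for the client.
        if mapped_user is not None and mapped_user.lower() in members:
            return rule["name"]
    return None

def diagnose(mapped_user, group_member):
    """Compare the forms of the two names noted from the CLI output."""
    md, mu = split_user(mapped_user)
    gd, gu = split_user(group_member)
    if mu != gu:
        return "different user"
    if md == gd:
        return "forms agree"
    if md is None or gd is None:
        return "domain prefix missing on one side"
    return "domain differs"

# Constructed sample data; rule and group names are hypothetical.
RULES = [
    {"name": "full-access", "source_group": "web-full"},  # first position
    {"name": "filtered", "source_group": "any"},          # all users
]
GROUPS = {"web-full": ["hyatt\\admin"]}

if __name__ == "__main__":
    for mapped in ("hyatt\\admin", "admin", None):
        print(mapped, "->", first_match(RULES, mapped, GROUPS))
    print(diagnose("admin", "hyatt\\admin"))
```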