I need to map a user to an LDAP group. For desktops there is no problem, the mappings go well. But if a user connects via smartphone and doesn't provide DOMAIN\, then a problem occurs. Is there any way to achieve this goal?
Typing DOMAIN\ on a mobile keyboard is difficult.
Users are authenticated through 802.1x on an external NAC and the user-id is passed via XML-API.
Did you make sure to add the domain name to the user domain attribute in the LDAP profile/GroupMappingProfile?
As far as I know, this setting is to replace the LDAP response. If a client logs on to the network with the username only [john.smith instead of DOMAIN\john.smith], then Palo Alto cannot compare it to the LDAP response domain\username. It doesn't matter if I compare it to the original LDAP response or to the LDAP response with the replaced domain prefix; it still doesn't solve the problem.
I see two options:
a) add domain to user name when sending entry via API,
b) gather User-ID through Syslog Sender, you can define the Default Domain Name of those mappings.
It will be possible if there is only one domain for users.
Hope it helps :-)
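Option (a) above, sketched as an added example (not code from the thread or from Palo Alto Networks): normalize whatever the NAC reports to DOMAIN\user before building the User-ID XML API login message. The domain `EXAMPLE`, the UPN suffix map, the sample sessions and the function names are assumptions; bare names can only be qualified this way when there is a single user domain.

```python
import ipaddress
import xml.etree.ElementTree as ET

DEFAULT_DOMAIN = "EXAMPLE"                  # assumption: the one NetBIOS domain in use
UPN_SUFFIXES = {"example.com": "EXAMPLE"}   # assumption: UPN suffix -> NetBIOS domain


def normalize_user(raw, default_domain=DEFAULT_DOMAIN):
    """Return DOMAIN\\user for bare, UPN-style or already qualified names."""
    name = raw.strip()
    if "\\" in name:                         # already DOMAIN\user
        domain, _, user = name.partition("\\")
    elif "@" in name:                        # user@suffix
        user, _, suffix = name.rpartition("@")
        domain = UPN_SUFFIXES.get(suffix.lower())
        if domain is None:
            raise ValueError(f"unknown UPN suffix: {suffix!r}")
    else:                                    # bare name typed on a phone
        domain, user = default_domain, name
    if not domain or not user:
        raise ValueError(f"malformed username: {raw!r}")
    return f"{domain}\\{user}"


def build_login_message(sessions, timeout_min=60):
    """Build a User-ID XML API login update from (username, ip) pairs."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for raw_user, ip in sessions:
        ipaddress.ip_address(ip)             # raises ValueError on a malformed address
        ET.SubElement(login, "entry", name=normalize_user(raw_user),
                      ip=ip, timeout=str(timeout_min))
    return ET.tostring(root, encoding="unicode")


# Constructed sample sessions, as a NAC might report them after 802.1X logins.
SAMPLE_SESSIONS = [
    ("john.smith", "192.0.2.10"),            # phone, no domain typed
    ("EXAMPLE\\john.smith", "192.0.2.11"),   # desktop
    ("john.smith@example.com", "192.0.2.12"),
]

if __name__ == "__main__":
    print(build_login_message(SAMPLE_SESSIONS))
```

All three sample sessions end up with the same `name` value, so group mapping sees one user regardless of how the name was typed.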